author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2014-12-31 17:09:56 +0100 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2015-01-02 18:18:09 +0100 |
commit | acbf0504f0645f997f16b3e70164f3c6acc2be86 (patch) | |
tree | 5ab7e8179151919f78dfb36b7676fbc8374caf9e | |
parent | Allow authdaemon to access selinux fs to check SELinux state (diff) | |
Grant setuid/setgid to courier_pop_t
When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:
Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted
In the audit logs, the following shows up:
type=AVC msg=audit(1419968456.850:190): avc: denied { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
type=AVC msg=audit(1419968532.622:192): avc: denied { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
The daemon wants to switch user to access the necessary maildirs.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
-rw-r--r-- | policy/modules/contrib/courier.te | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te index bcfb4b2ce..29057a72b 100644 --- a/policy/modules/contrib/courier.te +++ b/policy/modules/contrib/courier.te @@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t) # POP3/IMAP local policy # +allow courier_pop_t self:capability { setgid setuid }; allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; allow courier_pop_t courier_authdaemon_t:process sigchld; |
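Review bot: The added `allow courier_pop_t self:capability { setgid setuid };` rule, placed directly under the "POP3/IMAP local policy" header, carries no comment in courier.te explaining why this domain needs to change its UID and GID. The reason (imaplogin calls initgroups and switches user to reach the maildirs) is recorded only in the commit message. Consider a one-line comment above the rule, for example `# imaplogin switches user (initgroups) to access the maildirs`, so a later audit of the policy does not have to dig through history. The two permissions match the two denials quoted in the commit message (capability=6 setgid, capability=7 setuid), so the grant is no wider than what was observed.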