Grant setuid/setgid to courier_pop_t

When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:

Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted

In the audit logs, the following shows up:

type=AVC msg=audit(1419968456.850:190): avc:  denied  { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

type=AVC msg=audit(1419968532.622:192): avc:  denied  { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

The daemon wants to switch user to access the necessary maildir's.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

1 files changed, 1 insertions, 0 deletions

diff --git a/policy/modules/contrib/courier.te b/policy/modules/contrib/courier.te
index bcfb4b2ce..29057a72b 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
+allow courier_pop_t self:capability { setgid setuid };
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;