Bug 405291
| Summary: | SELinux shortcomings for sockets used by milters and SASL | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Glen Turner <glen.turner> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 8 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-01-30 19:06:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Glen Turner
2007-11-30 01:14:51 UTC
Actually SELinux does generate warnings. audit2allow reports

```
#============= sendmail_t ==============
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t var_run_t:sock_file getattr;
```

And now that sendmail can read the /var/run/saslauthd directory we additionally need

```
#============= sendmail_t ==============
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t var_run_t:sock_file getattr;
```

The final set of SELinux policies which allow SMTP AUTH to work are

```
#============= sendmail_t ==============
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t var_run_t:sock_file getattr;
```

The final set of SELinux policies which allow SMTP AUTH, Spamassassin milter and ClamAV milter:

```
#============= sendmail_t ==============
allow sendmail_t initrc_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t spamd_var_run_t:sock_file { write getattr };
allow sendmail_t var_run_t:sock_file { write getattr };

#============= system_mail_t ==============
allow system_mail_t security_t:filesystem getattr;
allow system_mail_t spamd_var_run_t:dir { search getattr };
allow system_mail_t var_run_t:sock_file getattr;
```

Considering that SELinux enforcing and sendmail are recommended system configurations, I'd say this shows a distinct lack of system testing.
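The rule sets above are raw audit2allow output; before an administrator loads them as a local module it is worth seeing which rules name generic types (`initrc_t` is the domain of every init script without its own policy, `var_run_t` the default label under /var/run), since those grants reach well beyond one daemon's socket. The following is an added example written for this page, not code from the bug report or from Fedora's selinux-policy: it parses the final rule set quoted above (embedded as constructed sample input), flags rules whose target is on a reviewer-chosen `GENERIC_TYPES` list (an assumption of the example), and emits a `.te` module with the `require` block that `checkmodule` needs.

```python
"""Parse audit2allow 'allow' rules, flag grants to generic types and
emit a loadable .te module.  Added example for bug 405291; the rule
text below is the final rule set quoted in the report, embedded here as
constructed sample input."""
import re
from collections import defaultdict

SAMPLE = """\
#============= sendmail_t ==============
allow sendmail_t initrc_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t spamd_var_run_t:sock_file { write getattr };
allow sendmail_t var_run_t:sock_file { write getattr };
#============= system_mail_t ==============
allow system_mail_t security_t:filesystem getattr;
allow system_mail_t spamd_var_run_t:dir { search getattr };
allow system_mail_t var_run_t:sock_file getattr;
"""

# allow <src> <tgt>:<class> <perm>;   or   allow <src> <tgt>:<class> { p1 p2 };
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<many>[^}]*?)\s*\}|(?P<one>[^\s;{}]+))\s*;\s*$"
)

# Assumption of this example: the reviewer's own list of catch-all types.
# initrc_t covers every init script lacking a dedicated domain and
# var_run_t is the default label under /var/run, so a rule naming either
# grants access to far more than the one milter socket that needed it.
GENERIC_TYPES = frozenset({"initrc_t", "var_run_t"})


def parse_rules(text):
    """Return a list of (source, target, class, perms) tuples, perms sorted."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # audit2allow section banners
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        perms = m["many"].split() if m["many"] is not None else [m["one"]]
        rules.append((m["src"], m["tgt"], m["cls"], tuple(sorted(perms))))
    return rules


def rules_by_source(rules):
    """Group rules by source domain, as audit2allow's banners do."""
    grouped = defaultdict(list)
    for rule in rules:
        grouped[rule[0]].append(rule)
    return dict(grouped)


def flag_generic_targets(rules, generic=GENERIC_TYPES):
    """Rules whose target type is a generic catch-all: review before loading."""
    return [rule for rule in rules if rule[1] in generic]


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te_module(name, rules, version="1.0"):
    """Render a policy module source: header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, perms in rules:
        types.update((src, tgt))
        classes[cls].update(perms)          # require block needs the union
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {_fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {_fmt_perms(p)};" for s, t, c, p in rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for rule in flag_generic_targets(parsed):
        print("review before loading:", rule)
    print(to_te_module("local_sendmail_milter", parsed))
```

The emitted text is what one would feed to `checkmodule -M -m`, `semodule_package` and `semodule -i`; the flagged `initrc_t` and `var_run_t` rules are the ones that a dedicated milter domain and socket type (what the later policy update provides) make unnecessary.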
Altered component to selinux-policy-targeted.

```
libselinux-2.0.43-1.fc8
libselinux-devel-2.0.43-1.fc8
selinux-policy-3.0.8-56.fc8
selinux-policy-targeted-3.0.8-56.fc8
libselinux-python-2.0.43-1.fc8
checkpolicy-2.0.4-1.fc8
policycoreutils-2.0.31-15.fc8
```

Thanks for the analysis. I believe I have incorporated all your changes into selinux-policy-3.0.8-63.fc8.

Thanks Dan. I won't be in a position to test selinux-policy-3.0.8-63.fc8 until Wednesday (South Australia time).

Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.