1089660 – Dovecot cannot access slapd_cert

Bug 1089660 - Dovecot cannot access slapd_cert

Summary: Dovecot cannot access slapd_cert

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-21 11:56 UTC by William Brown
Modified:	2014-12-19 18:29 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.12.1-74.30.fc19
Clone Of:
Environment:
Last Closed:	2014-12-19 18:29:30 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description William Brown 2014-04-21 11:56:17 UTC

Description of problem:
Dovecot can search for users and accounts via ldap. To do this with TLS, it's common to reference the certificates in /etc/ldap/certs. Alternately, ldap library defaults in /etc/ldap/ldap.conf can affect the usage of TLS and certificates. 

As a result, dovecot get's denials reading these certificates. The following addition to policy/modules/contrib/dovecot.te would correct this. 

ldap_read_certs(dovecot_auth_t)

Alternately, sysnet_use_ldap lists in a comment that for LDAPS it enables some access to rand/urand. Perhaps the addition of 

ldap_read_certs($1)

to policy/modules/system/sysnetwork.if would be a useful addition, as sysnet_use_ldap would grant access to all resources for "tls/ssl" access to ldap.

Comment 1 Daniel Walsh 2014-04-24 01:11:23 UTC

I like the second option.

commit a330d66d2dfe23312f1911e3210fc63fa9e9d3ec
 fixes this in git.

Comment 2 William Brown 2014-04-24 03:40:24 UTC

Does this mean the server slapd process private keys are leaked via this? How are they labeled?

Comment 3 Lukas Vrabec 2014-06-12 08:46:09 UTC

I added changes to F19. 
Sorry but I don't understand your question, we just allow ldap to read certs. What leaked?
 
You mean how are labeled certs? 
$ matchpathcon /etc/openldap/certs
/etc/openldap/certs     system_u:object_r:slapd_cert_t:s0

Comment 4 Fedora Update System 2014-08-13 12:02:37 UTC

selinux-policy-3.12.1-74.29.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.29.fc19

Comment 5 Fedora Update System 2014-08-16 00:27:05 UTC

Package selinux-policy-3.12.1-74.29.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.29.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9432/selinux-policy-3.12.1-74.29.fc19
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-12-03 12:53:27 UTC

selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.30.fc19

Comment 7 Fedora Update System 2014-12-19 18:29:30 UTC

selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.