Bug 162798 - selinux disables MECH=rimap in saslauthd
Summary: selinux disables MECH=rimap in saslauthd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL: selinux disables MECH=rimap in saslauthd
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-07-08 18:31 UTC by Kirk Smith
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.1-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-19 07:57:44 UTC
Type: ---
Embargoed:



Description Kirk Smith 2005-07-08 18:31:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
If MECH=rimap is set in /etc/sysconfig/saslauthd and selinux is in enforcing mode, then saslauthd does not have the required permission to get the job done. To enable this, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te

# needed for MECH=rimap

allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };


Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch-1.24-3

How reproducible:
Always

Steps to Reproduce:
1. Set up an imap server for mail.  A reasonable configuration is to only allow users with imap accounts to forward outgoing mail through sendmail.
2. Configure sendmail to require authentication before forwarding mail messages by editing /etc/mail/sendmail.mc and setting: define(`confAUTH_OPTIONS', `A')dnl
3. Edit /usr/lib/sasl/smtpd.conf to direct authentication at saslauthd by setting: pwcheck_method: saslauthd
4. Edit /etc/sysconfig/saslauthd and set the mechanism to use as MECH=rimap.
5. Restart saslauthd and sendmail
6. Try to send a mail message through sendmail using a mail client such as Microsoft Outlook.


Actual Results:  The login is denied with the message in /var/log/messages:

Jul  7 15:27:13 ns1 saslauthd[14364]: auth_rimap: couldn't connect to 127.0.0.1/143


Expected Results:  saslauthd should have connected to the imap server to verify if the person could send the message.

Additional info:

To give saslauthd permission to do these operations, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te,

allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };

This was generated using audit2allow, and could possibly be slightly modified, but this definitely removes the restriction that kept saslauthd from connecting to the imap server.
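
As an added illustration (not part of the original report, and not Fedora's or audit2allow's own code), the script below does in miniature what the reporter's audit2allow run did: it reads AVC denial lines in the audit.log format of kernels of that era, merges them into one TE allow rule per (source type, target type, object class), and then compares the permissions those denials need against the allow rules already present in a .te fragment so an administrator can see exactly which grant is still missing before extending the policy. The AVC lines are constructed for this example; their contexts and classes mirror the four rules quoted above (saslauthd_t reaching pop_port_t, netif_lo_t, node_lo_t and its own tcp_socket), but the pids, timestamps and ports are made up.

```python
import re
from collections import defaultdict

# Constructed sample denials (not taken from the bug report): the same
# source/target/class combinations the reporter's rules grant, in the
# 2005-era audit.log AVC format. Timestamps, serials and pids are invented.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1120750033.412:101): avc:  denied  { create } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
type=AVC msg=audit(1120750033.412:102): avc:  denied  { connect } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
type=AVC msg=audit(1120750033.413:103): avc:  denied  { name_connect } for  pid=14364 comm="saslauthd" dest=143 scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
type=AVC msg=audit(1120750033.413:104): avc:  denied  { tcp_send } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32770 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:netif_lo_t tclass=netif
type=AVC msg=audit(1120750033.413:105): avc:  denied  { tcp_send } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32770 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:node_lo_t tclass=node
"""

# Pulls the denied permission set and the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type (third component) of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Collect {(source_type, target_type, class): {perm, ...}} from AVC denial lines."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; ignore
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return needed

def render_rules(needed):
    """Emit one TE allow rule per (source, target, class), as audit2allow does.
    A target equal to the source is written as 'self'."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

ALLOW_RE = re.compile(r"allow (\S+) (\S+):(\S+) \{ ([^}]+) \};")

def parse_allow_rules(te_text):
    """Parse the allow rules already present in a .te fragment into the same shape."""
    granted = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        tgt = src if tgt == "self" else tgt  # normalise 'self' back to the type
        granted[(src, tgt, cls)].update(perms.split())
    return granted

def missing_permissions(needed, granted):
    """Return {(src, tgt, class): perms} that the denials need but the fragment does not grant."""
    missing = {}
    for key, perms in needed.items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing

if __name__ == "__main__":
    needed = parse_denials(SAMPLE_AVC_LOG)
    for rule in render_rules(needed):
        print(rule)
    # Suppose only the self:tcp_socket rule has been added so far.
    partial_policy = "allow saslauthd_t self:tcp_socket { connect create read write };\n"
    for (src, tgt, cls), perms in missing_permissions(needed, parse_allow_rules(partial_policy)).items():
        print(f"still missing: {src} -> {tgt}:{cls} {sorted(perms)}")
```

Run it against a real audit log by passing the file's contents to parse_denials and the current saslauthd.te text to parse_allow_rules; the rules it prints are a starting point to review, not to paste blindly, since a denial merged into a rule grants that permission for every future access of that class, which is why the reporter notes the audit2allow output "could possibly be slightly modified".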

Comment 1 Daniel Walsh 2005-07-11 17:12:54 UTC
Fixed in selinux-policy-targeted-1.25.1-9

