Bug 162798 - selinux disables MECH=rimap in saslauthd
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-08 14:31 EDT by Kirk Smith
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.25.1-9
Doc Type: Bug Fix
Last Closed: 2005-08-19 03:57:44 EDT
Description Kirk Smith 2005-07-08 14:31:31 EDT
Description of problem:
If MECH=rimap is set in /etc/sysconfig/saslauthd and selinux is in enforcing mode, then saslauthd does not have the required permission to get the job done.  To enable this, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te:

# needed for MECH=rimap
allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };


Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch-1.24-3

How reproducible:
Always

Steps to Reproduce:
1. Set up an imap server for mail.  A reasonable configuration is to only allow users with imap accounts to forward outgoing mail through sendmail.
2. Configure sendmail to require authentication before forwarding mail messages by editing /etc/mail/sendmail.mc and setting: define(`confAUTH_OPTIONS', `A')dnl
3. Edit /usr/lib/sasl/smtpd.conf to direct authentication at saslauthd by setting: pwcheck_method: saslauthd
4. Edit /etc/sysconfig/saslauthd and set the mechanism to use as MECH=rimap.
5. Restart saslauthd and sendmail
6. Try to send a mail message through sendmail using a mail client such as microsoft outlook.

Actual Results:  The login is denied with the message in /var/log/messages:

Jul  7 15:27:13 ns1 saslauthd[14364]: auth_rimap: couldn't connect to 127.0.0.1/143


Expected Results:  saslauthd should have connected to the imap server to verify if the person could send the message.

Additional info:

To give saslauthd permission to do these operations, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te:

allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };

This was generated using audit2allow, and could possibly be slightly modified, but this definitely removes the restriction that kept saslauthd from connecting to the imap server.
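The four allow rules above are what audit2allow produces when it groups the AVC denials by source type, target type and object class and merges the denied permissions. The script below is an added example, not part of the bug report and not Fedora's or the SELinux project's code: it reimplements that grouping step over constructed sample log lines written in the style of the 2005-era kernel AVC messages that appeared in /var/log/messages (the pid, ports and timestamps are invented; only the saslauthd error line is quoted from the report). It also does two things a reviewer wants before applying generated rules: it lists which port types the domain would gain name_connect to, since a port type can label more ports than the one service that triggered the denial, and it renders the rules in the loadable-module .te form that later audit2allow -M emits, rather than the monolithic source tree this bug edits. The module name local_saslauthd_rimap is an assumed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not copied from the bug) in the style of the
# kernel AVC denials 2005-era Fedora wrote to /var/log/messages. The last
# line is the saslauthd error quoted in the report; it is not an AVC record
# and the parser must skip it.
SAMPLE_LOG = """\
Jul  7 15:27:13 ns1 kernel: audit(1120764433.101:451): avc:  denied  { create } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
Jul  7 15:27:13 ns1 kernel: audit(1120764433.102:452): avc:  denied  { connect } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
Jul  7 15:27:13 ns1 kernel: audit(1120764433.103:453): avc:  denied  { name_connect } for  pid=14364 comm="saslauthd" dest=143 scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Jul  7 15:27:13 ns1 kernel: audit(1120764433.104:454): avc:  denied  { tcp_send } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32771 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Jul  7 15:27:13 ns1 kernel: audit(1120764433.104:455): avc:  denied  { tcp_send } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32771 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:node_lo_t tclass=node
Jul  7 15:27:13 ns1 kernel: audit(1120764433.104:456): avc:  denied  { send_msg } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32771 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Jul  7 15:27:13 ns1 kernel: audit(1120764433.105:457): avc:  denied  { write } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
Jul  7 15:27:13 ns1 kernel: audit(1120764433.110:458): avc:  denied  { tcp_recv } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=143 daddr=127.0.0.1 dest=32771 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Jul  7 15:27:13 ns1 kernel: audit(1120764433.110:459): avc:  denied  { tcp_recv } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=143 daddr=127.0.0.1 dest=32771 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:node_lo_t tclass=node
Jul  7 15:27:13 ns1 kernel: audit(1120764433.110:460): avc:  denied  { recv_msg } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=143 daddr=127.0.0.1 dest=32771 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Jul  7 15:27:13 ns1 kernel: audit(1120764433.111:461): avc:  denied  { read } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
Jul  7 15:27:13 ns1 saslauthd[14364]: auth_rimap: couldn't connect to 127.0.0.1/143
"""

# Pull the denied permissions, both security contexts and the object class
# out of one AVC record; everything between "for" and "scontext=" varies.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(lines):
    """Group denials by (source type, target type, class) and merge the denied
    permissions, which is what audit2allow does. A target equal to the source
    type is written as 'self', giving the fourth rule of the bug report."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record, e.g. the saslauthd error line
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        target = "self" if ttype == stype else ttype
        rules[(stype, target, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def render_allow_rules(rules):
    """One 'allow' line per group, permissions sorted for stable output."""
    return [
        f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, target, tclass), perms in sorted(rules.items())
    ]


def name_connect_targets(rules):
    """Port types the domain would be allowed to connect to. Review these
    first: a port type may label more ports than the service that triggered
    the denial, so the generated rule can be wider than intended."""
    return sorted(target for (_, target, _), perms in rules.items() if "name_connect" in perms)


def render_module(rules, name="local_saslauthd_rimap", version="1.0"):
    """Wrap the rules in the loadable-module .te form (the shape audit2allow -M
    emits) with the require block the module compiler needs. Module name is
    an assumed placeholder."""
    types, classes = set(), defaultdict(set)
    for (stype, target, tclass), perms in rules.items():
        types.add(stype)
        if target != "self":
            types.add(target)
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + render_allow_rules(rules)
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_LOG.splitlines())
    print(render_module(found))
    print("# name_connect targets to review:", ", ".join(name_connect_targets(found)))
```

Run as-is, the script prints a module whose four allow lines are exactly the ones in the report, and flags pop_port_t as the only port type gaining name_connect; that is the line to check against the port labelling of the policy in use before loading the module.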
Comment 1 Daniel Walsh 2005-07-11 13:12:54 EDT
Fixed in selinux-policy-targeted-1.25.1-9