From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
If MECH=rimap is set in /etc/sysconfig/saslauthd and selinux is in enforcing mode, then saslauthd does not have the required permission to get the job done. To enable this, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te:

# needed for MECH=rimap
allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };

Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch-1.24-3

How reproducible:
Always

Steps to Reproduce:
1. Set up an imap server for mail. A reasonable configuration is to only allow users with imap accounts to forward outgoing mail through sendmail.
2. Configure sendmail to require authentication before forwarding mail messages by editing /etc/mail/sendmail.mc and setting:
define(`confAUTH_OPTIONS', `A')dnl
3. Edit /usr/lib/sasl/smtpd.conf to direct authentication at saslauthd by setting:
pwcheck_method: saslauthd
4. Edit /etc/sysconfig/saslauthd and set the mechanism to use as MECH=rimap.
5. Restart saslauthd and sendmail.
6. Try to send a mail message through sendmail using a mail client such as Microsoft Outlook.

Actual Results:
The login is denied with the following message in /var/log/messages:
Jul 7 15:27:13 ns1 saslauthd[14364]: auth_rimap: couldn't connect to 127.0.0.1/143

Expected Results:
saslauthd should have connected to the imap server to verify if the person could send the message.
Additional info:
To give saslauthd permission to do these operations, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te:

allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };

This was generated using audit2allow, and could possibly be slightly modified, but this definitely removes the restriction that kept saslauthd from connecting to the imap server.
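Added example, not part of the bug report and not code from the Fedora policy package: the same four allow rules from the report packaged as a loadable policy module, built with checkmodule, semodule_package and semodule, so the workaround can be tested and removed again without editing the policy source tree under /etc/selinux/targeted/src. The module name saslauthd_rimap, the scratch path and the require block are my additions; the type and class names (saslauthd_t, netif_lo_t, node_lo_t, pop_port_t) are copied from the report and belong to the FC4-era targeted policy, so on a current policy audit2allow will emit different names and the rules should be regenerated from the live AVC denials rather than copied from here.

```shell
#!/bin/sh
# Added example (not from the bug report or the Fedora policy package).
# Packages the allow rules from the report as a loadable SELinux module.
# Assumptions: module name "saslauthd_rimap" and the file layout are my
# choices; the types come from the report's FC4-era targeted policy.

# Write the module source ($1 = path to the .te file to create).
write_saslauthd_rimap_te() {
    cat > "$1" <<'EOF'
module saslauthd_rimap 1.0;

# Every type and class used below must be declared here for the
# module to link against the base policy.
require {
    type saslauthd_t;
    type netif_lo_t;
    type node_lo_t;
    type pop_port_t;
    class netif { tcp_recv tcp_send };
    class node { tcp_recv tcp_send };
    class tcp_socket { name_connect recv_msg send_msg connect create read write };
}

# needed for MECH=rimap: saslauthd connects to the imap server on 127.0.0.1/143
allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };
EOF
}

# Sanity check: number of allow rules in a .te file (expected 4 here).
count_allow_rules() {
    grep -c '^allow ' "$1"
}

# Compile and load the module. Needs root and the checkpolicy and
# policycoreutils packages; only run on a box where the types exist.
build_and_load() {
    te="$1"
    base="${te%.te}"
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    semodule -i "$base.pp"
}

# Unload the module again once the fixed policy package is installed.
unload() {
    semodule -r saslauthd_rimap
}

case "${1:-}" in
    install) write_saslauthd_rimap_te /tmp/saslauthd_rimap.te && build_and_load /tmp/saslauthd_rimap.te ;;
    remove)  unload ;;
esac
```

Run it as `sh saslauthd_rimap.sh install`, then repeat step 6 and confirm that no new `avc: denied` line for saslauthd_t appears in /var/log/audit/audit.log (or /var/log/messages when auditd is not running); `sh saslauthd_rimap.sh remove` takes the rules out once the fixed selinux-policy-targeted package is in place. Keeping the workaround as a separate module rather than a source edit makes it obvious later which permissions were granted locally and lets them be dropped in one step.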
Fixed in selinux-policy-targeted-1.25.1-9