Bug 239436 - AVC generated for web imap client in review
AVC generated for web imap client in review
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks: 225575
  Show dependency treegraph
 
Reported: 2007-05-08 09:43 EDT by Gwyn Ciesla
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-14 14:37:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gwyn Ciesla 2007-05-08 09:43:56 EDT
From Bernard Johnson:
"
audit(1178594537.211:25): avc:  denied  { name_connect } for  pid=31565
comm="httpd" dest=143 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket

Not sure why it says pop_port_t when I'm using imap but it will need to cover
ports 25, 143, 389, 465, 587, 993.
"
Comment 1 Daniel Walsh 2007-05-14 14:37:40 EDT
All mail ports are grouped under a single type name of pop_port_t.  You need to
turn on the policy boolean httpd_can_network_connect

setsebool -P httpd_can_network_connect=1
Comment 2 Daniel Walsh 2007-05-14 14:39:11 EDT
Also you should install setroubleshoot.  This would have given you an error
message like

Summary
    SELinux is preventing the http daemon from connecting to network port 143

Detailed Description
    SELinux has denied the http daemon from connecting to 143. An http script is
    trying to do a network connect to a remote port. If you did not setup httpd
    to network connections, this could signal a intrusion attempt.

Allowing Access
    If you want httpd to connect to network ports you need to turn on the
    httpd_can_network_network_connect boolean: "setsebool -P
    httpd_can_network_connect=1"

    The following command will allow this access:
    setsebool -P httpd_can_network_connect=1

Additional Information        

Source Context                user_u:system_r:httpd_t
Target Context                system_u:object_r:pop_port_t
Target Objects                None [ tcp_socket ]
Affected RPM Packages         
Policy RPM                    
Selinux Enabled               
Policy Type                   
MLS Enabled                   
Enforcing Mode                
Plugin Name                   plugins.httpd_can_network_connect
Host Name                     
Platform                      
Alert Count                   1
First Seen                    Mon May  7 23:22:17 2007
Last Seen                     Mon May  7 23:22:17 2007
Local ID                      384d3a38-53db-419e-883c-6fea016f18c4
Line Numbers                  1

Raw Audit Messages            

avc: denied { name_connect } for comm="httpd" dest=143 pid=31565
scontext=user_u:system_r:httpd_t:s0 tclass=tcp_socket
tcontext=system_u:object_r:pop_port_t:s0
Comment 3 Bernard Johnson 2007-05-21 15:34:49 EDT
(In reply to comment #1)
> All mail ports are grouped under a single type name of pop_port_t.  You need to
> turn on the policy boolean httpd_can_network_connect
> 
> setsebool -P httpd_can_network_connect=1

Are you suggesting that we do that in %post and reverse it in %postun?  If so,
doesn't that break when multiple packages start using it?

Or, are you suggesting to put in the the README for the package that those are
required for the package to operate normally under selinux?
Comment 4 Daniel Walsh 2007-05-23 13:47:15 EDT
The problem I see here is that we don't have a transition from the httpd domain
to some other domain.  I guess that you are using some kind of
mod_perl/mod_php/mod_python.  So the address space is the same.  If this was a
separate cgi, we could write policy for your app, separate from http_t. 
Allowing httpd_t to connect to the network, opens you up to your web site being
used as a launching site for attacks on other machines.

In order to make this work we should add a new boolean httpd_can_send_mail,
which you could turn on and this would allow httpd to connect to the mail server.
Comment 5 Daniel Walsh 2007-05-23 14:03:40 EDT
Adding policy like the following would satisfy your needs.
tunable_policy(`httpd_can_sendmail',`
	# allow httpd to connect to mail servers
	corenet_tcp_connect_smtp_port(httpd_t)
	corenet_sendrecv_smtp_client_packets(httpd_t)
	corenet_tcp_connect_pop_port(httpd_t)
	corenet_sendrecv_pop_client_packets(httpd_t)
')

http can already connect to ldap ports.

Note You need to log in before you can comment on or make changes to this bug.