commit: acbf0504f0645f997f16b3e70164f3c6acc2be86
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 31 16:09:56 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 2 17:18:09 2015 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=acbf0504
Grant setuid/setgid to courier_pop_t
When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:
Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted
In the audit logs, the following shows up:
type=AVC msg=audit(1419968456.850:190): avc: denied { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
type=AVC msg=audit(1419968532.622:192): avc: denied { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability
The daemon wants to switch user to access the necessary maildir's.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
---
policy/modules/contrib/courier.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/courier.te
b/policy/modules/contrib/courier.te
index bcfb4b2..29057a7 100644
--- a/policy/modules/contrib/courier.te
+++ b/policy/modules/contrib/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
# POP3/IMAP local policy
#
+allow courier_pop_t self:capability { setgid setuid };
allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
allow courier_pop_t courier_authdaemon_t:process sigchld;
