[refpolicy] [PATCH 0/6] Courier IMAPd related policy changes

[refpolicy] [PATCH 0/6] Courier IMAPd related policy changes

[Sven Vermeulen]

Small updates to courier policy in order to have the Courier IMAPd work with the policy.

Sven Vermeulen (6):
  Courier TCPd startup creates imapd.pid.lock and imapd.lock
  Locate authdaemon socket and communicate with authdaemon
  Allow authdaemon to access selinux fs to check SELinux state
  Grant setuid/setgid to courier_pop_t
  Execute courier helper script after authentication
  Courier IMAP needs to manage the users' maildir

 courier.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

-- 
2.0.5

[refpolicy] [PATCH 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock

[Sven Vermeulen]

Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index ae3bc70..112a60b 100644
--- a/courier.te
+++ b/courier.te
@@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
 dev_read_rand(courier_tcpd_t)
 dev_read_urand(courier_tcpd_t)
 
+files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)
+
 miscfiles_read_localization(courier_tcpd_t)
 
 ########################################
-- 
2.0.5

[refpolicy] [PATCH 2/6] Locate authdaemon socket and communicate with authdaemon

[Sven Vermeulen]

Without this, authentication fails. The following is shown in the logs:

Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
Dec 30 19:36:54 localhost imapd: authentication error: Permission denied

Through logon, the daemon (courier_pop_t) wants to locate the socket in
/var/lib/courier to initiate communication with the authdaemon.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index 112a60b..c4ab936 100644
--- a/courier.te
+++ b/courier.te
@@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
 
 allow courier_pop_t courier_var_lib_t:file { read write };
 
+stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
+
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
 miscfiles_read_localization(courier_pop_t)
-- 
2.0.5

[refpolicy] [PATCH 3/6] Allow authdaemon to access selinux fs to check SELinux state

[Sven Vermeulen]

When attempting to authenticate, the PAM module checks if SELinux is
enabled (pam_unix, in order to verify if the chkpwd helper utility needs
to be called). If it fails to check the SELinux state, then authdaemon
will try to access shadow directly (again, through pam_unix).

This only occurs when a user tries to log on as root (on IMAP server) as
non-root users automatically have chkpwd executed.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index c4ab936..07752c2 100644
--- a/courier.te
+++ b/courier.te
@@ -114,6 +114,8 @@ libs_read_lib_files(courier_authdaemon_t)
 
 miscfiles_read_localization(courier_authdaemon_t)
 
+selinux_getattr_fs(courier_authdaemon_t)
+
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
 ########################################
-- 
2.0.5

[refpolicy] [PATCH 4/6] Grant setuid/setgid to courier_pop_t

[Sven Vermeulen]

When trying to log on to the IMAP service, the authentication fails and
the following shows up in the courier logs:

Dec 30 19:40:56 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:40:56 localhost imapd: initgroups: Operation not permitted

In the audit logs, the following shows up:

type=AVC msg=audit(1419968456.850:190): avc:  denied  { setgid } for
pid=4028 comm="imaplogin" capability=6
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

type=AVC msg=audit(1419968532.622:192): avc:  denied  { setuid } for
pid=4118 comm="imaplogin" capability=7
scontext=system_u:system_r:courier_pop_t:s0
tcontext=system_u:system_r:courier_pop_t:s0 tclass=capability

The daemon wants to switch user to access the necessary maildir's.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/courier.te b/courier.te
index 07752c2..6082d5c 100644
--- a/courier.te
+++ b/courier.te
@@ -132,6 +132,7 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
+allow courier_pop_t self:capability { setgid setuid };
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
-- 
2.0.5

[refpolicy] [PATCH 5/6] Execute courier helper script after authentication

[Sven Vermeulen]

After succesful authentication, the IMAP daemon will attempt to execute
a helper script called /usr/lib64/courier-imap/courier-imapd.indirect.
This helper script is to initiate the user session.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index 6082d5c..c06c3ad 100644
--- a/courier.te
+++ b/courier.te
@@ -144,6 +144,8 @@ stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, cour
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
+corecmd_exec_shell(courier_pop_t)
+
 miscfiles_read_localization(courier_pop_t)
 
 userdom_manage_user_home_content_files(courier_pop_t)
-- 
2.0.5

[refpolicy] [PATCH 6/6] Courier IMAP needs to manage the users' maildir

[Sven Vermeulen]

Without these permissions, the logon immediately terminates and the
following shows up in the logs:

Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
Dec 30 19:45:33 localhost imapd: root: Permission denied

The first denial (and many similar ones follow when granted):

type=AVC msg=audit(1419968733.163:197): avc:  denied  { search } for
pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
scontext=system_u:system_r:courier_pop_t:s0
tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 courier.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/courier.te b/courier.te
index c06c3ad..49fa11d 100644
--- a/courier.te
+++ b/courier.te
@@ -148,6 +148,8 @@ corecmd_exec_shell(courier_pop_t)
 
 miscfiles_read_localization(courier_pop_t)
 
+mta_manage_mail_home_rw_content(courier_pop_t)
+
 userdom_manage_user_home_content_files(courier_pop_t)
 userdom_manage_user_home_content_dirs(courier_pop_t)
 
-- 
2.0.5

[refpolicy] [PATCH 1/6] Courier TCPd startup creates imapd.pid.lock and imapd.lock

[Dominick Grift]

On Tue, Dec 30, 2014 at 09:21:34PM +0100, Sven Vermeulen wrote:
> Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  courier.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/courier.te b/courier.te
> index ae3bc70..112a60b 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -172,6 +172,8 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
>  dev_read_rand(courier_tcpd_t)
>  dev_read_urand(courier_tcpd_t)
>  
> +files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file)

Then this should probably go with a file context specification for /var/run/imapd.pid.lock and /var/run/imapd.lock

Could you enclose those as part of this patch if there are none for the above locations already (i could not find them in courier.fc)

> +
>  miscfiles_read_localization(courier_tcpd_t)
>  
>  ########################################
> -- 
> 2.0.5
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/22ac2530/attachment.bin 

[refpolicy] [PATCH 2/6] Locate authdaemon socket and communicate with authdaemon

[Dominick Grift]

On Tue, Dec 30, 2014 at 09:21:35PM +0100, Sven Vermeulen wrote:
> Without this, authentication fails. The following is shown in the logs:
> 
> Dec 30 19:36:54 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
> Dec 30 19:36:54 localhost imapd: authdaemon: s_connect() failed: Permission denied
> Dec 30 19:36:54 localhost imapd: LOGIN FAILED, user=root, ip=[::ffff:192.168.100.152]
> Dec 30 19:36:54 localhost imapd: authentication error: Permission denied
> 
> Through logon, the daemon (courier_pop_t) wants to locate the socket in
> /var/lib/courier to initiate communication with the authdaemon.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  courier.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/courier.te b/courier.te
> index 112a60b..c4ab936 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
>  
>  allow courier_pop_t courier_var_lib_t:file { read write };
>  
> +stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)

Could you explain what a sock file with type courier_var_run_t is doing in a directory with type courier_var_lib_t?

I suspect that above should probably instead be "stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t courier_authdaemon_t)"
If my assumption is wrong then please explain why

> +
>  domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
>  
>  miscfiles_read_localization(courier_pop_t)
> -- 
> 2.0.5
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/59154518/attachment.bin 

[refpolicy] [PATCH 6/6] Courier IMAP needs to manage the users' maildir

[Dominick Grift]

On Tue, Dec 30, 2014 at 09:21:39PM +0100, Sven Vermeulen wrote:
> Without these permissions, the logon immediately terminates and the
> following shows up in the logs:
> 
> Dec 30 19:45:33 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
> Dec 30 19:45:33 localhost imapd: chdir .maildir: Permission denied
> Dec 30 19:45:33 localhost imapd: root: Permission denied
> 
> The first denial (and many similar ones follow when granted):
> 
> type=AVC msg=audit(1419968733.163:197): avc:  denied  { search } for
> pid=4292 comm="courier-imapd" name=".maildir" dev="vda3" ino=393221
> scontext=system_u:system_r:courier_pop_t:s0
> tcontext=root:object_r:mail_home_rw_t:s0 tclass=dir
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  courier.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/courier.te b/courier.te
> index c06c3ad..49fa11d 100644
> --- a/courier.te
> +++ b/courier.te
> @@ -148,6 +148,8 @@ corecmd_exec_shell(courier_pop_t)
>  
>  miscfiles_read_localization(courier_pop_t)
>  
> +mta_manage_mail_home_rw_content(courier_pop_t)
> +

Should this go together with a "mta_home_filetrans_mail_home(courier_pop_t, dir, ".maildir")", i.e. should courier-imapd be able to create that directory if it does not already exist?

>  userdom_manage_user_home_content_files(courier_pop_t)
>  userdom_manage_user_home_content_dirs(courier_pop_t)
>  

The above may, or may not, be redundant now that we have a .maildir with a private type

> -- 
> 2.0.5
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141230/f8a76373/attachment-0001.bin 

[refpolicy] [PATCH 2/6] Locate authdaemon socket and communicate with authdaemon

[Sven Vermeulen]

On Tue, Dec 30, 2014 at 09:47:57PM +0100, Dominick Grift wrote:
> > diff --git a/courier.te b/courier.te
> > index 112a60b..c4ab936 100644
> > --- a/courier.te
> > +++ b/courier.te
> > @@ -137,6 +137,8 @@ allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_s
> >  
> >  allow courier_pop_t courier_var_lib_t:file { read write };
> >  
> > +stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_run_t, courier_authdaemon_t)
> 
> Could you explain what a sock file with type courier_var_run_t is doing in a directory with type courier_var_lib_t?
> 
> I suspect that above should probably instead be "stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t courier_authdaemon_t)"
> If my assumption is wrong then please explain why

Good catch. Indeed, I had a stale courier_var_run_t laying around in an
attempt for reconfiguring the daemons to use /var/run/courier instead of
/var/lib/courier for the socket. But I failed miserably and I don't know why
- it continues to make the socket in /var/lib/courier.

I reset the contexts of /var/lib completely and can confirm that
courier_var_lib_t is what is needed. I'll update the patch to this.

Wkr,
  Sven Vermeulen

[refpolicy] [PATCH 6/6] Courier IMAP needs to manage the users' maildir

[Sven Vermeulen]

On Tue, Dec 30, 2014 at 09:54:21PM +0100, Dominick Grift wrote:
> > diff --git a/courier.te b/courier.te
> > index c06c3ad..49fa11d 100644
> > --- a/courier.te
> > +++ b/courier.te
> > @@ -148,6 +148,8 @@ corecmd_exec_shell(courier_pop_t)
> >  
> >  miscfiles_read_localization(courier_pop_t)
> >  
> > +mta_manage_mail_home_rw_content(courier_pop_t)
> > +
> 
> Should this go together with a "mta_home_filetrans_mail_home(courier_pop_t, dir, ".maildir")", i.e. should courier-imapd be able to create that directory if it does not already exist?

Not here at least. The daemon does not try to create the .maildir - it
expects that it is already there. Without the directory available, the login
fails and in the logs the following is shown:

Dec 31 15:57:06 localhost imapd: Connection, ip=[::ffff:192.168.100.152]
Dec 31 15:57:06 localhost imapd: chdir .maildir: No such file or directory
Dec 31 15:57:06 localhost imapd: root: No such file or directory

There are no denials (even with dontaudits disabled) that show that it
tries to create it. So the admin needs to create it using the maildirmake
application (also provided through the courier-imap package).

> >  userdom_manage_user_home_content_files(courier_pop_t)
> >  userdom_manage_user_home_content_dirs(courier_pop_t)
> >  
> 
> The above may, or may not, be redundant now that we have a .maildir with a private type

Indeed, at least it is not necessary on my test system anymore. I'll remove
it with the patch as well.

Wkr,
	Sven Vermeulen