Bug 162798 - selinux disables MECH=rimap in saslauthd
Summary: selinux disables MECH=rimap in saslauthd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL: selinux disables MECH=rimap in saslauthd
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-07-08 18:31 UTC by Kirk Smith
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.1-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-08-19 07:57:44 UTC



Description Kirk Smith 2005-07-08 18:31:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
If MECH=rimap is set in /etc/sysconfig/saslauthd and selinux is in enforcing mode, then saslauthd does not have the required permission to get the job done.  To enable this, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te

# needed for MECH=rimap

allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };


Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch-1.24-3

How reproducible:
Always

Steps to Reproduce:
1. Set up an imap server for mail.  A reasonable configuration is to only allow users with imap accounts to forward outgoing mail through sendmail.
2. Configure sendmail to require authentication before forwarding mail messages by editing /etc/mail/sendmail.mc and setting: define(`confAUTH_OPTIONS', `A')dnl
3. Edit /usr/lib/sasl/smtpd.conf to direct authentication at saslauthd by setting: pwcheck_method: saslauthd
4. Edit /etc/sysconfig/saslauthd and set the mechanism to use as MECH=rimap.
5. Restart saslauthd and sendmail
6. Try to send a mail message through sendmail using a mail client such as Microsoft Outlook.
  

Actual Results:  The login is denied with the message in /var/log/messages:

Jul  7 15:27:13 ns1 saslauthd[14364]: auth_rimap: couldn't connect to 127.0.0.1/143


Expected Results:  saslauthd should have connected to the imap server to verify if the person could send the message.

Additional info:

To give saslauthd permission to do these operations, add the following lines to /etc/selinux/targeted/src/policy/domains/program/saslauthd.te,

allow saslauthd_t netif_lo_t:netif { tcp_recv tcp_send };
allow saslauthd_t node_lo_t:node { tcp_recv tcp_send };
allow saslauthd_t pop_port_t:tcp_socket { name_connect recv_msg send_msg };
allow saslauthd_t self:tcp_socket { connect create read write };

This was generated using audit2allow, and could possibly be slightly modified, but this definitely removes the restriction that kept saslauthd from connecting to the imap server.
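
The rules above are what audit2allow derives from the AVC denial records: one allow rule per (source type, target type, object class), with the denied permissions merged and a target equal to the source written as self. As an added example, not code from the report or from the selinux-policy package, the following POSIX sh/awk function performs that same translation. The AVC lines it is fed are constructed to resemble what saslauthd produces for MECH=rimap under enforcing mode; the pids, audit ids, timestamps and the function names are assumptions, not output captured from the reporter's system. On a modern Reference Policy system the generated rules would go into a local module built with audit2allow -M rather than into the monolithic policy source tree.

```shell
#!/bin/sh
# Constructed AVC denials (assumed format, not lines from the bug report):
# saslauthd in saslauthd_t tries to open a TCP connection to 127.0.0.1:143.
# Line 11 duplicates line 3 to show that repeated denials collapse into one rule.
SAMPLE_AVC='Jul  7 15:27:12 ns1 kernel: audit(1120750032.101:41): avc:  denied  { create } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
Jul  7 15:27:12 ns1 kernel: audit(1120750032.102:42): avc:  denied  { connect } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
Jul  7 15:27:12 ns1 kernel: audit(1120750032.103:43): avc:  denied  { name_connect } for  pid=14364 comm="saslauthd" dest=143 scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Jul  7 15:27:12 ns1 kernel: audit(1120750032.104:44): avc:  denied  { tcp_send } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32787 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Jul  7 15:27:12 ns1 kernel: audit(1120750032.105:45): avc:  denied  { tcp_send } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32787 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:node_lo_t tclass=node
Jul  7 15:27:12 ns1 kernel: audit(1120750032.106:46): avc:  denied  { send_msg } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=32787 daddr=127.0.0.1 dest=143 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Jul  7 15:27:12 ns1 kernel: audit(1120750032.107:47): avc:  denied  { tcp_recv } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=143 daddr=127.0.0.1 dest=32787 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:netif_lo_t tclass=netif
Jul  7 15:27:12 ns1 kernel: audit(1120750032.108:48): avc:  denied  { tcp_recv } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=143 daddr=127.0.0.1 dest=32787 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:node_lo_t tclass=node
Jul  7 15:27:12 ns1 kernel: audit(1120750032.109:49): avc:  denied  { recv_msg } for  pid=14364 comm="saslauthd" saddr=127.0.0.1 src=143 daddr=127.0.0.1 dest=32787 netif=lo scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Jul  7 15:27:12 ns1 kernel: audit(1120750032.110:50): avc:  denied  { read write } for  pid=14364 comm="saslauthd" scontext=root:system_r:saslauthd_t tcontext=root:system_r:saslauthd_t tclass=tcp_socket
Jul  7 15:27:13 ns1 kernel: audit(1120750033.111:51): avc:  denied  { name_connect } for  pid=14364 comm="saslauthd" dest=143 scontext=root:system_r:saslauthd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket'

# avc_to_allow: read AVC denial records on stdin and print TE allow rules,
# one per (source type, target type, class) with the permissions merged,
# in the same shape audit2allow emits. Assumed helper name, not a system tool.
avc_to_allow() {
  # Pass 1: one "src tgt class perm" line per denied permission.
  awk '
    /avc: *denied/ {
      if (!match($0, /[{][^}]*[}]/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        # The type is the third colon-separated field of a security context
        # (user:role:type[:level]), so this also copes with MLS contexts.
        if (index($i, "scontext=") == 1) { split(substr($i, 10), p, ":"); src = p[3] }
        else if (index($i, "tcontext=") == 1) { split(substr($i, 10), p, ":"); tgt = p[3] }
        else if (index($i, "tclass=") == 1) { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next
      if (tgt == src) tgt = "self"          # audit2allow writes this as self
      n = split(perms, pl, " ")
      for (j = 1; j <= n; j++) if (pl[j] != "") print src, tgt, cls, pl[j]
    }' |
  # Deduplicate and give the output a stable order (C locale, so "_" sorts bytewise).
  LC_ALL=C sort -u |
  # Pass 2: fold consecutive lines with the same (src, tgt, class) into one rule.
  awk '
    {
      key = $1 " " $2 ":" $3
      if (key != last) {
        if (last != "") print "allow " last " { " acc " };"
        last = key; acc = $4
      } else acc = acc " " $4
    }
    END { if (last != "") print "allow " last " { " acc " };" }'
}

# generate_saslauthd_rules: run the translation over the constructed sample.
generate_saslauthd_rules() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

generate_saslauthd_rules
```

Run against the constructed sample this prints the four rules from the report; feeding it `grep avc: /var/log/messages` (or `ausearch -m avc` on an auditd system) gives the rules for whatever the running policy actually denied. As always with audit2allow output, review each rule before loading it: the denial shows what the process attempted, not whether that access should be permitted.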

Comment 1 Daniel Walsh 2005-07-11 17:12:54 UTC
Fixed in  selinux-policy-targeted-1.25.1-9

