-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/03/2013 09:38 AM, Charles Bradshaw wrote:
> I am configuring sendmail authentication using cyrus-sasl on a Fedora 17
> server. The server, when it goes live, will essentially run Apache and mail
> for a number of domains. I intend that selinux will run 'enforcing' with
> 'targeted' policy.
>
> I have installed cyrus-sasl and initially test it as follows: Modify
> /etc/sysconfig/saslauthd MECH=pam -> MECH=shadow
>
> [root@..]# systemctl restart saslauthd.service
> [root@..]# make reload
> [root@..]# setenforce 0
> [root@..]# testsaslauthd -u foo -p foospwd
> 0: OK "Success."
>
> OK saslauthd works, but I get selinux alerts, so:
>
> [root@..]# grep saslauthd /var/log/audit/audit.log | audit2allow -M saslpol
> [root@..]# cat saslpol.te
> module saslpol 1.0;
>
> require {
>         type saslauthd_t;
>         class capability { sys_nice dac_read_search dac_override };
>         class process setsched;
> }
>
> allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
> allow saslauthd_t self:process setsched;
>
> Which looks fine to my un-educated eyes. But before I semodule -i saslpol.pp,
> and taking seriously Bill McCarty's "evil" warning in his discussion of the
> use of audit2allow in the O'Reilly book, I need to know what I'm doing, right?
>
> Fundamentally I'm going to allow the process saslauthd access to
> /etc/shadow, which by definition is a potential security hole!
>
> The following questions arise:
>
> 0 - I suppose the first question is: Should I be using some other
> authentication mechanism rather than shadow for saslauth? Historically
> I've avoided PAM, allowing only SSH server login using certificates.
> Therefore avoiding the PAM learning curve.
>
> 1 - Given that, in the short term, I am getting too old to fully
> understand the subtle depths and complexities of selinux, how far should I
> trust the resulting saslpol.te above?
>
> 2 - Is it possible to determine what other actions sys_nice,
> dac_read_search, dac_override get allowed for saslauthd?
>
> 3 - Should I test that my saslpol is the minimum required, for example by
> including each capability target one at a time and in combination, and
> testing the results at each step?
>
> I hope that's not too many questions in one post. Thanks in advance,
> Charles Bradshaw
>
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
Have you tried the saslauthd_read_shadow boolean?
sesearch -A -C | grep saslauthd_read
DT allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ saslauthd_read_shadow ]
DT allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ saslauthd_read_shadow ]
DT allow saslauthd_t saslauthd_t : capability dac_override ; [ saslauthd_read_shadow ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlDlqtQACgkQrlYvE4MpobOUmACgnDdlu1aL0ERd3E9SyczoArI9
wFsAoJsofgUm7kKsCiwH4TaEWs7pdAgf
=CTe0
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
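The reply's point is that the stock policy already ships a boolean for exactly this case, so the question "what else would my audit2allow module allow?" can be answered by reading the conditional rules rather than by trial and error. The script below is an added example and is not code from either mail or from the SELinux project: it parses `sesearch -A -C` output (the reply's three rules, embedded as constructed sample text, plus one line with a hypothetical boolean name), reports which rules a boolean gates and whether it is currently on, and then checks which of the four permissions the quoted saslpol.te asked for are not covered by the boolean. The reading of the first column follows setools' sesearch -C convention (E/D = rule currently enabled/disabled, T/F = true/false branch), so "DT" means the boolean is off. Everything else (function names, the sample lines) is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses `sesearch -A -C` output
# to show what a boolean enables, whether it is on, and which permissions
# from the audit2allow module it does NOT cover.

# Constructed sample of `sesearch -A -C` output, one rule per line (the
# mail wrapped the lines). The last line uses a hypothetical boolean name.
# First column: E/D = rule currently enabled/disabled, T/F = true/false
# branch of the conditional; "DT" means the boolean is currently off.
SESEARCH_OUTPUT='DT allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ saslauthd_read_shadow ]
DT allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ saslauthd_read_shadow ]
DT allow saslauthd_t saslauthd_t : capability dac_override ; [ saslauthd_read_shadow ]
ET allow saslauthd_t saslauthd_t : process setsched ; [ hypothetical_example_bool ]'

# rules_for_boolean BOOL: print the rules whose condition is "[ BOOL ]".
rules_for_boolean() {
    printf '%s\n' "$SESEARCH_OUTPUT" | awk -v b="$1" '$NF == "]" && $(NF-1) == b'
}

# rule_count BOOL: number of rules gated by BOOL.
rule_count() {
    rules_for_boolean "$1" | wc -l | tr -d ' '
}

# boolean_state BOOL: "on" or "off" from the E/D flag of its first rule,
# "unknown" if no conditional rule mentions it.
boolean_state() {
    printf '%s\n' "$SESEARCH_OUTPUT" | awk -v b="$1" '
        $(NF-1) == b { s = (substr($1, 1, 1) == "E") ? "on" : "off"; print s; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# covered_by_boolean BOOL PERM: succeed if a rule gated by BOOL grants PERM.
covered_by_boolean() {
    rules_for_boolean "$1" | grep -qw -- "$2"
}

# The permissions audit2allow put into the quoted saslpol.te.
WANTED_PERMS="sys_nice dac_override dac_read_search setsched"

# report BOOL: print the rules, the state, and the coverage of WANTED_PERMS.
report() {
    bool=$1
    echo "boolean $bool is $(boolean_state "$bool") and gates $(rule_count "$bool") rule(s):"
    rules_for_boolean "$bool"
    for p in $WANTED_PERMS; do
        if covered_by_boolean "$bool" "$p"; then
            echo "  $p: covered by $bool"
        else
            echo "  $p: NOT covered; needs a separate module, or is a denial to investigate first"
        fi
    done
    echo "to enable persistently: setsebool -P $bool on   (verify with: getsebool $bool)"
}

report saslauthd_read_shadow
```

On a real box, replace the embedded sample with `sesearch -A -C -s saslauthd_t` output; the coverage loop then tells you directly that the boolean accounts for dac_override but not for sys_nice, dac_read_search or setsched, which is the part of the audit2allow module that still deserves a look at the original AVC denials before anything is installed with semodule -i.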