Mailing List Archive: Gentoo: Hardened

[selinux] courier-imap


stefan at sf-net

Mar 20, 2005, 7:40 AM

Post #1 of 7
[selinux] courier-imap

Hi,

When I try to get my email through fetchmail, I often get an error. Only
one attempt out of three is successful. I'm using
net-mail/courier-imap-4.0.1
and the latest courier-policy from the homepage of kaiowas.

/var/log/mail.log:
Mar 20 15:18:59 X imapd-ssl: couriertls: accept: error:140B544E:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Mar 20 15:26:05 X imapd-ssl: couriertls: accept: error:140B544E:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed

and fetchmail displays:
fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
20 15:27:44 2005: poll started
fetchmail: SSL connection failed.
fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
20 15:27:45 2005: poll completed
fetchmail: Query status=3 (AUTHFAIL)
fetchmail: normal termination, status 3

The avc log (dmesg) is completely empty. I don't get any errors.
The bug is not reproducible. The only thing I can do is to disable
selinux (echo 0 > /selinux/enforce), then get the mails and lock selinux
again (echo 1 > /selinux/enforce).
This behaviour seems a little strange to me, because I can't get
the mails on every try when selinux is in enforcing mode, but when I
switch selinux off I can get the mails without any problems. And the
avc log is still empty. I searched for dontaudits in the policy but didn't
find any suitable ones.
I'm using only the courier-imapd-ssl feature. Are there any known
problems?

Stefan


kaiowas at gentoo

Mar 20, 2005, 1:59 PM

Post #2 of 7
Re: [selinux] courier-imap [In reply to]

Hi Stefan,

Stefan SF wrote:
> Hi,
>
> When I try to get my email through fetchmail, I often get an error. Only
> one attempt out of three is successful. I'm using
> net-mail/courier-imap-4.0.1
> and the latest courier-policy from the homepage of kaiowas.
>
> /var/log/mail.log:
> Mar 20 15:18:59 X imapd-ssl: couriertls: accept: error:140B544E:SSL
> routines:SSL_GET_NEW_SESSION:ssl session id callback failed
> Mar 20 15:26:05 X imapd-ssl: couriertls: accept: error:140B544E:SSL
> routines:SSL_GET_NEW_SESSION:ssl session id callback failed
>
> and fetchmail displays:
> fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
> 20 15:27:44 2005: poll started
> fetchmail: SSL connection failed.
> fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
> 20 15:27:45 2005: poll completed
> fetchmail: Query status=3 (AUTHFAIL)
> fetchmail: normal termination, status 3
>
> The avc log (dmesg) is completely empty. I don't get any errors.
> The bug is not reproducible. The only thing I can do is to disable
> selinux (echo 0 > /selinux/enforce), then get the mails and lock selinux
> again (echo 1 > /selinux/enforce).
> This behaviour seems a little strange to me, because I can't get
> the mails on every try when selinux is in enforcing mode, but when I
> switch selinux off I can get the mails without any problems. And the
> avc log is still empty. I searched for dontaudits in the policy but didn't
> find any suitable ones.
> I'm using only the courier-imapd-ssl feature. Are there any known
> problems?

None I'm aware of. I use 4.0.1 courier-pop3-ssl and courier-imapd-ssl on 2 boxes without any problems.

I'm not sure if this is how you tried to fix it, but just to make sure, here goes:
echo 1 > /selinux/enforce
dmesg -c
make -C /etc/security/selinux/src/policy enableaudit
make -C /etc/security/selinux/src/policy load

If there is no clear denial you can point your finger at, then your problem might be of another nature.

bye,
peter

>
> Stefan


--
petre rodan
<kaiowas [at] gentoo>
Developer,
Hardened Gentoo Linux


stefan at sf-net

Mar 22, 2005, 7:21 AM

Post #3 of 7
Re: [selinux] courier-imap [In reply to]

Hi!

> make -C /etc/security/selinux/src/policy enableaudit

I didn't know about the audit function. This helped me a lot. Now, after
3 days and hundreds of logins, I don't have any more problems. The only
rules I had to add were these:

allow courier_tcpd_t urandom_device_t:{ chr_file file } read;
allow courier_imap_t urandom_device_t:{ chr_file file } read;

Through enableaudit, avc logged the denials.

Thanks!

-Stefan

--
gentoo-hardened [at] gentoo mailing list


pebenito at gentoo

Mar 22, 2005, 4:26 PM

Post #4 of 7
Re: [selinux] courier-imap [In reply to]

On Tue, 2005-03-22 at 15:21 +0100, Stefan SF wrote:
> allow courier_tcpd_t urandom_device_t:{ chr_file file } read;
> allow courier_imap_t urandom_device_t:{ chr_file file } read;

Woah, there aren't supposed to be any files labeled urandom_device_t.
Either you misread the denials, or something is wrong.

--
Chris PeBenito
<pebenito [at] gentoo>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243


stefan at sf-net

Mar 23, 2005, 4:03 AM

Post #5 of 7
Re: [selinux] courier-imap [In reply to]

> Woah, there aren't supposed to be any files labeled urandom_device_t.
> Either you misread the denials, or something is wrong.

ls -lZ /dev/urandom
cr--r--r-- root root system_u:object_r:urandom_device_t
/dev/urandom

You make me feel nervous :)

What about your /dev/urandom? What is it labeled as?

-Stefan

PS: I've got two machines running gentoo-selinux which have the same
labeled devices.


dfisher at stealthnetworks

Mar 23, 2005, 4:40 AM

Post #6 of 7
Re: [selinux] courier-imap [In reply to]

On Wed, 23 Mar 2005 12:03:09 +0100
Stefan SF <stefan [at] sf-net> wrote:

> ls -lZ /dev/urandom
> cr--r--r-- root root system_u:object_r:urandom_device_t
> /dev/urandom

I have an x86 and a ~x86 and both are labeled

ls -lZ /dev/urandom
cr--r--r-- root root system_u:object_r:urandom_device_t
/dev/urandom

as well



pebenito at gentoo

Mar 23, 2005, 6:34 PM

Post #7 of 7
Re: [selinux] courier-imap [In reply to]

On Wed, 2005-03-23 at 12:03 +0100, Stefan SF wrote:
> > Woah, there aren't supposed to be any files labeled urandom_device_t.
> > Either you misread the denials, or something is wrong.
>
> ls -lZ /dev/urandom
> cr--r--r-- root root system_u:object_r:urandom_device_t
> /dev/urandom
>
> You make me feel nervous :)

This is correct, /dev/urandom is supposed to be a chr_file, and the only
object in the filesystem labeled urandom_device_t. But you had these
rules in your previous post:

allow courier_tcpd_t urandom_device_t:{ chr_file file } read;
allow courier_imap_t urandom_device_t:{ chr_file file } read;

There's a difference between file and chr_file :) You don't want file in
these rules, only chr_file. Since you had file in there too, I figured
that something was going on.

--
Chris PeBenito
<pebenito [at] gentoo>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

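The two practical points of this thread, that a denial suppressed by a dontaudit rule only becomes visible once auditing of dontaudit rules is switched on, and that an allow rule must name exactly the object class the denial reports (chr_file for /dev/urandom, not file), can both be checked mechanically. The script below is an added example written for this page, not code from the thread or from Gentoo: it parses AVC denial lines in the kernel-log (dmesg) format, merges them into the minimal allow rules, and reports anything a hand-written rule grants that no denial asked for. The denial lines embedded in it are constructed for the example (pids, inode numbers and audit timestamps are made up); the type and class names are the ones from the thread.

```python
"""Derive minimal SELinux allow rules from AVC denials and flag over-broad rules.

Added example for this thread, not code from the thread or from Gentoo.
It assumes the kernel-log AVC line format; the sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# Constructed sample dmesg output (illustrative, not from the original thread).
# The last line is a courier log line, included to show non-AVC text is skipped.
SAMPLE_DMESG = """\
audit(1111330739.123:45): avc:  denied  { read } for  pid=4211 comm="couriertls" name="urandom" dev=tmpfs ino=1025 scontext=system_u:system_r:courier_tcpd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1111330739.456:46): avc:  denied  { read } for  pid=4212 comm="imapd" name="urandom" dev=tmpfs ino=1025 scontext=system_u:system_r:courier_imap_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1111330740.001:47): avc:  denied  { getattr } for  pid=4212 comm="imapd" name="urandom" dev=tmpfs ino=1025 scontext=system_u:system_r:courier_imap_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Mar 20 15:18:59 X imapd-ssl: couriertls: accept: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
"""


class Denial(NamedTuple):
    stype: str              # source (domain) type, e.g. courier_tcpd_t
    ttype: str              # target type, e.g. urandom_device_t
    tclass: str             # object class as reported, e.g. chr_file (not file)
    perms: FrozenSet[str]   # permissions denied in this one event


AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\w+)'
)


def _type_of(context: str) -> str:
    # user:role:type[:mls] -> type; splitting keeps MLS-labelled systems working
    return context.split(':')[2]


def parse_denials(log_text: str) -> List[Denial]:
    """Extract (source type, target type, class, perms) from each AVC denial."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        found.append(Denial(
            stype=_type_of(m.group('scontext')),
            ttype=_type_of(m.group('tcontext')),
            tclass=m.group('tclass'),
            perms=frozenset(m.group('perms').split()),
        ))
    return found


def _fmt_set(items) -> str:
    items = sorted(items)
    return items[0] if len(items) == 1 else '{ ' + ' '.join(items) + ' }'


def derive_allow_rules(denials: List[Denial]) -> List[str]:
    """Merge denials per (domain, type, class) into one minimal allow rule each."""
    merged: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for d in denials:
        merged[(d.stype, d.ttype, d.tclass)].update(d.perms)
    return [f'allow {s} {t}:{c} {_fmt_set(p)};'
            for (s, t, c), p in sorted(merged.items())]


RULE_RE = re.compile(
    r'^\s*allow\s+(?P<stype>\w+)\s+(?P<ttype>\w+):'
    r'(?P<classes>\{[^}]*\}|\w+)\s+(?P<perms>\{[^}]*\}|\w+)\s*;\s*$'
)


def _set_of(token: str) -> FrozenSet[str]:
    return frozenset(token.strip('{}').split())


def unjustified_grants(rule: str, denials: List[Denial]) -> List[str]:
    """List every class:perm the rule grants that no observed denial asked for.

    A rule written as '{ chr_file file }' for /dev/urandom grants file access
    nothing was denied for; this returns ['file:read'] for such a rule.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f'not an allow rule: {rule!r}')
    wanted = {(d.tclass, p) for d in denials
              if d.stype == m.group('stype') and d.ttype == m.group('ttype')
              for p in d.perms}
    granted = {(c, p) for c in _set_of(m.group('classes'))
               for p in _set_of(m.group('perms'))}
    return sorted(f'{c}:{p}' for c, p in granted - wanted)


if __name__ == '__main__':
    found = parse_denials(SAMPLE_DMESG)
    for rule in derive_allow_rules(found):
        print(rule)
    posted = 'allow courier_tcpd_t urandom_device_t:{ chr_file file } read;'
    print('extra grants in posted rule:', unjustified_grants(posted, found))
```

Running it prints the two chr_file-only rules and reports `file:read` as the extra grant in the rule posted earlier in the thread; the parsing step is what audit2allow does. On a current system the equivalent of `make enableaudit` and its reverse is `semodule -DB` and `semodule -B`, which rebuild the policy with dontaudit rules disabled or re-enabled.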
