[selinux] courier-imap
Hi,

if I try to get my email through fetchmail, I often get an error. From
three times only one is successful. I'm using
net-mail/courier-imap-4.0.1
and the latest courier-policy from the hp of kaiowas.

/var/log/mail.log:
Mar 20 15:18:59 X imapd-ssl: couriertls: accept: error:140B544E:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Mar 20 15:26:05 X imapd-ssl: couriertls: accept: error:140B544E:SSL
routines:SSL_GET_NEW_SESSION:ssl session id callback failed

and fetchmail displays:
fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
20 15:27:44 2005: poll started
fetchmail: SSL connection failed.
fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
20 15:27:45 2005: poll completed
fetchmail: Query status=3 (AUTHFAIL)
fetchmail: normal termination, status 3

The log of the avc is completely empty (dmesg). I don't get any errors.
The bug is not reproducible. The only thing I can do is to disable
selinux (echo 0 > /selinux/enforce), then get the mails and lock selinux
(echo 1 > /selinux/enforce).
This behaviour sounds a little bit strange to me, because I can't get
the mails on every try when selinux is in enforcing mode. But when I
switch off selinux I can get the mails without any problems. And the
avc is still empty. I searched for dontaudits in the policy but didn't
find any suitable one.
I'm using only the courier-imapd-ssl feature. Are there any known
problems?

Stefan
Re: [selinux] courier-imap
Hi Stefan,

Stefan SF wrote:
> Hi,
>
> if I try to get my email through fetchmail, I often get an error. From
> three times only one is successful. I'm using
> net-mail/courier-imap-4.0.1
> and the latest courier-policy from the hp of kaiowas.
>
> /var/log/mail.log:
> Mar 20 15:18:59 X imapd-ssl: couriertls: accept: error:140B544E:SSL
> routines:SSL_GET_NEW_SESSION:ssl session id callback failed
> Mar 20 15:26:05 X imapd-ssl: couriertls: accept: error:140B544E:SSL
> routines:SSL_GET_NEW_SESSION:ssl session id callback failed
>
> and fetchmail displays:
> fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
> 20 15:27:44 2005: poll started
> fetchmail: SSL connection failed.
> fetchmail: 6.2.5 querying mail.X.net (protocol IMAP) at Sun Mar
> 20 15:27:45 2005: poll completed
> fetchmail: Query status=3 (AUTHFAIL)
> fetchmail: normal termination, status 3
>
> The log of the avc ist completely empty (dmesg). I don't get any errors.
> The bug is not reproduceable. The only thing what I can do is to disable
> selinux (echo 0 > /selinux/enforce) then get the mails and lock selinux
> (echo 1 > /selinux/enforce).
> This behaviour sounds to me a little bit strange, because I can't get
> the mails in every try when selinux is in enforcing mode. But when I
> switch of the selinux I can get the mails without any problems. And the
> avc is still empty. I searched for dontaudits in the policy but didn't
> find any suitable.
> I'm using only the courier-imapd-ssl feature. Are there any problems
> known?

None I'm aware of. I do use 4.0.1 courier-pop3-ssl and courier-imapd-ssl on 2 boxes without any problems.

I'm not sure if this is how you tried to fix it, but just to make sure, here goes:
echo 1 > /selinux/enforce
dmesg -c
make -C /etc/security/selinux/src/policy enableaudit
make -C /etc/security/selinux/src/policy load

If there is no clear denial you can point your finger to, then your problem might be of another nature.

bye,
peter

>
> Stefan


--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
Re: [selinux] courier-imap
Hi!

> make -C /etc/security/selinux/src/policy enableaudit

I didn't know about the audit function. This helped me a lot. Now after
3 days and hundreds of logins I don't have any more problems. The only
rules I had to add were these:

allow courier_tcpd_t urandom_device_t:{ chr_file file } read;
allow courier_imap_t urandom_device_t:{ chr_file file } read;

Through enableaudit, the avc logged the denials.

Thanks!

-Stefan

--
gentoo-hardened@gentoo.org mailing list
Re: [selinux] courier-imap
On Tue, 2005-03-22 at 15:21 +0100, Stefan SF wrote:
> allow courier_tcpd_t urandom_device_t:{ chr_file file } read;
> allow courier_imap_t urandom_device_t:{ chr_file file } read;

Woah, there aren't supposed to be any files labeled urandom_device_t.
Either you misread the denials, or something is wrong.

--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
Re: [selinux] courier-imap
> Woah, there aren't supposed to be any files labeled urandom_device_t.
> Either you misread the denials, or something is wrong.

ls -lZ /dev/urandom
cr--r--r-- root root system_u:object_r:urandom_device_t /dev/urandom

You make me feel nervous :)

What about your /dev/urandom? What is it labeled as?

-Stefan

PS: I've got two machines running gentoo-selinux which have the same
labeled devices.
Re: [selinux] courier-imap
On Wed, 23 Mar 2005 12:03:09 +0100
Stefan SF <stefan@sf-net.com> wrote:

> ls -lZ /dev/urandom
> cr--r--r-- root root system_u:object_r:urandom_device_t
> /dev/urandom

I have an x86 and a ~x86 box and both are labeled

ls -lZ /dev/urandom
cr--r--r-- root root system_u:object_r:urandom_device_t /dev/urandom

as well

Re: [selinux] courier-imap
On Wed, 2005-03-23 at 12:03 +0100, Stefan SF wrote:
> > Woah, there aren't supposed to be any files labeled urandom_device_t.
> > Either you misread the denials, or something is wrong.
>
> ls -lZ /dev/urandom
> cr--r--r-- root root system_u:object_r:urandom_device_t
> /dev/urandom
>
> You make me feel nervous :)

This is correct, /dev/urandom is supposed to be a chr_file, and the only
object in the filesystem labeled urandom_device_t. But you had these
rules in your previous post:

allow courier_tcpd_t urandom_device_t:{ chr_file file } read;
allow courier_imap_t urandom_device_t:{ chr_file file } read;

There's a difference between file and chr_file :) You don't want file in
these rules, only chr_file. Since you had file in there too, I figured
that something was going on.

--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
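The denials that enableaudit surfaces can be turned into rules mechanically, and doing so avoids the mistake discussed above: the object class should be copied from the denial's tclass field, so a /dev/urandom denial yields chr_file only. The POSIX shell snippet below is an added example, not code from any poster; the SAMPLE_AVC lines are constructed to mirror the thread (not real logs) and the avc_to_allow and mode_class helpers are my own.

```shell
#!/bin/sh
# Added example, not code from any poster: derive allow rules from AVC
# denials, taking the object class from each denial's tclass= field so a
# /dev/urandom denial produces "chr_file" only, never "file".
# SAMPLE_AVC is constructed to mirror the thread; it is not a real log.
SAMPLE_AVC='avc:  denied  { read } for  pid=1234 comm="couriertcpd" name="urandom" dev=tmpfs ino=9 scontext=system_u:system_r:courier_tcpd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
avc:  denied  { read } for  pid=1235 comm="imapd" name="urandom" dev=tmpfs ino=9 scontext=system_u:system_r:courier_imap_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file'

# avc_to_allow: read denial lines on stdin, print one allow rule per denial.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # permissions sit between the braces that follow "denied"
        if (match($0, /denied +[{][^}]*[}]/)) {
            perms = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] */, "", perms)
            sub(/ *[}]$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) {
                split(substr($i, 10), a, ":"); s = a[3]   # subject type
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), b, ":"); t = b[3]   # object type
            } else if ($i ~ /^tclass=/) {
                c = substr($i, 8)                         # object class as logged
            }
        }
        if (s != "" && t != "" && c != "" && perms != "")
            printf "allow %s %s:%s %s;\n", s, t, c, perms
    }'
}

# mode_class: map the first character of an ls -lZ line to its SELinux
# object class; "cr--r--r--" for /dev/urandom is a chr_file, not a file.
mode_class() {
    case "$1" in
        c*) echo chr_file ;;
        b*) echo blk_file ;;
        d*) echo dir ;;
        l*) echo lnk_file ;;
        -*) echo file ;;
        *)  echo unknown ;;
    esac
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Run against real denials with `dmesg | avc_to_allow` after the enableaudit/load steps Peter gives above, and compare each emitted class with `mode_class "$(ls -lZ <path>)"` before adding a rule.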