
Bug 37179

Summary: courier-imap policy files
Product: Gentoo Security
Reporter: petre rodan (RETIRED) <kaiowas>
Component: Vulnerabilities
Assignee: Chris PeBenito (RETIRED) <pebenito>
Status: VERIFIED TEST-REQUEST
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---
Attachments (description, flags):
file_contexts, none
type enforcement, none
type enforcement, none
file contexts, none

Description petre rodan (RETIRED) gentoo-dev 2004-01-04 04:48:34 UTC
new selinux policy files
Comment 1 petre rodan (RETIRED) gentoo-dev 2004-01-04 04:49:07 UTC
Created attachment 23129
file_contexts
Comment 2 petre rodan (RETIRED) gentoo-dev 2004-01-04 04:49:42 UTC
Created attachment 23130
type enforcement
Comment 3 Chris PeBenito (RETIRED) gentoo-dev 2004-01-04 18:27:09 UTC
Is there a reason you renamed courier.te to courier-imap.te?  Especially when it says it handles the imap and pop servers?
Comment 4 petre rodan (RETIRED) gentoo-dev 2004-01-04 23:06:37 UTC
Yes, there is another package (net-mail/courier) that is an MTA.

These two packages have no dependencies one over the other, so I guess they should have different policy files. As a matter of fact I'm using net-mail/courier-imap with qmail (this has no effect over the policy).

bye,
peter
Comment 5 Chris PeBenito (RETIRED) gentoo-dev 2004-01-06 13:03:20 UTC
Hmm, these are extensive changes compared to the NSA and Russell's policies.  Could you tell me more about them?
Comment 6 petre rodan (RETIRED) gentoo-dev 2004-01-07 00:22:10 UTC
the original policy was that from Russell, and I made the following changes:

* added courier_shadow_t type. this is the label for the /etc/userdb* files that are used for authentication, for getting uid, gid and maildir location info (used if authdb or authcram authentication is used). tested with both authdb and authcram.
* replaced courier_pop (or smth) with courier_imap (which really is the name of the package in discussion)
* remade the file_contexts so they match the gentoo file locations.
* added support for couriertls (tested with secure imap)
* removed sqwebmail (http://www.inter7.com/sqwebmail.html) support, since it's a different package and if I am correct it's not even in portage.

things not tested:
* calendaring (I'm pretty sure it's not part of courier-imap, and if it's the case those 3 lines from .te can be removed)
* selinux networking support.

I have been using this policy for more than a week and it's rock solid.

BTW. I'm quite busy these days, please don't be upset if I respond with a greater delay :(
Comment 7 petre rodan (RETIRED) gentoo-dev 2004-01-11 08:25:16 UTC
Created attachment 23599
type enforcement

selinux-base-policy-20031225 friendly
Comment 8 petre rodan (RETIRED) gentoo-dev 2004-01-27 13:03:24 UTC
Created attachment 24497
file contexts

support for pid files (gentoo default locations)
Comment 9 Chris PeBenito (RETIRED) gentoo-dev 2004-02-03 20:35:26 UTC
committed to portage
Comment 10 petre rodan (RETIRED) gentoo-dev 2004-02-05 12:24:52 UTC
flawless :)