How should I allow saslauthd access to shadow?

Charles Bradshaw brad at gx110.bradcan.homelinux.com
Thu Jan 3 14:38:20 UTC 2013


I am configuring sendmail authentication using cyrus-sasl on a Fedora 17 server.
The server, when it goes live, will essentially run Apache and mail for a
number of domains.
I intend that selinux will run 'enforcing' with 'targeted' policy.

I have installed cyrus-sasl and initially tested it as follows:
Modify /etc/sysconfig/saslauthd
MECH=pam -> MECH=shadow

[root at ..]# systemctl restart saslauthd.service
[root at ..]# make reload
[root at ..]# setenforce 0
[root at ..]# testsaslauthd -u foo -p foospwd
0: OK "Success."

OK, saslauthd works, but I get selinux alerts, so:

[root at ..]# grep saslauthd /var/log/audit/audit.log | audit2allow -M saslpol
[root at ..]# cat saslpol.te
module saslpol 1.0;
require {
         type saslauthd_t;
         class capability { sys_nice dac_read_search dac_override };
         class process setsched;
}
allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
allow saslauthd_t self:process { setsched };

Which looks fine to my uneducated eyes.

Before I run semodule -i saslpol.pp, and taking seriously Bill McCarty's "evil"
warning in his discussion of the use of audit2allow in the O'Reilly book,
I need to know what I'm doing, right?

Fundamentally I'm going to allow the process saslauthd access to
/etc/shadow, which by definition is a potential security hole!

The following questions arise:

0 - I suppose the first question is: Should I be using some other
authentication mechanism rather than shadow for saslauth? Historically I've
avoided PAM, allowing only SSH server login using certificates, thereby
avoiding the PAM learning curve.

1 - Given that, in the short term, I am getting too old to fully understand
the subtle depths and complexities of selinux, how far should I trust the
resulting saslpol.te above?

2 - Is it possible to determine what other actions sys_nice, dac_read_search
and dac_override allow for saslauthd?

3 - Should I test that my saslpol is the minimum required? For example, by
including each capability target one at a time and in combination, and
testing the results at each step?

I hope that's not too many questions in one post. Thanks in advance, Charles
Bradshaw
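
One way to see where each rule in a generated module comes from before loading it, as an added example that is not part of the original post: the script groups AVC denials by source type, target, class and permission and prints each allow rule beside the audit records behind it. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the post).
# Assumption: each record carries comm=, scontext=, tcontext= and tclass= fields.
SAMPLE_LOG = """\
type=AVC msg=audit(1357223880.101:501): avc:  denied  { dac_override } for  pid=2101 comm="saslauthd" capability=1  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1357223880.102:502): avc:  denied  { dac_read_search } for  pid=2101 comm="saslauthd" capability=2  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1357223880.103:503): avc:  denied  { sys_nice } for  pid=2101 comm="saslauthd" capability=23  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1357223880.104:504): avc:  denied  { setsched } for  pid=2101 comm="saslauthd" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=process
type=AVC msg=audit(1357223891.220:507): avc:  denied  { dac_read_search } for  pid=2101 comm="saslauthd" capability=2  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1357223895.310:509): avc:  denied  { connectto } for  pid=2300 comm="sendmail" path="/run/saslauthd/mux" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r'msg=audit\((?P<stamp>[\d.]+:\d+)\).*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')

def domain(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def collect(log_text, comm="saslauthd"):
    """Map (source type, target type, class) -> {permission: [audit record ids]}."""
    rules = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm:
            continue  # skip non-AVC lines and records raised by other programs
        key = (domain(m["scon"]), domain(m["tcon"]), m["tclass"])
        for perm in m["perms"].split():
            rules[key][perm].append(m["stamp"])
    return rules

def render(rules):
    """Emit one allow rule per key, preceded by the records that justify it."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        for perm, stamps in sorted(perms.items()):
            out.append(f"# {perm}: {len(stamps)} denial(s), first audit({stamps[0]})")
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(collect(SAMPLE_LOG)))
```

The last sample record names saslauthd only in its target context and path, so a plain `grep saslauthd` would pass it on to audit2allow, while filtering on the comm field leaves it out of the result.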


