I am configuring sendmail authentication using cyrus-sasl on a Fedora 17 server.
The server, when it goes live, will essentially run Apache and mail for a
number of domains.
I intend that selinux will run 'enforcing' with 'targeted' policy.
I have installed cyrus-sasl and initially test it as follows:
Modify /etc/sysconfig/saslauthd
MECH=pam -> MECH=shadow
[root@..]# systemctl restart saslauthd.service
[root@..]# make reload
[root@..]# setenforce 0
[root@..]# testsaslauthd -u foo -p foospwd
0: OK "Success."
OK saslauthd works, but I get selinux alerts, so:
[root@..]# grep saslauthd /var/log/audit/audit.log | audit2allow -M saslpol
[root@..]# cat saslpol.te
module saslpol 1.0;

require {
        type saslauthd_t;
        class capability { sys_nice dac_read_search dac_override };
        class process setsched;
}

allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
allow saslauthd_t self:process setsched;
Which looks fine to my un-educated eyes.
Before I run semodule -i saslpol.pp, and taking seriously Bill McCarty's "evil"
warning in his discussion of the use of audit2allow in the O'Reilly book,
I need to know what I'm doing, right?
Fundamentally I'm going to allow the process saslauthd access to
/etc/shadow, which by definition is a potential security hole!
The following questions arise:
0 - I suppose the first question is: should I be using some other
authentication mechanism rather than shadow for saslauthd? Historically I've
avoided PAM, allowing only SSH server login using certificates, thereby
avoiding the PAM learning curve.
1 - Given that, in the short term, I am getting too old to fully understand
the subtle depths and complexities of selinux, how far should I trust the
resulting saslpol.te above?
2 - Is it possible to determine what other actions sys_nice, dac_read_search,
dac_override get allowed for saslauthd?
3 - Should I test that my saslpol is the minimum required, for example by
including each capability target one at a time and in combination, and
testing the results at each step?
I hope that's not too many questions in one post. Thanks in advance, Charles
Bradshaw
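One way to approach questions 1 and 3 (how far to trust the generated module, and whether it is minimal) is to keep the raw AVC denials that drove each allow rule and compare a candidate .te against them, so that any permission the module grants that no denial ever asked for stands out. The script below is an added example for this thread, not audit2allow and not code from the original post or from cyrus-sasl; it only understands the one-line AVC record format shown, and the audit records, the candidate module (the thread's rules plus a deliberately unjustified `chown`) and the `saslpol` module name are constructed for the example.

```python
"""Reduce audit.log AVC denials to the minimal allow rules they justify, and
report any permission a candidate .te module grants that no denial asked for.
Added example for this thread; not audit2allow. Handles only the simple
one-line AVC record format used in SAMPLE_AUDIT_LOG below."""
import re
from collections import defaultdict

# Constructed sample records in audit.log style (not from the poster's server):
# the four saslauthd_t denials the thread's saslpol.te answers, one denial from
# an unrelated domain (httpd_t), and one non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1340000000.101:201): avc:  denied  { dac_read_search } for  pid=1234 comm="saslauthd" capability=2  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1340000000.102:202): avc:  denied  { dac_override } for  pid=1234 comm="saslauthd" capability=1  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1340000000.103:203): avc:  denied  { sys_nice } for  pid=1234 comm="saslauthd" capability=23  scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=capability
type=AVC msg=audit(1340000000.104:204): avc:  denied  { setsched } for  pid=1234 comm="saslauthd" scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=process
type=AVC msg=audit(1340000000.105:205): avc:  denied  { getattr } for  pid=2222 comm="httpd" path="/var/www/html/index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=USER_AUTH msg=audit(1340000000.106:206): pid=1234 uid=0 subj=system_u:system_r:saslauthd_t:s0 msg='op=PAM:authentication acct="foo" exe="/usr/sbin/saslauthd" res=success'
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\w+)'
)
# allow <source> <target>:<class> { p1 p2 };  or  allow <source> <target>:<class> p1;
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;')


def parse_denials(log_text, domain=None):
    """Map (source_type, target, tclass) -> set of denied permissions.
    target is 'self' when source and target types coincide, as in the
    capability/process rules for saslauthd_t. domain restricts the source type."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        stype = m.group('scontext').split(':')[2]   # user:role:type:level -> type
        ttype = m.group('tcontext').split(':')[2]
        if domain and stype != domain:
            continue
        target = 'self' if ttype == stype else ttype
        needed[(stype, target, m.group('tclass'))].update(m.group('perms').split())
    return needed


def parse_allows(te_text):
    """Map (source_type, target, tclass) -> permissions granted by the allow
    rules of a .te module written in the shape audit2allow emits."""
    granted = defaultdict(set)
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        stype, target, tclass, perm_set, perm_one = m.groups()
        granted[(stype, target, tclass)].update(perm_set.split() if perm_set else [perm_one])
    return granted


def excess_permissions(te_text, log_text, domain):
    """Permissions the candidate module grants to `domain` that no logged denial
    asked for. Empty means the module is minimal with respect to that log."""
    needed = parse_denials(log_text, domain)
    excess = {}
    for key, perms in parse_allows(te_text).items():
        if key[0] != domain:
            continue
        extra = perms - needed.get(key, set())
        if extra:
            excess[key] = sorted(extra)
    return excess


def render_te(needed, module_name):
    """Emit a minimal .te module: one allow rule per (source, target, class)."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in needed.items():
        classes[tclass] |= perms
    types = sorted({k[0] for k in needed} | {k[1] for k in needed if k[1] != 'self'})
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out += ["}", ""]
    for key in sorted(needed):
        out.append(f"allow {key[0]} {key[1]}:{key[2]} {{ {' '.join(sorted(needed[key]))} }};")
    return "\n".join(out) + "\n"


# Constructed candidate: the thread's saslpol.te rules plus one capability
# (chown) that no denial justifies, so the check has something to catch.
CANDIDATE_TE = """\
module saslpol 1.0;
require {
\ttype saslauthd_t;
\tclass capability { sys_nice dac_read_search dac_override chown };
\tclass process setsched;
}
allow saslauthd_t self:capability { sys_nice dac_override dac_read_search chown };
allow saslauthd_t self:process setsched;
"""

if __name__ == "__main__":
    print(render_te(parse_denials(SAMPLE_AUDIT_LOG, "saslauthd_t"), "saslpol"))
    print("excess:", excess_permissions(CANDIDATE_TE, SAMPLE_AUDIT_LOG, "saslauthd_t"))
```

Against a real log you would feed it the output of `grep saslauthd /var/log/audit/audit.log` and the .te audit2allow produced. The check only proves minimality relative to the denials that were actually logged, so it is only as good as the coverage of the permissive-mode test run (every authentication path saslauthd will use in production has to be exercised before the log is taken). For question 2, what a capability such as dac_override lets a domain do is a property of the kernel capability, not of the policy: it bypasses file permission checks for everything saslauthd_t can otherwise reach, so the question to ask the policy is which file types that domain is already allowed to touch (setools' `sesearch -A -s saslauthd_t` lists the existing allow rules for the domain).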