Gordon Messmer writes:
On 5/9/20 9:45 PM, Sam Varshavchik wrote:Raw Audit Messagestype=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0I've filed bug reports on this in the past, but only successfully got the bug fixed in RHEL:https://bugzilla.redhat.com/show_bug.cgi?id=1161812The problem isn't that rpm scripts run in a confined domain, but that "courierlogger" is labelled, and transitions to that domain whenever it is run. The solution is to label courier binaries as "bin_t" so they aren't confined (until someone provides a policy for Courier).
Well, someone provided /usr/share/selinux/devel/include/contrib/courier.if at some point in the past, except that it's got several problems. This is just one of them. The other one is /var/www/cgi-bin/webmail getting blocked from connecting to the socket that the webmail server is listening on. The rpm packages have worked the way they're working for a long, long time, about 10+ years.
Attachment:
pgpVO7BuVT_n2.pgp
Description: PGP signature
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
