I couldn't figure out how courier.if works; so last time, after doing some random reading, I was able to come up with a band-aid for the first issue. The rpm package installs a binary in /var/www/cgi-bin that talks to the running webmail daemon over an AF_UNIX socket. selinux's policy was labeling the /var/www/cgi-bin binary, and blocking its socket connection. The band-aid was this additional local policy:

policy_module(courier_webmail, 1.0)

require {
    type httpd_sys_script_t;
    type courier_spool_t;
};

allow httpd_sys_script_t courier_spool_t:dir search_dir_perms;
allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms;

That seemed innocent enough. But I revisited the entire package this week, and found two more issues.
The first one is an additional AVC that was now blocking the same webmail binary:
type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
This was new; I could not figure out why the target context was unconfined, because:

[root@jack ~]# ls -alZ /var/spool/courier/sqwebmail.sock
srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 10 01:15 /var/spool/courier/sqwebmail.sock

As a band-aid on top of the first band-aid, I added

allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto;

to the local policy, to get it working. But this doesn't seem ideal.

The second issue was that an individual uninstall of one of the rpm subpackages was hanging. selinux was blocking a signal sent by the binary that %preun runs. The signal is sent to the running process:
type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
and

type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
The main rpm package's systemd unit runs a startup script that inventories which subpackages are installed, and starts each one's service. Manually uninstalling an rpm subpackage executes a %preun that stops just its own service, and this part is getting blocked. The binary that sends the signal appears to be labeled by the contributed Fedora policy:
rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296 May 9 23:19 /usr/sbin/courierlogger
The binary is trying to send a signal to one of these processes:

system_u:system_r:unconfined_service_t:s0 root 780748 780747 0 01:15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd [parameters]
r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 142456 May 10 01:14 /usr/lib/courier/sbin/couriertcpd
I could avoid this by systemctl stop in %preun and systemctl start in %postun, I suppose. Startup and shutdown, which send the same signal via the same binary, seem to work when the main rpm package runs systemctl stop. But doing it this way stops and restarts everything when a single subpackage gets removed, which is not ideal.
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx