Issues with the include/contrib/courier.if policy

Fedora's selinux package has a contributed policy for Courier, include/contrib/courier.if, which has two issues (that I found so far) with my upstream rpm packages. My rpm packages have worked this way for a long time, probably 15+ years or so; this is not a recent change. The only thing that changed is that I actually tried to run in enforcing mode late last year, and ran into this. I'm picking this issue up now, for one last college try to figure out the fix.

I couldn't figure out how courier.if works; so last time, after doing some random reading, I was able to come up with a band-aid for the first issue. The rpm package installs a binary in /var/www/cgi-bin that talks to the running webmail daemon over an AF_UNIX socket. selinux's policy was labeling the /var/www/cgi-bin binary, and blocking its socket connection. The band-aid was this additional local policy:

policy_module(courier_webmail, 1.0)

require {
	type httpd_sys_script_t;   # domain of the CGI binary in /var/www/cgi-bin
	type courier_spool_t;      # label on /var/spool/courier and the socket in it
};

# Let the webmail CGI look up and use the sqwebmail socket in the Courier spool.
allow httpd_sys_script_t courier_spool_t:dir search_dir_perms;
allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms;

That seemed innocent enough. But I revisited the entire package this week, and found two more issues.

The first one is an additional AVC that was now blocking the same webmail binary:

type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

This was new; I could not figure out why the target context was unconfined, because:

[root@jack ~]# ls -alZ /var/spool/courier/sqwebmail.sock
srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 10 01:15 /var/spool/courier/sqwebmail.sock

As a band-aid on top of the first band-aid, I added

allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto;

to the local policy, to get it working. But this doesn't seem ideal.

The second issue was that an individual uninstall of one of the rpm subpackages was hanging. selinux was blocking a signal sent by a binary that %preun runs. The signal is sent to the running process:

type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0

and

type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0

The main rpm package's systemd unit runs a startup script that inventories which subpackages are installed, and starts each one's service. Manually uninstalling an rpm subpackage executes a %preun that stops just its own service, and this part is getting blocked. The binary that sends the signal appears to be labeled by the contributed Fedora policy:

-rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296 May 9 23:19 /usr/sbin/courierlogger

The binary is trying to send a signal to one of these processes:

system_u:system_r:unconfined_service_t:s0 root 780748 780747 0 01:15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd [parameters]

-r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 142456 May 10 01:14 /usr/lib/courier/sbin/couriertcpd

I could avoid this by running systemctl stop in %preun and systemctl start in %postun, I suppose. Startup and shutdown, which send the same signal via the same binary, seem to work when the main rpm package runs systemctl stop. But doing it this way stops and restarts everything when a single subpackage gets removed, which is not ideal.
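As an added example that is not part of the original post, the following Python 3 script (standard library only) parses the three AVC records quoted above, aggregates them by source type, target type and object class the way audit2allow does, and flags every denial whose target is unconfined_service_t. That target type is the point to watch: on Fedora a service that systemd starts from a bin_t executable (as couriertcpd is labeled above) runs in that catch-all domain, so a rule such as allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto; applies to every unconfined service on the host, not only Courier's.

```python
import re
from collections import defaultdict

# The three denials quoted in the post above, copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0',
]

_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")   # "{ connectto }"
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value / key="value"

def parse_avc(line):
    """Split one AVC record into its key=value fields plus the denied perms.
    The type is the third colon-separated element of a context (user:role:type:range)."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    rec["perms"] = m.group(1).split()
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Aggregate like audit2allow: (source type, target type, class) -> set of perms."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(groups)

def unconfined_targets(lines):
    """Denials whose target is unconfined_service_t. A daemon started by systemd from
    a bin_t executable, with no domain transition defined for it, lands in that domain,
    so an allow rule written against it covers every such service, not just this one."""
    hits = set()
    for line in lines:
        rec = parse_avc(line)
        if rec["ttype"] == "unconfined_service_t":
            hits.update((rec["stype"], rec["tclass"], p) for p in rec["perms"])
    return sorted(hits)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(AVC_LINES).items()):
        print(f"{src} -> {tgt}: {cls} {{ {' '.join(sorted(perms))} }}")
    print("denials with an unconfined target:", unconfined_targets(AVC_LINES))
```

Feeding it the output of ausearch -m avc instead of the embedded lines shows at a glance which denials are really about a daemon that never entered a confined domain, rather than a missing Courier rule.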


selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx