On 5/10/20 3:20 PM, Sam Varshavchik wrote:
> Fedora's selinux package has a contributed policy for Courier,
> include/contrib/courier.if, which has two issues (that I found so far)
> with my upstream rpm packages. My rpm packages have worked this way for
> a long time, probably 15+ years or so; this is not a recent change. The
> only thing that changed is that I actually tried to run in enforcing
> mode late last year, and ran into this. I'm picking this issue up now,
> for one last college try to figure out the fix.
>
> I couldn't figure out how courier.if works; so last time, after doing
> some random reading, I was able to come up with a band-aid for the first
> issue. The rpm package installs a binary in /var/www/cgi-bin that talks
> to the running webmail daemon over an AF_UNIX socket. selinux's policy
> was labeling the /var/www/cgi-bin binary, and blocking its socket
> connection. The band-aid was this additional local policy:
>
> policy_module(courier_webmail, 1.0)
>
> require {
>         type httpd_sys_script_t;
>         type courier_spool_t;
> };
>
> allow httpd_sys_script_t courier_spool_t:dir search_dir_perms;
> allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms;
>
> That seemed innocent enough. But I revisited the entire package this
> week, and found two more issues.
>
> The first one is an additional AVC that was now blocking the same
> webmail binary:
>
> type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto }
> for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock"
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0
> tclass=unix_stream_socket permissive=0
>
> This was new; I could not figure out why the target context was
> unconfined, because:
>
> [root@jack ~]# ls -alZ /var/spool/courier/sqwebmail.sock
> srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 10
> 01:15 /var/spool/courier/sqwebmail.sock
>
> As a band-aid on top of the first band-aid, I added
>
> allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto;
>
> to the local policy, to get it working. But this doesn't seem ideal.
>
> The second issue was that an individual uninstall of one of the
> rpm subpackages was hanging. selinux was blocking a signal sent by the
> binary that %preun runs. The signal is sent to the running process:
>
> type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for
> pid=672912 comm="courierlogger"
> scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
> permissive=0
>
> and
>
> type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for
> pid=672912 comm="courierlogger"
> scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
> permissive=0
>
> The main rpm package's systemd unit runs a startup script that
> inventories which subpackages are installed, and starts each one's
> service. Manually uninstalling an rpm subpackage executes a %preun that
> stops just its own service, and this part is getting blocked. The binary
> that sends the signal appears to be labeled by the contributed Fedora
> policy:
>
> rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296
> May 9 23:19 /usr/sbin/courierlogger
>
> The binary is trying to send a signal to one of these processes:
>
> system_u:system_r:unconfined_service_t:s0 root 780748 780747 0 01:15
> ? 00:00:00 /usr/lib/courier/sbin/couriertcpd [parameters]
>
> r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 142456 May 10
> 01:14
>
> I could avoid this by systemctl stop in %preun and systemctl start
> in %postun, I suppose. Startup and shutdown, which sends the same signal
> via the same binary, seems to work when the main rpm package runs
> systemctl stop. But doing it this way stops and restarts everything when
> a single subpackage gets removed; this is not ideal.
>

Hi,

Thank you for reporting this issue to us.

Could you please run the following commands before you reproduce the scenario again:

# chcon -t courier_exec_t /usr/lib/courier/sbin/couriertcpd
# dnf install selinux-policy-devel -y

$ cat httpd_courier.te
policy_module(httpd_courier, 1.0)

gen_require(`
        type httpd_sys_script_t;
        type courier_spool_t;
        type system_mail_t;
')

stream_connect_pattern(httpd_sys_script_t, courier_spool_t, courier_spool_t, system_mail_t)

# make -f /usr/share/selinux/devel/Makefile httpd_courier.pp
# semodule -i httpd_courier.pp

### reproduce the scenario

And attach output of:

# ausearch -m AVC -ts today

Thanks,
Lukas.

>
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx

-- 
Lukas Vrabec
SELinux Evangelist, Senior Software Engineer, Security Technologies
Red Hat, Inc.
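The denials above share one telltale: every target context is unconfined_service_t, which is where a systemd-started service lands when its executable carries a generic label (bin_t, as the couriertcpd listing shows) and so never transitions into its own domain. That is why the reply starts with chcon rather than with another allow rule. The following triage script is an added example written for this thread, not code from either participant or from the Courier or selinux-policy projects: it parses AVC records, renders the rule audit2allow would propose for comparison, and flags records whose target is unconfined_service_t as a labeling problem rather than a policy gap. The first three sample records are the ones quoted in the thread re-flowed onto one line each; the fourth is constructed to show the contrasting case.

```python
import re
from collections import Counter

# Constructed sample input: the three denials quoted in the thread, re-flowed
# onto one line each as they appear in audit.log, plus one made-up denial
# against a courier_spool_t socket file for contrast.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for '
    'pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for '
    'pid=672912 comm="courierlogger" '
    'scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process '
    'permissive=0',
    'type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for '
    'pid=672912 comm="courierlogger" '
    'scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process '
    'permissive=0',
    # Constructed (not from the thread): a denial between two confined types.
    'type=AVC msg=audit(1589086700.000:1300): avc: denied { write } for '
    'pid=674413 comm="webmail" name="sqwebmail.sock" dev="dm-0" ino=12345 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:courier_spool_t:s0 '
    'tclass=sock_file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for a non-AVC line.

    Adds 'scontext_type' / 'tcontext_type' (the third field of a
    user:role:type[:range] context), since that is what policy rules key on.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def audit2allow_rule(rec):
    """Render the allow rule audit2allow would propose for this record.

    Shown for comparison only: when the target is unconfined_service_t this
    is the 'band-aid' from the thread, not the fix.
    """
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm_str)


def triage(rec):
    """Classify a denial.

    'mislabel': the target runs as unconfined_service_t, which is where a
        systemd-started service typically lands when its executable has a
        generic label (bin_t in the thread) and so gets no domain transition.
        Relabel the executable (chcon -t <domain>_exec_t for a quick test,
        semanage fcontext to make it persistent) instead of allowing access
        to unconfined_service_t.
    'policy': both sides are confined types; a targeted allow rule or an
        interface call such as stream_connect_pattern() is the right tool.
    """
    if rec is None or rec["result"] != "denied":
        return None
    if rec["tcontext_type"] == "unconfined_service_t":
        return "mislabel"
    return "policy"


def summarize(lines):
    """Count denials by (source type, target type, object class, verdict)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        verdict = triage(rec)
        if verdict is not None:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], verdict)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        rec = parse_avc(line)
        print("%-9s comm=%-14s %s" % (triage(rec), rec.get("comm"), audit2allow_rule(rec)))
```

Run it against real records with `ausearch -m AVC -ts today | python3 avc_triage.py`-style piping by replacing SAMPLE_AVCS with stdin; the verdict column is the point. A "mislabel" verdict means the allow rule printed beside it would grant the source domain access to every unconfined service on the host, which is exactly why the thread's second band-aid felt wrong, and the corrective action is the relabel step in the reply (chcon for the test, then a permanent fcontext entry so the label survives a restorecon).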