Re: Issues with the include/contrib/courier.if policy


On 5/10/20 3:20 PM, Sam Varshavchik wrote:
> Fedora's selinux package has a contributed policy for Courier,
> include/contrib/courier.if, which has two issues (that I found so far)
> with my upstream rpm packages. My rpm packages have worked this way for
> a long time, probably 15+ years, or so, this is not a recent change. The
> only thing that changed is that I actually tried to run in enforcing
> mode late last year, and ran into this. I'm picking this issue up now,
> for one last college try to figure out the fix.
> 
> I couldn't figure out how courier.if works; so last time after doing
> some random reading, I was able to come up with a band-aid for the first
> issue. The rpm package installs a binary in /var/www/cgi-bin that talks
> to the running webmail daemon over an AF_Unix socket. selinux's policy
> was labeling the /var/www/cgi-bin binary, and blocking its socket
> connection. The band-aid was this additional local policy:
> 
> # Local band-aid module (refpolicy style; the selinux-policy-devel Makefile
> # expands the *_perms permission-set macros used below).
> policy_module(courier_webmail, 1.0)
> 
> require {
>     type httpd_sys_script_t;
>     type courier_spool_t;
> };
> 
> # Let the CGI domain search the spool directory and create/write the socket
> # file in it. Note that connecting to a Unix socket also needs connectto on
> # the *peer process'* unix_stream_socket, which is a separate check.
> allow httpd_sys_script_t courier_spool_t:dir search_dir_perms;
> allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms;
> 
> That seemed innocent enough. But I revisited the entire package this
> week, and found two more issues.
> 
> The first one is an additional AVC that was now blocking the same
> webmail binary:
> 
> type=AVC msg=audit(1589086763.118:1319): avc:  denied  { connectto }
> for  pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock"
> scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0
> tclass=unix_stream_socket permissive=0
> 
> This was new, I could not figure out why the target context was
> unconfined, because:
> 
> [root@jack ~]# ls -alZ /var/spool/courier/sqwebmail.sock
> srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 10
> 01:15 /var/spool/courier/sqwebmail.sock
> 
> As a band-aid on top of the first band-aid, I added
> 
> allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto;
> 
> to the local policy, to get it working. But this doesn't seem ideal.
> 
> The second issue was that an individual uninstall of one of the
> rpm-subpackages was hanging. selinux was blocking a signal sent by
> a binary that %preun runs. The signal is sent to the running process:
> 
> type=AVC msg=audit(1589082060.526:1156): avc:  denied  { signal } for 
> pid=672912 comm="courierlogger"
> scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
> permissive=0
> 
> and
> 
> type=AVC msg=audit(1589082160.527:1172): avc:  denied  { sigkill } for 
> pid=672912 comm="courierlogger"
> scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
> permissive=0
> 
> The main rpm package's systemd unit runs a startup script that
> inventories which subpackages are installed, and starts each one's
> service. Manually uninstalling an rpm subpackage executes a %preun that
> stops just its own service, and this part is getting blocked. The binary
> that sends the signal appears to be labeled by the contributed Fedora
> policy:
> 
> rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296
> May  9 23:19 /usr/sbin/courierlogger
> 
> The binary is trying to send a signal to one of these processes:
> 
> system_u:system_r:unconfined_service_t:s0 root 780748 780747  0 01:15
> ?    00:00:00 /usr/lib/courier/sbin/couriertcpd [parameters]
> 
> r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 142456 May 10
> 01:14 
> 
> I could avoid this by systemctl stop in %preun and systemctl start
> in %postun, I suppose. Startup and shutdown, which sends the same signal
> via the same binary, seems to work when the main rpm package runs
> systemctl stop. But doing it this way stops and restarts everything when
> a single subpackage gets removed, this is not ideal.
> 

Hi,

Thank you for reporting this issue to us.

Can you please run the following commands before you reproduce the scenario again:

# chcon -t courier_exec_t /usr/lib/courier/sbin/couriertcpd
# dnf install selinux-policy-devel -y
$ cat httpd_courier.te
policy_module(httpd_courier, 1.0)
gen_require(`
    type httpd_sys_script_t;
    type courier_spool_t;
    type system_mail_t;
')

# stream_connect_pattern(client_domain, socket_dir_type, socket_file_type, server_domain)
# expands to search on the dir, write on the sock_file, and connectto on the
# server domain's unix_stream_socket: the full set of permissions a client
# needs to connect to a Unix stream socket, in one interface call.
stream_connect_pattern(httpd_sys_script_t, courier_spool_t, courier_spool_t, system_mail_t)

# make -f /usr/share/selinux/devel/Makefile httpd_courier.pp
# semodule -i httpd_courier.pp

### reproduce the scenario

And attach output of:
# ausearch -m AVC -ts today


Thanks,
Lukas.


> 
> 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
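The AVCs quoted in this thread all share one feature: the target context is unconfined_service_t, even though the socket file itself is courier_spool_t. That is the context of the peer *process*, and /usr/lib/courier/sbin/couriertcpd was labeled bin_t, so systemd started it in unconfined_service_t rather than a Courier domain, which is why the first command in the reply above relabels it. An allow rule naming unconfined_service_t is much broader than it looks: it would let any httpd_sys_script_t CGI connect to the Unix socket of every unconfined service, and let system_mail_t signal every unconfined service. The script below is an added example, not code from the thread, from Courier or from the Fedora policy. It parses AVC lines (the three denials above, re-joined onto one line each, serve as constructed sample input), merges them into allow rules the way audit2allow does, and renders a local .te in the policy_module/require form used by the band-aid, but comments out any rule whose target is an unconfined domain and reports that the peer's executable should be relabeled instead. All function, constant and file names are the example's own.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC denials: merge them into allow rules (as audit2allow
does) and flag the ones whose target domain is unconfined, where the better
fix is to label the peer's executable rather than to widen policy."""
import re
import sys
from collections import defaultdict

# Constructed sample input: the three denials quoted in the thread, re-joined
# onto one line each. Real input is the output of `ausearch -m AVC -ts today`.
SAMPLE_AVC = """\
type=AVC msg=audit(1589086763.118:1319): avc:  denied  { connectto } for  pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1589082060.526:1156): avc:  denied  { signal } for  pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=AVC msg=audit(1589082160.527:1172): avc:  denied  { sigkill } for  pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# A peer in one of these domains is not confined at all. An allow rule naming
# it grants the source domain that access to *every* unconfined process, so
# the narrower fix is to give the peer's executable its own type (in the
# thread: chcon -t courier_exec_t on couriertcpd, then a matching fcontext).
UNCONFINED_TARGETS = {"unconfined_service_t", "unconfined_t"}


def _type_of(context):
    # user:role:type[:range] -> type
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC line: perms, comm, path, source/target type, class."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "perms": set(m.group("perms").split()),
            "comm": fields.get("comm"),
            "path": fields.get("path"),
            "source": _type_of(fields["scontext"]),
            "target": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into allow statements."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items(), key=lambda kv: kv[0]):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def relabel_candidates(denials):
    """Target domains that indicate a mislabeled peer executable."""
    return sorted({d["target"] for d in denials if d["target"] in UNCONFINED_TARGETS})


def te_module(name, denials):
    """Render a complete local .te; rules against unconfined peers are emitted
    commented out so they are not installed by accident."""
    types = sorted({d["source"] for d in denials} | {d["target"] for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items(), key=lambda kv: kv[0])]
    out += ["}", ""]
    for rule in allow_rules(denials):
        target = rule.split()[2].split(":")[0]
        if target in UNCONFINED_TARGETS:
            out.append(f"# {target} peer: relabel its executable instead of allowing this")
            rule = "# " + rule
        out.append(rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # With no piped input, fall back to the constructed sample above.
    text = SAMPLE_AVC if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_avc(text)
    print(te_module("courier_local", parsed), end="")
    for t in relabel_candidates(parsed):
        print(f"# relabel hint: {t} peer; run ls -Z on its executable", file=sys.stderr)
```

Saved as avc_triage.py (name assumed), it can be fed with `ausearch -m AVC -ts today | python3 avc_triage.py`. After the chcon in the reply above, the expected change is that the tcontext in fresh denials stops being unconfined_service_t and becomes a Courier domain, at which point the remaining rules are narrow enough to install, or are better expressed through the courier.if interfaces as the reply does with stream_connect_pattern.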


