Lukas Vrabec writes:
For some reason courierlogger runs as unconfined_service_t. Can you describe the flow of how the binaries are executed? Also, can you attach the systemd unit file executing this service?
The starting point is this unit file: https://github.com/svarshavchik/courier/blob/master/courier/courier.service.in

The @datadir@ placeholder is /usr/lib/courier/share. The courier.sysvinit script is this one: https://github.com/svarshavchik/courier/blob/master/courier/courier.sysvinit.in

The first of the two problems: the cgi-bin binary that gets blocked from connecting to the AF_UNIX socket that the webmail server is listening on. Line 76 in this courier.sysvinit script runs the webmaild script:

https://github.com/svarshavchik/courier/blob/master/courier/courier/webmaild.in

Line 41 of this script executes @courierlogger@, which is going to be /usr/sbin/courierlogger:
-rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296 May 9 23:19 /usr/sbin/courierlogger
As directed by the command on line 41, courierlogger forks and execs /usr/lib/courier/libexec/courier/sqwebmaild, which is:
-r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 1002664 May 10 01:14 /usr/lib/courier/libexec/courier/sqwebmaild
After fork/execing this, courierlogger drops root and runs as daemon uid/gid from this point on.
Meanwhile, the sqwebmaild binary creates this socket:

srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 11 20:10 /var/spool/courier/sqwebmail.sock

And apache executes this:

r-xr-xr-x. 1 root bin system_u:object_r:httpd_sys_script_exec_t:s0 31464 May 10 01:14 /var/www/cgi-bin/webmail

which gets an AVC connecting to /var/spool/courier/sqwebmail.sock

The other issue is the SIGTERM/SIGKILL to the courierlogger processes getting blocked.
Line 173 of the same courier.sysvinit script, that runs from this unit file, executes this imapd script:
https://github.com/svarshavchik/courier/blob/master/courier/courier/imapd.rc.in

This one, on line 54, also runs courierlogger, and this instance forks and execs the imapd process (also dropping root after forking off the child process).

The imapd rpm's subpackage's %preun:

    if test "$1" = "0"
    then
        /usr/lib/courier/sbin/imapd stop
        /usr/lib/courier/sbin/imapd-ssl stop
    fi

This ends up executing

    @courierlogger@ -pid=$PIDFILE -stop

from line 63 of the same imapd(.rc) script, which executes the same courierlogger binary. This instance opens a pid file that has the pid of the daemon instance of courierlogger that's currently running, and attempts to SIGINT/SIGKILL it.

It opens and reads the pid file without issues and gets the pid, but the SIGINT/SIGKILL gets blocked.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
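A triage helper for the two denials described in the message above, added here as an example and not part of the original thread or the Courier project: it parses audit AVC lines (the sample records are constructed; their timestamps, pids and the rpm_script_t source domain are assumptions), merges them the way audit2allow groups denials, and flags those whose target is unconfined_service_t, since such a denial points at a daemon that never made its domain transition rather than at a missing allow rule.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the two denials in the thread:
# the cgi-bin binary connecting to sqwebmail.sock, and a signal sent to the
# running courierlogger. Timestamps, pids and rpm_script_t are assumptions.
SAMPLE_AVCS = """\
type=AVC msg=audit(1557600000.101:201): avc:  denied  { connectto } for  pid=4321 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1557600000.102:202): avc:  denied  { sigkill } for  pid=4400 comm="courierlogger" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=AVC msg=audit(1557600000.103:203): avc:  denied  { signal } for  pid=4400 comm="courierlogger" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def seltype(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Parse AVC denial lines into dicts; non-denial audit lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "stype": seltype(m["scontext"]),
            "ttype": seltype(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": frozenset(m["perms"].split()),
        })
    return records

def summarize(records):
    """Merge denials into (source type, target type, class) -> permissions,
    the grouping audit2allow uses when it proposes allow rules."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {k: frozenset(v) for k, v in merged.items()}

def unconfined_target_keys(summary):
    """Keys whose target is unconfined_service_t: the daemon on that side never
    transitioned into its own domain, so check the transition rule for its
    executable's type before writing an allow rule against this target."""
    return sorted(k for k in summary if k[1] == "unconfined_service_t")

if __name__ == "__main__":
    s = summarize(parse_avcs(SAMPLE_AVCS))
    for (src, tgt, cls), perms in s.items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    print("targets still in unconfined_service_t:", unconfined_target_keys(s))
```

Feed it real records with `ausearch -m AVC` output in place of the constructed sample.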