Re: Issues with the include/contrib/courier.if policy

Hi Sam,

It looks like there is missing file context definition for files in
/usr/lib/courier/libexec/

Can you please try to label the whole directory as "courier_exec_t"?

# semanage fcontext -a -t courier_exec_t /usr/lib/courier/libexec(/.*)?
# restorecon -Rv /usr/lib/courier

Can you then reproduce your scenario?

Thanks,
Lukas.


On 5/12/20 11:54 PM, Sam Varshavchik wrote:
> Lukas Vrabec writes:
> 
>>
>> For some reason courierlogger runs as unconfined_service_t.
>>
>> Can you describe the flow of how the binaries are executed? Also, can you
>> attach the systemd unit file executing this service?
> 
> The starting point is this unit file:
> 
> https://github.com/svarshavchik/courier/blob/master/courier/courier.service.in
> 
> 
> The @datadir@ placeholder is /usr/lib/courier/share
> 
> The courier.sysvinit script is this one:
> 
> https://github.com/svarshavchik/courier/blob/master/courier/courier.sysvinit.in
> 
> 
> The first of the two problems: the cgi-bin binary that gets blocked from
> connecting to the AF_UNIX socket that the webmail server is listening
> on. Line 76 in this courier.sysvinit script runs the webmaild script:
> 
> https://github.com/svarshavchik/courier/blob/master/courier/courier/webmaild.in
> 
> 
> Line 41 of this script executes @courierlogger@, which is going to be
> /usr/sbin/courierlogger
> 
> -rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296
> May  9 23:19 /usr/sbin/courierlogger
> 
> As directed by the command on line 41, courierlogger forks and execs
> /usr/lib/courier/libexec/courier/sqwebmaild, which is:
> 
> -r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 1002664 May 10
> 01:14 /usr/lib/courier/libexec/courier/sqwebmaild
> 
> After fork/execing this, courierlogger drops root and runs as daemon
> uid/gid from this point on.
> 
> Meanwhile, the sqwebmaild binary creates this socket:
> 
> srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 11
> 20:10 /var/spool/courier/sqwebmail.sock
> 
> And apache executes this:
> 
> r-xr-xr-x. 1 root bin system_u:object_r:httpd_sys_script_exec_t:s0 31464
> May 10 01:14 /var/www/cgi-bin/webmail
> 
> which gets an AVC connecting to /var/spool/courier/sqwebmail.sock
> 
> The other issue is the SIGTERM/SIGKILL to the courierlogger processes
> getting blocked.
> 
> Line 173 of the same courier.sysvinit script, that runs from this unit
> file, executes this imapd script:
> 
> https://github.com/svarshavchik/courier/blob/master/courier/courier/imapd.rc.in
> 
> 
> This one, on line 54, also runs courierlogger, and this instance forks
> and execs the imapd process (also dropping root after forking off the
> child process).
> 
> The imapd rpm's subpackage's %preun:
> 
> if test "$1" = "0"
> then
>     /usr/lib/courier/sbin/imapd stop
>     /usr/lib/courier/sbin/imapd-ssl stop
> fi
> 
> This ends up executing
> 
> @courierlogger@ -pid=$PIDFILE -stop
> 
> from line 63 of the same imapd(.rc) script, which executes the same
> courierlogger binary. This instance opens a pid file that has the pid of
> the daemon instance of courierlogger that's currently running, and
> attempts to SIGINT/SIGKILL it.
> 
> It opens and reads the pid file without issues and gets the pid; the
> sigint/sigkill gets blocked.
> 
> 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
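As an added example (not code from this thread, from Courier, or from the Fedora policy), a small POSIX sh script that applies Lukas's check to listings of the kind Sam quoted: it parses `ls -Z` style lines, flags anything under /usr/lib/courier/libexec whose SELinux type is not courier_exec_t, and prints the semanage/restorecon remediation from the reply above. The listing is a constructed sample modelled on the quoted output, and the imapd path in it is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread: check Courier libexec binaries for
# file contexts that are not courier_exec_t (the type Lukas asks Sam to apply).

EXPECTED_TYPE="courier_exec_t"
LIBEXEC_DIR="/usr/lib/courier/libexec"

# Constructed sample listing, modelled on the `ls -Z` lines quoted by Sam.
# The imapd line is an assumption added for illustration.
SAMPLE_LISTING='-rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296 May  9 23:19 /usr/sbin/courierlogger
-r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 1002664 May 10 01:14 /usr/lib/courier/libexec/courier/sqwebmaild
-r-xr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 4096 May 10 01:14 /usr/lib/courier/libexec/courier/imapd'

# seltype CONTEXT: print the type component (user:role:TYPE:level) of a context.
seltype() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled_paths: read `ls -Z` lines on stdin and print every path under
# LIBEXEC_DIR whose type differs from EXPECTED_TYPE. Field 5 is the security
# context; the path is the last whitespace-separated field (no spaces in paths).
mislabeled_paths() {
    while read -r _perm _links _user _group ctx _rest; do
        path="${_rest##* }"
        case "$path" in
            "$LIBEXEC_DIR"/*)
                if [ "$(seltype "$ctx")" != "$EXPECTED_TYPE" ]; then
                    printf '%s\n' "$path"
                fi
                ;;
        esac
    done
}

# suggest_fix: print the persistent relabel Lukas proposed (fcontext rule for
# the directory tree, then restorecon over the parent directory).
suggest_fix() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$EXPECTED_TYPE" "$LIBEXEC_DIR"
    printf 'restorecon -Rv %s\n' "$(dirname "$LIBEXEC_DIR")"
}

# Stand-alone run: report mislabeled paths in the sample, then the remediation.
printf '%s\n' "$SAMPLE_LISTING" | mislabeled_paths
suggest_fix
```

On a live system, replace the constructed listing with `ls -lZ` output of the directory (run as a user allowed to read the labels) before trusting the report.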
