Re: Issues with the include/contrib/courier.if policy

Lukas Vrabec writes:

Hi Sam,

It looks like there is missing file context definition for files in
/usr/lib/courier/libexec/

Can you please try to label whole directory as "courier_exec_t" ?

# semanage fcontext -a -t courier_exec_t /usr/lib/courier/libexec(/.*)?
# restorecon -Rv /usr/lib/courier

Can you then reproduce your scenario?

I tried this after also updating to F32. The resulting relabeling:

Relabeled /usr/lib/courier/libexec from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/sqwebpasswd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/courierd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/aliascreate from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/sqwebmaild from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/submit from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/aliascombine from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/submitmkdir from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/imaplogin from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/makedatprog from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/fax from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/fax/courierfax from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp/courieresmtp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp/addcr from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp/courieresmtpd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/uucp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/uucp/courieruucp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/dsn from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/dsn/courierdsn from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/local from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/local/courierdeliver from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/local/courierlocal from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/aliasexp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/courierfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/pcpd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/perlfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/ratefilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/verifyfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/dupfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0

After a server restart, the result was a slightly different AVC:

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:courier_spool_t:s0
Target Objects                /var/spool/courier [ dir ]
Source                        webmail
Source Path                   webmail
Port                          <Unknown>
Host                          jack
Source RPM Packages
Target RPM Packages           courier-1.0.13.20200509-101.fc32.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.5-38.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-38.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jack
Platform                      Linux jack 5.6.11-300.fc32.x86_64 #1 SMP Wed May 6 19:12:19 UTC 2020 x86_64 x86_64
Alert Count                   8
First Seen                    2020-05-16 21:43:39 EDT
Last Seen                     2020-05-16 22:07:47 EDT
Local ID                      ac01b623-e181-48dc-a097-fea6c8dd27b3

Raw Audit Messages
type=AVC msg=audit(1589681267.341:2551): avc: denied { search } for pid=322657 comm="webmail" name="courier" dev="md125" ino=5901229 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir permissive=0


It's still blocking the same connect() call:

322694 connect(3, {sa_family=AF_UNIX, sun_path="/var/spool/courier/sqwebmail.sock"}, 110) = -1 EACCES (Permission denied)

The original AVC was connectto; it's now search. The directory seems to be labeled:

drwxr-xr-x. 12 bin bin system_u:object_r:courier_spool_t:s0 4096 May 16 22:07 /var/spool/courier

srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 16 22:13 /var/spool/courier/sqwebmail.sock

The other issue – with the SIGINT/SIGKILL from rpm scriptlets getting blocked – still exists too; however, I'll work on changing the scriptlets to use systemctl to restart everything. This is less ideal than just stopping the individual service, but it should work.

The good news is that the relabeling does not appear to have any ill effects. /usr/lib/courier/libexec holds all core executables, so I wanted to spot-check; I spot-checked a few, and they seemed to work, but I haven't checked all of them.

Just to remain in sync on this, I restored the default configuration:

semanage fcontext -d '/usr/lib/courier/libexec(/.*)?'
restorecon -Rv /usr/lib/courier

Thanks,
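To see what the search denial above (and the earlier connectto one) would amount to as policy, here is an added example, not from the thread or from the Courier or selinux-policy projects, that parses raw AVC audit lines into aggregated type-enforcement allow statements the way audit2allow summarises them. The second sample line is constructed; the listener domain "courier_t" in it is a placeholder, not a type taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample audit text: the first line is the search denial quoted
# in the thread, the second is a made-up connectto denial of the kind the
# thread says was seen originally ("courier_t" is a placeholder domain), and
# the third is a non-AVC record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1589681267.341:2551): avc: denied { search } for pid=322657 comm="webmail" name="courier" dev="md125" ino=5901229 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1589600000.000:2400): avc: denied { connectto } for pid=322600 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:courier_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1589681267.341:2551): arch=c000003e syscall=42 success=no exit=-13
"""

# One AVC denial: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) per AVC denial line."""
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], m["perms"].split())

def collect_rules(text):
    """Aggregate denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        rules[(stype, ttype, tclass)].update(perms)
    return rules

def format_te_rules(rules):
    """Render the aggregated denials as sorted type-enforcement allow rules."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    )

if __name__ == "__main__":
    for rule in format_te_rules(collect_rules(SAMPLE_AUDIT)):
        print(rule)
```

The output shows that the web script domain is still separated from the spool directory and the socket's listener; whether the right fix is an allow rule in a local module or a different label on the socket is a decision for after the labels are confirmed correct, as the thread is doing.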

