Lukas Vrabec writes:
> Hi Sam,
>
> It looks like there is a missing file context definition for files in /usr/lib/courier/libexec/
> Can you please try to label the whole directory as "courier_exec_t"?
>
> # semanage fcontext -a -t courier_exec_t '/usr/lib/courier/libexec(/.*)?'
> # restorecon -Rv /usr/lib/courier
>
> Can you then reproduce your scenario?
I tried this after also updating to F32. The resulting relabeling:

Relabeled /usr/lib/courier/libexec from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/sqwebpasswd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/courierd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/aliascreate from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/sqwebmaild from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/submit from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/aliascombine from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/submitmkdir from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/imaplogin from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/makedatprog from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/fax from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/fax/courierfax from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp/courieresmtp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp/addcr from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/esmtp/courieresmtpd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/uucp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/uucp/courieruucp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/dsn from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/dsn/courierdsn from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/local from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/local/courierdeliver from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/modules/local/courierlocal from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/aliasexp from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/courierfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/courier/pcpd from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/perlfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/ratefilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/verifyfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
Relabeled /usr/lib/courier/libexec/filters/dupfilter from system_u:object_r:bin_t:s0 to system_u:object_r:courier_exec_t:s0
After a server restart, the result was a slightly different AVC:

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:courier_spool_t:s0
Target Objects                /var/spool/courier [ dir ]
Source                        webmail
Source Path                   webmail
Port                          <Unknown>
Host                          jack
Source RPM Packages
Target RPM Packages           courier-1.0.13.20200509-101.fc32.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.5-38.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-38.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jack
Platform                      Linux jack 5.6.11-300.fc32.x86_64 #1 SMP Wed May 6 19:12:19 UTC 2020 x86_64 x86_64
Alert Count                   8
First Seen                    2020-05-16 21:43:39 EDT
Last Seen                     2020-05-16 22:07:47 EDT
Local ID                      ac01b623-e181-48dc-a097-fea6c8dd27b3

Raw Audit Messages
type=AVC msg=audit(1589681267.341:2551): avc: denied { search } for pid=322657 comm="webmail" name="courier" dev="md125" ino=5901229 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir permissive=0
It's still blocking the same connect() call:

322694 connect(3, {sa_family=AF_UNIX, sun_path="/var/spool/courier/sqwebmail.sock"}, 110) = -1 EACCES (Permission denied)

The original AVC was connectto; it's now search. The directory seems to be labeled:
drwxr-xr-x. 12 bin bin system_u:object_r:courier_spool_t:s0 4096 May 16 22:07 /var/spool/courier
srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 16 22:13 /var/spool/courier/sqwebmail.sock
The other issue – with the SIGINT/SIGKILL from rpm scriptlets getting blocked – still exists too; however I'll work on changing the scriptlets to use systemctl to restart everything. This is less ideal than just stopping the individual service, but it should work.
The good news is that the relabeling does not appear to have any ill effects. /usr/lib/courier/libexec holds all core executables, so I wanted to spot-check; I spot-checked a few and they seemed to work, but I haven't checked all of them.

Just to remain in sync on this, I restored the default configuration:

semanage fcontext -d '/usr/lib/courier/libexec(/.*)?'
restorecon -Rv /usr/lib/courier

Thanks,
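As an added illustration (not part of this thread, and not Courier or Fedora code), here is a small parser for the raw `type=AVC` line quoted above that turns denials into audit2allow-style `allow` rules, merging permissions per (source type, target type, class) the way a local policy module would need them. The `search` line is the one from the message; the `connectto` line is a constructed stand-in for the earlier denial Sam mentions, and its `courier_t` target context is an assumption, since the original line is not in the thread.

```python
import re

# AVC line copied from the sealert output quoted in the message above.
AVC_SEARCH = ('type=AVC msg=audit(1589681267.341:2551): avc: denied { search } for '
              'pid=322657 comm="webmail" name="courier" dev="md125" ino=5901229 '
              'scontext=system_u:system_r:httpd_sys_script_t:s0 '
              'tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir permissive=0')

# Constructed line for the earlier connectto denial; the listening daemon's
# context (courier_t) is an ASSUMPTION, not a value taken from the thread.
AVC_CONNECTTO = ('type=AVC msg=audit(1589680000.000:2500): avc: denied { connectto } for '
                 'pid=322600 comm="webmail" path="/var/spool/courier/sqwebmail.sock" '
                 'scontext=system_u:system_r:httpd_sys_script_t:s0 '
                 'tcontext=system_u:system_r:courier_t:s0 '
                 'tclass=unix_stream_socket permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_avc(line):
    """Return (perms, scontext, tcontext, tclass, other_fields) for one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: ' + line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    perms = tuple(m.group('perms').split())
    return perms, fields.pop('scontext'), fields.pop('tcontext'), fields.pop('tclass'), fields


def context_type(ctx):
    """user:role:type:level -> type (the part a TE allow rule refers to)."""
    return ctx.split(':')[2]


def merge_rules(lines):
    """Collapse many denials into one allow rule per (stype, ttype, tclass)."""
    merged = {}
    for line in lines:
        perms, sctx, tctx, tclass, _ = parse_avc(line)
        key = (context_type(sctx), context_type(tctx), tclass)
        merged.setdefault(key, set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        ptxt = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {ptxt};')
    return rules
```

Before turning the output into a module, compare the target context against what `matchpathcon` says the path should carry: a denial against a mislabeled object is fixed by relabeling, not by widening the policy.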