On 5/10/20 3:20 PM, Sam Varshavchik wrote:
Fedora's selinux package has a contributed policy for Courier, include/contrib/courier.if, which has two issues (that I found so far) with my upstream rpm packages. My rpm packages have worked this way for a long time, probably 15+ years or so; this is not a recent change. The only thing that changed is that I actually tried to run in enforcing mode late last year, and ran into this. I'm picking this issue up now, for one last college try to figure out the fix.
I couldn't figure out how courier.if works; so last time after doing some random reading, I was able to come up with a band-aid for the first issue. The rpm package installs a binary in /var/www/cgi-bin that talks to the running webmail daemon over an AF_Unix socket. selinux's policy was labeling the /var/www/cgi-bin binary, and blocking its socket connection. The band-aid was this additional local policy:
policy_module(courier_webmail, 1.0)

require {
    type httpd_sys_script_t;
    type courier_spool_t;
};

allow httpd_sys_script_t courier_spool_t:dir search_dir_perms;
allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms;
That seemed innocent enough. But I revisited the entire package this week, and found two more issues.
The first one is an additional AVC that was now blocking the same webmail binary:
type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
This was new; I could not figure out why the target context was unconfined, because:
[root@jack ~]# ls -alZ /var/spool/courier/sqwebmail.sock
srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 10 01:15 /var/spool/courier/sqwebmail.sock
As a band-aid on top of the first band-aid, I added
allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto;
to the local policy, to get it working. But this doesn't seem ideal.
The second issue was that an individual uninstall of one of the rpm subpackages was hanging. selinux was blocking a signal sent by a binary that %preun runs. The signal is sent to the running process:
type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
and
type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
The main rpm package's systemd unit runs a startup script that inventories which subpackages are installed, and starts each one's service. Manually uninstalling an rpm subpackage executes a %preun that stops just its own service, and this part is getting blocked. The binary that sends the signal appears to be labeled by the contributed Fedora policy:
rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296 May 9 23:19 /usr/sbin/courierlogger
The binary is trying to send a signal to one of these processes:
system_u:system_r:unconfined_service_t:s0 root 780748 780747 0 01:15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd [parameters]
r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 142456 May 10 01:14
I could avoid this by systemctl stop in %preun and systemctl start in %postun, I suppose. Startup and shutdown, which sends the same signal via the same binary, seems to work when the main rpm package runs systemctl stop. But doing it this way stops and restarts everything when a single subpackage gets removed, which is not ideal.
Hi,
Thank you for reporting this issue to us.
Can you please run the following commands before you reproduce the scenario again:
# chcon -t courier_exec_t /usr/lib/courier/sbin/couriertcpd
# dnf install selinux-policy-devel -y
$ cat httpd_courier.te
policy_module(httpd_courier, 1.0)

gen_require(`
    type httpd_sys_script_t;
    type courier_spool_t;
    type system_mail_t;
')

stream_connect_pattern(httpd_sys_script_t, courier_spool_t, courier_spool_t, system_mail_t)

# make -f /usr/share/selinux/devel/Makefile httpd_courier.pp
# semodule -i httpd_courier.pp
### reproduce the scenario
And attach the output of:
# ausearch -m AVC -ts today
Thanks, Lukas.
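The three AVC records quoted in the thread can be turned into candidate allow rules mechanically, which is what produced the original band-aid; the added script below (not part of this thread, and a deliberately small stand-in for audit2allow rather than that tool) does that and also flags denials whose target is unconfined_service_t, since those indicate the peer process never entered a confined domain and the fix is relabelling its executable (as the chcon above does), not another allow rule. The sample input is copied from the AVC lines above; the function names are this example's own.

```python
import re
from collections import defaultdict

# The three AVC records from the thread, embedded here as constructed sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
"""

# Pull the permission set, both contexts and the object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms = frozenset(m.group("perms").split())
            yield (context_type(m.group("scontext")), context_type(m.group("tcontext")),
                   m.group("tclass"), perms)

def allow_rules(text):
    """Collapse denials into allow statements, merging permissions per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avcs(text):
        merged[(src, tgt, tclass)] |= perms
    return ["allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))
            for (src, tgt, tclass), perms in sorted(merged.items())]

def unconfined_targets(text):
    """(source_type, tclass) pairs whose target is unconfined_service_t: the peer process has no
    confined domain, so its executable needs a proper label (e.g. courier_exec_t) instead."""
    return sorted({(src, tclass) for src, tgt, tclass, _ in parse_avcs(text)
                   if tgt == "unconfined_service_t"})

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for src, tclass in unconfined_targets(SAMPLE_AVCS):
        print("# %s -> unconfined_service_t (%s): relabel the target's executable" % (src, tclass))
```

Run against the records above it emits the same connectto band-aid rule Sam added by hand, but marks both denials as cases where the target should be confined first.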
selinux mailing list -- selinux@lists.fedoraproject.org