On 5/10/20 3:20 PM, Sam Varshavchik wrote:
Fedora's selinux package has a contributed policy for Courier,
include/contrib/courier.if, which has two issues (that I found so far)
with my upstream rpm packages. My rpm packages have worked this way for
a long time, probably 15+ years or so; this is not a recent change. The
only thing that changed is that I actually tried to run in enforcing
mode late last year, and ran into this. I'm picking this issue up now,
for one last college try to figure out the fix.
I couldn't figure out how courier.if works, so last time, after doing
some random reading, I was able to come up with a band-aid for the first
issue. The rpm package installs a binary in /var/www/cgi-bin that talks
to the running webmail daemon over an AF_Unix socket. selinux's policy
was labeling the /var/www/cgi-bin binary, and blocking its socket
connection. The band-aid was this additional local policy:
policy_module(courier_webmail, 1.0)
require {
type httpd_sys_script_t;
type courier_spool_t;
};
allow httpd_sys_script_t courier_spool_t:dir search_dir_perms;
allow httpd_sys_script_t courier_spool_t:sock_file manage_sock_file_perms;
That seemed innocent enough. But I revisited the entire package this
week, and found two more issues.
The first one is an additional AVC that was now blocking the same
webmail binary:
type=AVC msg=audit(1589086763.118:1319): avc: denied { connectto } for pid=674413 comm="webmail" path="/var/spool/courier/sqwebmail.sock" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
This was new, I could not figure out why the target context was
unconfined, because:
[root@jack ~]# ls -alZ /var/spool/courier/sqwebmail.sock
srwxrwxrwx. 1 root root system_u:object_r:courier_spool_t:s0 0 May 10 01:15 /var/spool/courier/sqwebmail.sock
As a band-aid on top of the first band-aid, I added
allow httpd_sys_script_t unconfined_service_t:unix_stream_socket connectto;
to the local policy, to get it working. But this doesn't seem ideal.
The second issue was that an individual uninstall of one of the
rpm-subpackages was hanging. selinux was blocking a signal sent by the
binary that %preun runs. The signal is sent to the running process:
type=AVC msg=audit(1589082060.526:1156): avc: denied { signal } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
and
type=AVC msg=audit(1589082160.527:1172): avc: denied { sigkill } for pid=672912 comm="courierlogger" scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
The main rpm package's systemd unit runs a startup script that
inventories which subpackages are installed, and starts each one's
service. Manually uninstalling an rpm subpackage executes a %preun that
stops just its own service, and this part is getting blocked. The binary
that sends the signal appears to be labeled by the contributed Fedora
policy:
rwxr-xr-x. 1 daemon daemon system_u:object_r:courier_exec_t:s0 25296 May 9 23:19 /usr/sbin/courierlogger
The binary is trying to send a signal to one of these processes:
system_u:system_r:unconfined_service_t:s0 root 780748 780747 0 01:15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd [parameters]
r-xr-xr-x. 1 daemon daemon system_u:object_r:bin_t:s0 142456 May 10 01:14
I could avoid this by systemctl stop in %preun and systemctl start
in %postun, I suppose. Startup and shutdown, which send the same signal
via the same binary, seem to work when the main rpm package runs
systemctl stop. But doing it this way stops and restarts everything when
a single subpackage gets removed, which is not ideal.
Hi,
Thank you for reporting this issue to us.
Can you please run the following commands before you reproduce the scenario again:
# chcon -t courier_exec_t /usr/lib/courier/sbin/couriertcpd
# dnf install selinux-policy-devel -y
$ cat httpd_courier.te
policy_module(httpd_courier, 1.0)
gen_require(`
type httpd_sys_script_t;
type courier_spool_t;
type system_mail_t;
')
stream_connect_pattern(httpd_sys_script_t, courier_spool_t, courier_spool_t, system_mail_t)
# make -f /usr/share/selinux/devel/Makefile httpd_courier.pp
# semodule -i httpd_courier.pp
### reproduce the scenario
And attach output of:
# ausearch -m AVC -ts today
Thanks,
Lukas.
--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.