List Archive: gentoo-hardened
Hi folks,
I'm currently setting up a mail system on an selinux-enabled system. System
software so far is up-to-date, running kernel 2.6.20-hardened-r5 on the
selinux/x86/2006.1 profile with managed strict policy version 21.
Installed policies are all 20070329, including courier-imap, which should
include the policies for courier-authlib and its authdaemon.
Now when I try to start authdaemon using
# run_init /etc/init.d/courier-authlib start
runscript.sh complains about not being able to
read the configuration at /etc/courier/authlib/authdaemonrc
The corresponding avc-message is:
denied { read } for pid=3172 comm="runscript.sh"
name="authdaemonrc" [...] scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:courier_etc_t tclass=file
The file itself is labeled correctly as courier_etc_t.
I had a look at the running policy using sesearch from app-admin/setools-3.2
# sesearch --allow | grep courier_etc_t
It tells me there is indeed no rule to allow that read operation.
Shouldn't there be one?
Next thing is:
Once I change into permissive mode, it (of course) works, but
# ps xZ
[...]
system_u:system_r:initrc_t 3234 ? S 0:00 /usr/sbin/courierlogger [...]
system_u:system_r:initrc_t 3235 ? S 0:00 /usr/lib/[...]/authdaemond
[...]
the processes have not changed into the right domain (might be
courier_authdaemon_t) but remain in the obviously wrong initrc_t.
Why is this?
I untarred refpolicy-20070329.tar.bz2 from distfiles since this seems to be
the file used by all sec-policy/* ebuilds to compile their policy-module
and did not find any of these rules in policy/modules/services/courier.te
Then did a search on the web and found
http://sources.gentoo.org/viewcvs.py/gentoo-projects/selinux/courier-imap/courier-imap.te
Even the very first release of this file (1.1, dating Feb 04 2004) contains
allow initrc_t courier_etc_t:file r_file_perms;
which is what is IMHO missing in the running policy.
I don't know in which way (if any) these file from the cvs are related to
the policy-module installed by emerge, since there has not been an update
wihtin the last 18 months (picked some random samples) to the tree. I guess
this is the 2005.1-profile policy since it contains a Makefile.
Nobody else seems to have this kind of problem or I'm using the wrong
keywords in searches. Can somebody please help me sort this out or at least
point me in the right direction?
Thanks in advance
Joern
--
gentoo-hardened@g.o mailing list
|
|
