On Thu, 2007-08-02 at 11:59 +0200, julien.thomas@×××××××××××××.fr wrote:
> With a deeper search in the documentation,
> I started to watch the incorrectly labelled daemons (initrc_t type)
> And here are a few responses:
>
> In the existing /etc/security/selinux/file_contexts file, I found
> incorrect labelling definitions for the courier-imap package.
>
> So, I put here a few suggestions about this ... as I do not know
> whether I should tell this here or on bugzilla (is it really a bug?)

Yes, it is a bug. I guess some courier files have moved.

> ## new entry
> /usr/lib(64)?/courier/courier-authlib/*
> system_u:object_r:courier_authdaemon_exec_t
> # chcon -t courier_authdaemon_exec_t /usr/lib/courier/courier-authlib/*
>
> ## new entry
> /usr/lib/courier-imap/* system_u:object_r:courier_exec_t
> # chcon -t courier_exec_t /usr/lib/courier-imap/*
>
>
> (/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t)
> ## new entry
> /usr/sbin/courier-imapd system_u:object_r:courier_pop_exec_t
> /usr/sbin/courier-pop3d system_u:object_r:courier_pop_exec_t
> # chcon -t courier_pop_exec_t /usr/sbin/courier-imapd
> # chcon -t courier_pop_exec_t /usr/sbin/courier-pop3d
>
> (/usr/lib(64)?/courier/courier/imaplogin --
> system_u:object_r:courier_pop_exec_t)
> ## new entry
> /usr/sbin/imaplogin system_u:object_r:courier_pop_exec_t
> # chcon -t courier_pop_exec_t /usr/sbin/imaplogin
>
> ## new entry
> /usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t
> # chcon -t courier_tcpd_exec_t couriertcpd
>
> ## new entry
> /usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
> # chcon -t courier_exec_t /usr/sbin/courierlogger
>
> For the following entries of the file_contexts file, I did not
> find anything in courier-imap:
> -----
> /usr/lib(64)?/courier/courier/courierpop.* --
> system_u:object_r:courier_pop_exec_t
> /usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t
> /usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t
>
>
> ---
> At the end, here is the result I got.
> Most of the daemons are correctly labelled, though courierlogger is
> still angry (why? initrc_t, and also why courier_tcpd_t though I
> indicated courier_exec_t!) :D
>
> ps -eZ | grep cour
>
> system_u:system_r:initrc_t 4551 ? 00:00:00 courierlogger
[...]
> system_u:system_r:courier_tcpd_t 4627 ? 00:00:00 courierlogger

There already is a courierlogger in a courier domain; perhaps the top
one is a stale courierlogger that wasn't killed when you restarted
courier?

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
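An added check for the two problems in this thread, written for this page and not part of the original posts or of any SELinux tool: a simplified file_contexts matcher (file_contexts patterns are anchored regular expressions, so a `/*` entry matches only the directory itself; the usual refpolicy form is `(/.*)?`) and a `ps -eZ` scan that flags processes still in initrc_t and reports whether a confined twin exists, the stale-process case Chris suspects for courierlogger. The sample entries and ps lines are constructed from the ones quoted above.

```python
import re

# Constructed sample: four of the entries proposed in the thread, one per line.
FILE_CONTEXTS = """\
/usr/lib(64)?/courier/courier-authlib/* system_u:object_r:courier_authdaemon_exec_t
/usr/lib/courier-imap/* system_u:object_r:courier_exec_t
/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t
/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
"""

# Constructed `ps -eZ` sample built from the two courierlogger lines in the thread.
PS_OUTPUT = """\
LABEL                             PID TTY      TIME     CMD
system_u:system_r:initrc_t       4551 ?        00:00:00 courierlogger
system_u:system_r:courier_tcpd_t 4627 ?        00:00:00 courierlogger
"""

def parse_file_contexts(text):
    """Return (regex, file-type flag or None, context) per entry. Patterns are
    anchored regular expressions: '/*' means zero or more slashes, not a glob."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        if len(parts) not in (2, 3):
            raise ValueError('malformed entry: ' + line)
        ftype = parts[1] if len(parts) == 3 else None   # '--' regular file, '-d' directory, ...
        entries.append((re.compile('^' + parts[0] + '$'), ftype, parts[-1]))
    return entries

def expected_type(entries, path, ftype='--'):
    """Simplified matchpathcon: type of the last matching entry, or None.
    (libselinux additionally prefers entries with a longer literal stem.)"""
    found = None
    for rx, ft, ctx in entries:
        if rx.match(path) and ft in (None, ftype):
            found = ctx.split(':')[2]
    return found

def initrc_leftovers(ps_text):
    """List (pid, cmd, has_confined_twin) for processes still in initrc_t; a twin
    in a confined domain suggests a stale process, not a mislabelled binary."""
    procs = []
    for line in ps_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5 and ':' in fields[0]:   # skip the ps header line
            procs.append((fields[0].split(':')[2], int(fields[1]), fields[4]))
    confined = {cmd for dom, _, cmd in procs if dom != 'initrc_t'}
    return [(pid, cmd, cmd in confined) for dom, pid, cmd in procs if dom == 'initrc_t']
```

Running `expected_type` on `/usr/lib/courier-imap/imapd` returns None for the posted `/*` entry, which is why `restorecon` would leave such files unlabelled even after the entry is added.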