1 |
Hi. |
2 |
The problems of courier-imap began to be solved ... |
3 |
|
4 |
(The previous post where labelled by "SELinux - network streams" but |
5 |
as I am more focused with courier-imap now, I though it was good to |
6 |
change the subject) |
7 |
|
8 |
However, here is the problem I have with file labelling : |
9 |
|
10 |
I put it /etc/security/selinx/file_contexts the following lines |
11 |
/var/run/impad.* system_u:object_r:courier_var_run_t |
12 |
/var/run/pop3.* system_u:object_r:courier_var_run_t |
13 |
/var/run/authdaemon.* system_u:object_r:courier_var_run_t |
14 |
|
15 |
as the previous ones (/var/run/courier(/.*)?) where wrong. |
16 |
|
17 |
However, restorecon do not give the good contexts for these files |
18 |
(var_run_t). Besides, when the server are restarted or after let's say |
19 |
one hour, |
20 |
the files got the var_run_t context though I changed them with chcon. |
21 |
|
22 |
Where should I put this file_context information. |
23 |
(Do I have to add this I a QuickFix module ?) |
24 |
|
25 |
for the other problem, It was due to transition problems. |
26 |
I have added the following lines : |
27 |
type_transition initrc_t courier_exec_t:process courier_tcpd_t; |
28 |
type_transition courier_tcpd_t courier_authdaemon_exec_t:process |
29 |
courier_authdaemon_t; |
30 |
|
31 |
Julien Thomas. |
32 |
|
33 |
julien.thomas@×××××××××××××.fr a écrit : |
34 |
|
35 |
> Chris PeBenito <pebenito@g.o> a écrit : |
36 |
> |
37 |
>> On Thu, 2007-08-02 at 11:59 +0200, julien.thomas@×××××××××××××.fr wrote: |
38 |
>>> With a deeper search in the documentation, |
39 |
>>> I started to watch the uncorrect labelled daemons (initrc_t type) |
40 |
>>> And here is a few response : |
41 |
>>> |
42 |
>>> In the existing /etc/security/selinux/file_contexts file, I found |
43 |
>>> uncorrect labelling definitions for the courier-imap package. |
44 |
>>> |
45 |
>>> So, I put here a few suggestion about this ... as I do not know |
46 |
>>> weither I should tell this here or on bugzilla (is it really a bug ? ) |
47 |
>> |
48 |
>> Yes, it is a bug. I guess some courier files have moved. |
49 |
>> |
50 |
>>> ## new entry |
51 |
>>> /usr/lib(64)?/courier/courier-authlib/* |
52 |
>>> system_u:object_r:courier_authdaemon_exec_t |
53 |
>>> # chcon -t courier_authdaemon_exec_t /usr/lib/courier/courier-authlib/* |
54 |
>>> |
55 |
>>> ## new entry |
56 |
>>> /usr/lib/courier-imap/* system_u:object_r:courier_exec_t |
57 |
>>> # chcon -t courier_exec_t /usr/lib/courier-imap/* |
58 |
>>> |
59 |
>>> |
60 |
>>> (/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t) |
61 |
>>> ## newentry |
62 |
>>> /usr/sbin/courier-imapd system_u:object_r:courier_pop_exec_t |
63 |
>>> /usr/sbin/courier-pop3d system_u:object_r:courier_pop_exec_t |
64 |
>>> # chcon -t courier_pop_exec_t /usr/sbin/courier-imapd |
65 |
>>> # chcon -t courier_pop_exec_t /usr/sbin/courier-pop3d |
66 |
>>> |
67 |
>>> (/usr/lib(64)?/courier/courier/imaplogin -- |
68 |
>>> system_u:object_r:courier_pop_exec_t) |
69 |
>>> ## new entry |
70 |
>>> /usr/sbin/imaplogin system_u:object_r:courier_pop_exec_t |
71 |
>>> # chcon -t courier_pop_exec_t /usr/sbin/imaplogin |
72 |
>>> |
73 |
>>> ## new entry |
74 |
>>> /usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t |
75 |
>>> # chcon -t courier_tcpd_exec_t couriertcpd |
76 |
>>> |
77 |
>>> ## new entry |
78 |
>>> /usr/sbin/courierlogger -- system_u:object_r:courier_exec_t |
79 |
>>> # chcon -t courier_exec_t /usr/sbin/courierlogger |
80 |
>>> |
81 |
>>> For the following information of the file_contexts file, I did not |
82 |
>>> find anything in courier-imap |
83 |
>>> ----- |
84 |
>>> /usr/lib(64)?/courier/courier/courierpop.* -- |
85 |
>>> system_u:object_r:courier_pop_exec_t |
86 |
>>> /usr/lib(64)?/courier/imapd -- |
87 |
>>> system_u:object_r:courier_pop_exec_t |
88 |
>>> /usr/lib(64)?/courier/pop3d -- |
89 |
>>> system_u:object_r:courier_pop_exec_t |
90 |
>>> |
91 |
>>> |
92 |
>>> --- |
93 |
>>> At the end, here is the result I got. |
94 |
>>> Most of the daemon are correctly labelled, though courierlogger is |
95 |
>>> still angry (why? initrc_t and also why courier_tcpd_t though I |
96 |
>>> indicated courier_exec_t !) :D |
97 |
>>> |
98 |
>>> ps -eZ | grep cour |
99 |
>>> |
100 |
>>> system_u:system_r:initrc_t 4551 ? 00:00:00 courierlogger |
101 |
>> [...] |
102 |
>>> system_u:system_r:courier_tcpd_t 4627 ? 00:00:00 courierlogger |
103 |
>> |
104 |
>> There already is a courierlogger in a courier domain; perhaps the top |
105 |
>> one is a stale courierlogger that wasn't killed when you restarted |
106 |
>> courier? |
107 |
>> |
108 |
> In fact, I have restarted the server several times as it was required |
109 |
> and I still have this problem. |
110 |
> |
111 |
> when the courier-imap process is started, everything is working (and |
112 |
> thus here are the courierlogger processes in the good domain) |
113 |
> |
114 |
> but when courier-authlib is started, another courierlogger is launched |
115 |
> in the initrc domain, as written in th rc file |
116 |
> |
117 |
> start() { |
118 |
> checkconfig || return 1 |
119 |
> setauth |
120 |
> ebegin "Starting courier-authlib: ${AUTHDAEMOND}" |
121 |
> start-stop-daemon --quiet --start --pidfile "${pidfile}" --exec \ |
122 |
> /usr/bin/env ${logger} -- ${LOGGEROPTS} |
123 |
> -pid="${pidfile}" -start "${AUTHLIB}/${AUTHDAEMOND}" |
124 |
> eend $? |
125 |
> } |
126 |
> |
127 |
> so, why is courierlogger launched in the initrc domain while |
128 |
> authdaemon, launched in the same script, are in the correct domain ? |
129 |
> For courrier-imap, the scripts command are rather different so no |
130 |
> comparison are possible ... |
131 |
> |
132 |
> Julien Thomas |
133 |
> |
134 |
>> -- |
135 |
>> Chris PeBenito |
136 |
>> <pebenito@g.o> |
137 |
>> Developer, |
138 |
>> Hardened Gentoo Linux |
139 |
>> |
140 |
>> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
141 |
>> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
142 |
>> |
143 |
> |
144 |
> |
145 |
> |
146 |
> -- |
147 |
> gentoo-hardened@g.o mailing list |
148 |
|
149 |
|
150 |
|
151 |
-- |
152 |
gentoo-hardened@g.o mailing list |