On Thu, 2007-08-02 at 16:25 +0200, julien.thomas@×××××××××××××.fr wrote:
> Chris PeBenito <pebenito@g.o> wrote:
>
> > On Thu, 2007-08-02 at 11:59 +0200, julien.thomas@×××××××××××××.fr wrote:
> >> With a deeper search in the documentation,
> >> I started to watch the incorrectly labelled daemons (initrc_t type)
> >> And here are a few responses:
> >>
> >> In the existing /etc/security/selinux/file_contexts file, I found
> >> incorrect labelling definitions for the courier-imap package.
> >>
> >> So, I put here a few suggestions about this ... as I do not know
> >> whether I should tell this here or on bugzilla (is it really a bug?)
> >
> > Yes, it is a bug. I guess some courier files have moved.
> >
> >> ## new entry
> >> /usr/lib(64)?/courier/courier-authlib/*
> >> system_u:object_r:courier_authdaemon_exec_t
> >> # chcon -t courier_authdaemon_exec_t /usr/lib/courier/courier-authlib/*
> >>
> >> ## new entry
> >> /usr/lib/courier-imap/* system_u:object_r:courier_exec_t
> >> # chcon -t courier_exec_t /usr/lib/courier-imap/*
> >>
> >>
> >> (/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t)
> >> ## new entry
> >> /usr/sbin/courier-imapd system_u:object_r:courier_pop_exec_t
> >> /usr/sbin/courier-pop3d system_u:object_r:courier_pop_exec_t
> >> # chcon -t courier_pop_exec_t /usr/sbin/courier-imapd
> >> # chcon -t courier_pop_exec_t /usr/sbin/courier-pop3d
> >>
> >> (/usr/lib(64)?/courier/courier/imaplogin --
> >> system_u:object_r:courier_pop_exec_t)
> >> ## new entry
> >> /usr/sbin/imaplogin system_u:object_r:courier_pop_exec_t
> >> # chcon -t courier_pop_exec_t /usr/sbin/imaplogin
> >>
> >> ## new entry
> >> /usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t
> >> # chcon -t courier_tcpd_exec_t couriertcpd
> >>
> >> ## new entry
> >> /usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
> >> # chcon -t courier_exec_t /usr/sbin/courierlogger
> >>
> >> For the following entries of the file_contexts file, I did not
> >> find anything in courier-imap
> >> -----
> >> /usr/lib(64)?/courier/courier/courierpop.* --
> >> system_u:object_r:courier_pop_exec_t
> >> /usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t
> >> /usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t
> >>
> >>
> >> ---
> >> At the end, here is the result I got.
> >> Most of the daemons are correctly labelled, though courierlogger is
> >> still angry (why? initrc_t, and also why courier_tcpd_t though I
> >> indicated courier_exec_t!) :D
> >>
> >> ps -eZ | grep cour
> >>
> >> system_u:system_r:initrc_t 4551 ? 00:00:00 courierlogger
> > [...]
> >> system_u:system_r:courier_tcpd_t 4627 ? 00:00:00 courierlogger
> >
> > There already is a courierlogger in a courier domain; perhaps the top
> > one is a stale courierlogger that wasn't killed when you restarted
> > courier?
> >
> In fact, I have restarted the server several times as it was required
> and I still have this problem.
>
> When the courier-imap process is started, everything is working (and
> thus here are the courierlogger processes in the good domain)
>
> But when courier-authlib is started, another courierlogger is
> launched in the initrc domain, as written in the rc file:
>
> start() {
> checkconfig || return 1
> setauth
> ebegin "Starting courier-authlib: ${AUTHDAEMOND}"
> start-stop-daemon --quiet --start --pidfile "${pidfile}" --exec \
> /usr/bin/env ${logger} -- ${LOGGEROPTS} \
> -pid="${pidfile}" -start "${AUTHLIB}/${AUTHDAEMOND}"
> eend $?
> }
>
> So, why is courierlogger launched in the initrc domain while
> authdaemon, launched in the same script, is in the correct domain?
> For courier-imap, the script commands are rather different so no
> comparison is possible ...

Unfortunately I'm not really familiar with courier, so I don't know
exactly what's happening. From analyzing the policy, there is no way for
the courier domains to transition back to initrc_t, so if there are
multiple courierloggers, with one being in initrc_t, then it's probably
because of the init script. What I can't explain is why one is in the
correct domain but another isn't.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
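Added example, not code from the thread or from the policy: a small Python matcher for file_contexts(5) entries of the kind quoted above, used to flag processes in `ps -eZ` output that stayed in initrc_t even though their binary carries an *_exec_t label (the symptom Julien reports for courierlogger). The file_contexts lines, the ps lines and the EXE_PATHS mapping are constructed from the thread; "last matching entry wins" is a simplification of libselinux's spec ordering.

```python
import re
# Constructed sample: the file_contexts(5) entries proposed in the thread. The
# thread wrote "/*", which in a regex means "zero or more slashes"; ".*" is needed.
FILE_CONTEXTS = """\
/usr/lib(64)?/courier/courier-authlib/.* system_u:object_r:courier_authdaemon_exec_t
/usr/lib/courier-imap/.*    system_u:object_r:courier_exec_t
/usr/sbin/courier-imapd     system_u:object_r:courier_pop_exec_t
/usr/sbin/courier-pop3d     system_u:object_r:courier_pop_exec_t
/usr/sbin/imaplogin         system_u:object_r:courier_pop_exec_t
/usr/sbin/couriertcpd   --  system_u:object_r:courier_tcpd_exec_t
/usr/sbin/courierlogger --  system_u:object_r:courier_exec_t
"""
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "socket",
              "-p": "fifo", "-c": "char", "-b": "block"}

def parse_file_contexts(text):
    """Return (anchored regex, file type or None, context) per non-comment line."""
    specs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            ftype = FILE_TYPES[fields[1]] if len(fields) == 3 else None
            specs.append((re.compile("^(?:" + fields[0] + ")$"), ftype, fields[-1]))
    return specs

def expected_type(specs, path, ftype="file"):
    """Type file_contexts assigns to path, or None (simplified: last match wins)."""
    for regex, spec_ftype, ctx in reversed(specs):
        if spec_ftype in (None, ftype) and regex.match(path):
            return None if ctx == "<<none>>" else ctx.split(":")[2]
    return None

# Constructed `ps -eZ` sample built from the two courierlogger lines in the thread.
# EXE_PATHS maps a command name to its binary (an assumption for this example).
PS_EZ = """\
LABEL                             PID TTY      TIME CMD
system_u:system_r:initrc_t       4551 ?    00:00:00 courierlogger
system_u:system_r:courier_tcpd_t 4627 ?    00:00:00 courierlogger
"""
EXE_PATHS = {"courierlogger": "/usr/sbin/courierlogger"}
SPECS = parse_file_contexts(FILE_CONTEXTS)

def find_stuck_in_initrc(ps_output=PS_EZ, specs=SPECS, exe_paths=EXE_PATHS):
    """(pid, cmd, exec type) of processes left in initrc_t despite an *_exec_t binary."""
    stuck = []
    for line in ps_output.splitlines()[1:]:
        label, pid, _tty, _time, cmd = line.split(None, 4)
        want = expected_type(specs, exe_paths.get(cmd, ""))
        if label.split(":")[2] == "initrc_t" and want and want.endswith("_exec_t"):
            stuck.append((int(pid), cmd, want))
    return stuck
```

Running `find_stuck_in_initrc()` on the sample reports pid 4551 only: its binary is labelled courier_exec_t, so an initrc_t process named courierlogger points at something in the exec chain (here the `/usr/bin/env` wrapper in the init script) rather than at the file labels.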