| 1 |
Chris PeBenito <pebenito@g.o> a écrit : |
| 2 |
|
| 3 |
> On Thu, 2007-08-02 at 11:59 +0200, julien.thomas@×××××××××××××.fr wrote: |
| 4 |
>> With a deeper search in the documentation, |
| 5 |
>> I started to watch the uncorrect labelled daemons (initrc_t type) |
| 6 |
>> And here is a few response : |
| 7 |
>> |
| 8 |
>> In the existing /etc/security/selinux/file_contexts file, I found |
| 9 |
>> uncorrect labelling definitions for the courier-imap package. |
| 10 |
>> |
| 11 |
>> So, I put here a few suggestion about this ... as I do not know |
| 12 |
>> weither I should tell this here or on bugzilla (is it really a bug ? ) |
| 13 |
> |
| 14 |
> Yes, it is a bug. I guess some courier files have moved. |
| 15 |
> |
| 16 |
>> ## new entry |
| 17 |
>> /usr/lib(64)?/courier/courier-authlib/* |
| 18 |
>> system_u:object_r:courier_authdaemon_exec_t |
| 19 |
>> # chcon -t courier_authdaemon_exec_t /usr/lib/courier/courier-authlib/* |
| 20 |
>> |
| 21 |
>> ## new entry |
| 22 |
>> /usr/lib/courier-imap/* system_u:object_r:courier_exec_t |
| 23 |
>> # chcon -t courier_exec_t /usr/lib/courier-imap/* |
| 24 |
>> |
| 25 |
>> |
| 26 |
>> (/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t) |
| 27 |
>> ## newentry |
| 28 |
>> /usr/sbin/courier-imapd system_u:object_r:courier_pop_exec_t |
| 29 |
>> /usr/sbin/courier-pop3d system_u:object_r:courier_pop_exec_t |
| 30 |
>> # chcon -t courier_pop_exec_t /usr/sbin/courier-imapd |
| 31 |
>> # chcon -t courier_pop_exec_t /usr/sbin/courier-pop3d |
| 32 |
>> |
| 33 |
>> (/usr/lib(64)?/courier/courier/imaplogin -- |
| 34 |
>> system_u:object_r:courier_pop_exec_t) |
| 35 |
>> ## new entry |
| 36 |
>> /usr/sbin/imaplogin system_u:object_r:courier_pop_exec_t |
| 37 |
>> # chcon -t courier_pop_exec_t /usr/sbin/imaplogin |
| 38 |
>> |
| 39 |
>> ## new entry |
| 40 |
>> /usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t |
| 41 |
>> # chcon -t courier_tcpd_exec_t couriertcpd |
| 42 |
>> |
| 43 |
>> ## new entry |
| 44 |
>> /usr/sbin/courierlogger -- system_u:object_r:courier_exec_t |
| 45 |
>> # chcon -t courier_exec_t /usr/sbin/courierlogger |
| 46 |
>> |
| 47 |
>> For the following information of the file_contexts file, I did not |
| 48 |
>> find anything in courier-imap |
| 49 |
>> ----- |
| 50 |
>> /usr/lib(64)?/courier/courier/courierpop.* -- |
| 51 |
>> system_u:object_r:courier_pop_exec_t |
| 52 |
>> /usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t |
| 53 |
>> /usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t |
| 54 |
>> |
| 55 |
>> |
| 56 |
>> --- |
| 57 |
>> At the end, here is the result I got. |
| 58 |
>> Most of the daemon are correctly labelled, though courierlogger is |
| 59 |
>> still angry (why? initrc_t and also why courier_tcpd_t though I |
| 60 |
>> indicated courier_exec_t !) :D |
| 61 |
>> |
| 62 |
>> ps -eZ | grep cour |
| 63 |
>> |
| 64 |
>> system_u:system_r:initrc_t 4551 ? 00:00:00 courierlogger |
| 65 |
> [...] |
| 66 |
>> system_u:system_r:courier_tcpd_t 4627 ? 00:00:00 courierlogger |
| 67 |
> |
| 68 |
> There already is a courierlogger in a courier domain; perhaps the top |
| 69 |
> one is a stale courierlogger that wasn't killed when you restarted |
| 70 |
> courier? |
| 71 |
> |
| 72 |
In fact, I have restarted the server several times as it was required |
| 73 |
and I still have this problem. |
| 74 |
|
| 75 |
when the courier-imap process is started, everything is working (and |
| 76 |
thus here are the courierlogger processes in the good domain) |
| 77 |
|
| 78 |
but when courier-authlib is started, another courierlogger is |
| 79 |
launched in the initrc domain, as written in th rc file |
| 80 |
|
| 81 |
start() { |
| 82 |
checkconfig || return 1 |
| 83 |
setauth |
| 84 |
ebegin "Starting courier-authlib: ${AUTHDAEMOND}" |
| 85 |
start-stop-daemon --quiet --start --pidfile "${pidfile}" --exec \ |
| 86 |
/usr/bin/env ${logger} -- ${LOGGEROPTS} |
| 87 |
-pid="${pidfile}" -start "${AUTHLIB}/${AUTHDAEMOND}" |
| 88 |
eend $? |
| 89 |
} |
| 90 |
|
| 91 |
so, why is courierlogger launched in the initrc domain while |
| 92 |
authdaemon, launched in the same script, are in the correct domain ? |
| 93 |
For courrier-imap, the scripts command are rather different so no |
| 94 |
comparison are possible ... |
| 95 |
|
| 96 |
Julien Thomas |
| 97 |
|
| 98 |
> -- |
| 99 |
> Chris PeBenito |
| 100 |
> <pebenito@g.o> |
| 101 |
> Developer, |
| 102 |
> Hardened Gentoo Linux |
| 103 |
> |
| 104 |
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 105 |
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
| 106 |
> |
| 107 |
|
| 108 |
|
| 109 |
|
| 110 |
-- |
| 111 |
gentoo-hardened@g.o mailing list |
Archives