Hi folks,

I'm currently setting up a mail system on an SELinux-enabled system. System
software so far is up-to-date, running kernel 2.6.20-hardened-r5 on the
selinux/x86/2006.1 profile with managed strict policy version 21.
Installed policies are all 20070329, including courier-imap, which should
include the policies for courier-authlib and its authdaemon.

Now when I try to start authdaemon using

# run_init /etc/init.d/courier-authlib start

runscript.sh complains about not being able to
read the configuration at /etc/courier/authlib/authdaemonrc

The corresponding avc-message is:

denied { read } for pid=3172 comm="runscript.sh"
name="authdaemonrc" [...] scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:courier_etc_t tclass=file

The file itself is labeled correctly as courier_etc_t.
I had a look at the running policy using sesearch from app-admin/setools-3.2

# sesearch --allow | grep courier_etc_t

It tells me there is indeed no rule to allow that read operation.
Shouldn't there be one?

Next thing is:
Once I change into permissive mode, it (of course) works, but

# ps xZ
[...]
system_u:system_r:initrc_t 3234 ? S 0:00 /usr/sbin/courierlogger [...]
system_u:system_r:initrc_t 3235 ? S 0:00 /usr/lib/[...]/authdaemond
[...]

the processes have not changed into the right domain (might be
courier_authdaemon_t) but remain in the obviously wrong initrc_t.
Why is this?

I untarred refpolicy-20070329.tar.bz2 from distfiles since this seems to be
the file used by all sec-policy/* ebuilds to compile their policy-module
and did not find any of these rules in policy/modules/services/courier.te

Then did a search on the web and found
http://sources.gentoo.org/viewcvs.py/gentoo-projects/selinux/courier-imap/courier-imap.te

Even the very first release of this file (1.1, dating Feb 04 2004) contains

allow initrc_t courier_etc_t:file r_file_perms;

which is what is IMHO missing in the running policy.
I don't know in which way (if any) these files from the cvs are related to
the policy-module installed by emerge, since there has not been an update
within the last 18 months (picked some random samples) to the tree. I guess
this is the 2005.1-profile policy since it contains a Makefile.

Nobody else seems to have this kind of problem or I'm using the wrong
keywords in searches. Can somebody please help me sort this out or at least
point me in the right direction?

Thanks in advance
Joern
--
gentoo-hardened@g.o mailing list
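The following is an added example and not part of Joern's message, the Gentoo policy tree or refpolicy. It is a small Python script that parses AVC denial lines of the shape quoted in the post into the TE allow rules the policy would need (merging permissions per source type, target type and class the way audit2allow does), and separately flags daemons whose denials still carry initrc_t as the source domain, which is the second symptom described (a process that never transitioned out of the init script's domain needs a domain-transition rule, not more initrc_t allow rules). The sample lines are constructed: the first reproduces the post's denial with invented dev= and ino= values standing in for the elided "[...]", and the second, with courier_var_run_t and sock_file, is an invented companion line in the same format.

```python
"""Parse SELinux AVC denial messages and derive the allow rules they imply."""
import re
from collections import OrderedDict

# Constructed sample input (not captured from a real system). Line 1 follows
# the denial quoted in the post; dev=/ino= are invented stand-ins for "[...]".
# Line 2 is invented: the daemon itself, still running in initrc_t, being denied.
SAMPLE_AVC_LINES = [
    'avc:  denied  { read } for  pid=3172 comm="runscript.sh" name="authdaemonrc" '
    'dev=sda3 ino=99999 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:object_r:courier_etc_t tclass=file',
    'avc:  denied  { write } for  pid=3235 comm="authdaemond" name="socket" '
    'dev=sda3 ino=99998 scontext=system_u:system_r:initrc_t '
    'tcontext=system_u:object_r:courier_var_run_t tclass=sock_file',
]

# "denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return perms (list), scontext, tcontext, tclass, comm and pid of one denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial: %r' % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError('AVC line lacks %s: %r' % (required, line))
    pid = fields.get('pid', '')
    return {
        'perms': m.group('perms').split(),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        'pid': int(pid) if pid.isdigit() else None,
    }


def context_type(context):
    """Extract the type field from a user:role:type[:mls] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]


def merge_rules(avcs):
    """Union the denied permissions per (source type, target type, class)."""
    merged = OrderedDict()
    for avc in avcs:
        key = (context_type(avc['scontext']), context_type(avc['tcontext']), avc['tclass'])
        perms = merged.setdefault(key, [])
        for perm in avc['perms']:
            if perm not in perms:
                perms.append(perm)
    return merged


def format_allow_rule(stype, ttype, tclass, perms):
    """Render one TE allow rule in policy syntax; braces only for several perms."""
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (stype, ttype, tclass, perm_text)


def allow_rules_for(lines):
    """Allow rules that would cover every denial in the given log lines."""
    avcs = [parse_avc(line) for line in lines if 'denied' in line]
    return [format_allow_rule(s, t, c, p) for (s, t, c), p in merge_rules(avcs).items()]


def untransitioned_daemons(lines, init_type='initrc_t', init_comms=('runscript.sh',)):
    """Process names that were denied while still running in the init script's domain.

    Anything listed here has not transitioned into its own domain; the missing
    piece is a domain transition for that daemon, not an allow rule for init_type.
    """
    found = []
    for avc in (parse_avc(line) for line in lines if 'denied' in line):
        if context_type(avc['scontext']) == init_type and avc['comm'] not in init_comms:
            if avc['comm'] not in found:
                found.append(avc['comm'])
    return found


if __name__ == '__main__':
    for rule in allow_rules_for(SAMPLE_AVC_LINES):
        print(rule)
    print('still running in initrc_t:', untransitioned_daemons(SAMPLE_AVC_LINES))
```

Feed it the AVC lines from dmesg or /var/log/audit/audit.log; the first rule it prints for the post's denial is `allow initrc_t courier_etc_t:file read;`, the single-permission form of the `r_file_perms` rule found in the old courier-imap.te. A generated rule is only a starting point: a daemon that appears in the untransitioned list should get its own domain rather than having initrc_t widened to cover it.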