Gentoo Archives: gentoo-hardened

From: Joern Wittek <webmaster@××××××××.de>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Policy problem with courier authlib
Date: Wed, 04 Jul 2007 22:37:53
Message-Id: 200707050029.45342.webmaster@ttw-tool.de
Hi folks,

I'm currently setting up a mail system on an SELinux-enabled system. System
software so far is up-to-date, running kernel 2.6.20-hardened-r5 on the
selinux/x86/2006.1 profile with managed strict policy version 21.
Installed policies are all 20070329, including courier-imap, which should
include the policies for courier-authlib and its authdaemon.

Now when I try to start authdaemon using

# run_init /etc/init.d/courier-authlib start

runscript.sh complains about not being able to
read the configuration at /etc/courier/authlib/authdaemonrc

The corresponding avc message is:

denied { read } for pid=3172 comm="runscript.sh"
name="authdaemonrc" [...] scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:courier_etc_t tclass=file

The file itself is labeled correctly as courier_etc_t.
I had a look at the running policy using sesearch from app-admin/setools-3.2

# sesearch --allow | grep courier_etc_t

It tells me there is indeed no rule to allow that read operation.
Shouldn't there be one?

Next thing is:
Once I change into permissive mode, it (of course) works, but

# ps xZ
[...]
system_u:system_r:initrc_t 3234 ? S 0:00 /usr/sbin/courierlogger [...]
system_u:system_r:initrc_t 3235 ? S 0:00 /usr/lib/[...]/authdaemond
[...]

the processes have not changed into the right domain (might be
courier_authdaemon_t) but remain in the obviously wrong initrc_t.
Why is this?

I untarred refpolicy-20070329.tar.bz2 from distfiles since this seems to be
the file used by all sec-policy/* ebuilds to compile their policy module
and did not find any of these rules in policy/modules/services/courier.te

Then I did a search on the web and found
http://sources.gentoo.org/viewcvs.py/gentoo-projects/selinux/courier-imap/courier-imap.te

Even the very first release of this file (1.1, dating Feb 04 2004) contains

allow initrc_t courier_etc_t:file r_file_perms;

which is what is IMHO missing in the running policy.
I don't know in which way (if any) these files from the CVS are related to
the policy module installed by emerge, since there has not been an update
within the last 18 months (picked some random samples) to the tree. I guess
this is the 2005.1-profile policy since it contains a Makefile.

Nobody else seems to have this kind of problem or I'm using the wrong
keywords in searches. Can somebody please help me sort this out or at least
point me in the right direction?

Thanks in advance
Joern
--
gentoo-hardened@g.o mailing list
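The two checks the poster does by hand (turning an avc denial into the missing allow rule, and spotting daemons that never left initrc_t in `ps xZ` output) can be scripted. The following is an added example, written for this page and not code from the poster or from the Gentoo or refpolicy projects. It parses the denial quoted above into a loadable-module `.te` source in the shape `audit2allow -M` emits, and flags processes whose context type is still `initrc_t`. The sample inputs are constructed: the first AVC line is the one from the post, the second is a made-up follow-on denial, and the `ps` listing fills the elided `[...]` path with a constructed `/usr/lib/courier-authlib/authdaemond`, which is an assumption, not the poster's actual path.

```python
import re

# Constructed sample AVC messages, modelled on the denial quoted in the post
# (first line is that denial; second is a made-up follow-on denial; third
# is noise that must be ignored).
AVC_LINES = [
    'avc: denied { read } for pid=3172 comm="runscript.sh" name="authdaemonrc" '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:courier_etc_t tclass=file',
    'avc: denied { getattr } for pid=3172 comm="runscript.sh" name="authdaemonrc" '
    'scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:courier_etc_t tclass=file',
    'this line is not an AVC message and must be ignored',
]

# Constructed sample of `ps xZ` output (LABEL PID TTY STAT TIME COMMAND),
# modelled on the listing in the post; the authdaemond path is an assumption.
PS_LINES = [
    'system_u:system_r:init_t 1 ? S 0:00 init [3]',
    'system_u:system_r:initrc_t 3234 ? S 0:00 /usr/sbin/courierlogger',
    'system_u:system_r:initrc_t 3235 ? S 0:00 /usr/lib/courier-authlib/authdaemond',
    'system_u:system_r:sshd_t 2100 ? Ss 0:00 /usr/sbin/sshd',
]

AVC_RE = re.compile(
    r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A security context is user:role:type[:range]; the type is the third field.
    stype = m.group('sctx').split(':')[2]
    ttype = m.group('tctx').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())


def collect_rules(lines):
    """Merge all denials into {(stype, ttype, tclass): frozenset(perms)}."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        key = (stype, ttype, tclass)
        rules[key] = rules.get(key, frozenset()) | perms
    return rules


def format_rule(key, perms):
    """Render one merged denial as an SELinux allow rule."""
    stype, ttype, tclass = key
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def build_module(name, lines):
    """Render .te source in the style `audit2allow -M` produces."""
    rules = collect_rules(lines)
    types_needed = sorted({t for key in rules for t in key[:2]})
    perms_by_class = {}
    for (_, _, tclass), perms in rules.items():
        perms_by_class[tclass] = perms_by_class.get(tclass, frozenset()) | perms
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types_needed]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(perms_by_class.items())]
    out += ['}', '']
    out += [format_rule(k, p) for k, p in sorted(rules.items())]
    return '\n'.join(out) + '\n'


def daemons_left_in(ps_lines, domain='initrc_t'):
    """Return [(pid, executable)] for processes whose type is still `domain`."""
    stuck = []
    for line in ps_lines:
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        ctx, pid, _tty, _stat, _time, cmd = fields
        if ctx.split(':')[2] == domain:
            stuck.append((int(pid), cmd.split()[0]))
    return stuck


if __name__ == '__main__':
    print(build_module('local_courier', AVC_LINES))
    for pid, cmd in daemons_left_in(PS_LINES):
        print('pid %d (%s) still runs as initrc_t: no domain transition happened' % (pid, cmd))
```

The generated allow rule is only a stop-gap: it lets the init script read the config, which is the first symptom, but it does nothing about the second one, a daemon that keeps running as initrc_t. That needs the daemon's executable to carry an entrypoint type (check it with `ls -Z`) and a transition rule from initrc_t on that type; granting initrc_t more file access instead would quietly widen the init domain, which is the opposite of what strict policy is for.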