| 1 |
With a deeper search in the documentation, |
| 2 |
I started to watch the uncorrect labelled daemons (initrc_t type) |
| 3 |
And here is a few response : |
| 4 |
|
| 5 |
In the existing /etc/security/selinux/file_contexts file, I found |
| 6 |
uncorrect labelling definitions for the courier-imap package. |
| 7 |
|
| 8 |
So, I put here a few suggestion about this ... as I do not know |
| 9 |
weither I should tell this here or on bugzilla (is it really a bug ? ) |
| 10 |
|
| 11 |
|
| 12 |
## new entry |
| 13 |
/usr/lib(64)?/courier/courier-authlib/* |
| 14 |
system_u:object_r:courier_authdaemon_exec_t |
| 15 |
# chcon -t courier_authdaemon_exec_t /usr/lib/courier/courier-authlib/* |
| 16 |
|
| 17 |
## new entry |
| 18 |
/usr/lib/courier-imap/* system_u:object_r:courier_exec_t |
| 19 |
# chcon -t courier_exec_t /usr/lib/courier-imap/* |
| 20 |
|
| 21 |
|
| 22 |
(/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t) |
| 23 |
## newentry |
| 24 |
/usr/sbin/courier-imapd system_u:object_r:courier_pop_exec_t |
| 25 |
/usr/sbin/courier-pop3d system_u:object_r:courier_pop_exec_t |
| 26 |
# chcon -t courier_pop_exec_t /usr/sbin/courier-imapd |
| 27 |
# chcon -t courier_pop_exec_t /usr/sbin/courier-pop3d |
| 28 |
|
| 29 |
(/usr/lib(64)?/courier/courier/imaplogin -- |
| 30 |
system_u:object_r:courier_pop_exec_t) |
| 31 |
## new entry |
| 32 |
/usr/sbin/imaplogin system_u:object_r:courier_pop_exec_t |
| 33 |
# chcon -t courier_pop_exec_t /usr/sbin/imaplogin |
| 34 |
|
| 35 |
## new entry |
| 36 |
/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t |
| 37 |
# chcon -t courier_tcpd_exec_t couriertcpd |
| 38 |
|
| 39 |
## new entry |
| 40 |
/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t |
| 41 |
# chcon -t courier_exec_t /usr/sbin/courierlogger |
| 42 |
|
| 43 |
For the following information of the file_contexts file, I did not |
| 44 |
find anything in courier-imap |
| 45 |
----- |
| 46 |
/usr/lib(64)?/courier/courier/courierpop.* -- |
| 47 |
system_u:object_r:courier_pop_exec_t |
| 48 |
/usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t |
| 49 |
/usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t |
| 50 |
|
| 51 |
|
| 52 |
--- |
| 53 |
At the end, here is the result I got. |
| 54 |
Most of the daemon are correctly labelled, though courierlogger is |
| 55 |
still angry (why? initrc_t and also why courier_tcpd_t though I |
| 56 |
indicated courier_exec_t !) :D |
| 57 |
|
| 58 |
ps -eZ | grep cour |
| 59 |
|
| 60 |
system_u:system_r:initrc_t 4551 ? 00:00:00 courierlogger |
| 61 |
system_u:system_r:courier_authdaemon_t 4552 ? 00:00:00 authdaemond |
| 62 |
system_u:system_r:courier_authdaemon_t 4556 ? 00:00:00 authdaemond |
| 63 |
system_u:system_r:courier_authdaemon_t 4557 ? 00:00:00 authdaemond |
| 64 |
system_u:system_r:courier_authdaemon_t 4558 ? 00:00:00 authdaemond |
| 65 |
system_u:system_r:courier_authdaemon_t 4559 ? 00:00:00 authdaemond |
| 66 |
system_u:system_r:courier_authdaemon_t 4560 ? 00:00:00 authdaemond |
| 67 |
system_u:system_r:courier_tcpd_t 4625 ? 00:00:00 couriertcpd |
| 68 |
system_u:system_r:courier_tcpd_t 4627 ? 00:00:00 courierlogger |
| 69 |
|
| 70 |
|
| 71 |
I will btw post it on bugzilla when this will be over. |
| 72 |
|
| 73 |
Julien Thomas. |
| 74 |
|
| 75 |
julien.thomas@×××××××××××××.fr a écrit : |
| 76 |
|
| 77 |
> In fact, I think that there is no problem with protmap as I got |
| 78 |
> mv1 sbin # ls -lZ port* |
| 79 |
> -rwxr-xr-x root root system_u:object_r:portmap_exec_t portmap |
| 80 |
> |
| 81 |
> However, other binaries such as rpc.* or other are labelled as bin_t |
| 82 |
> which is not correct, I think. |
| 83 |
> |
| 84 |
> But as I work with managed SELinux (2006+), I do not have the src |
| 85 |
> directories and thus policy/ subdirectories ... So I'm quite blocked |
| 86 |
> here : |
| 87 |
> my filesystem is not correctly labelled and I cannot find which labels |
| 88 |
> I should have ! |
| 89 |
> |
| 90 |
> Is there a way to get these information ? |
| 91 |
> |
| 92 |
> Chris PeBenito <pebenito@g.o> a écrit : |
| 93 |
> |
| 94 |
>> On Wed, 2007-08-01 at 11:53 +0200, julien.thomas@×××××××××××××.fr wrote: |
| 95 |
>>> Thanks for the tip with ssh. This work really well now. |
| 96 |
>>> |
| 97 |
>>> Unefortunately, it is not the only error I got with SELinux. |
| 98 |
>>> Some files were not correctly labelled (though I don't know how many |
| 99 |
>>> rlpkg -ar were done ...) |
| 100 |
>>> |
| 101 |
>>> For example here is a result of audit2allow. But the most important |
| 102 |
>>> problem, I think, is the networks error with for example allow |
| 103 |
>>> kernel_t lo_node_t:node udp_recv. |
| 104 |
>>> |
| 105 |
>>> For a full example, I have added the kernel messages |
| 106 |
>>> (/var/log/kern.log | grep portmap) produced by the portmap daemon. I |
| 107 |
>>> think that it s a recurrent error that is not produced by the daemon |
| 108 |
>>> but more by a network/kernel wrong labelling/policy. |
| 109 |
>>> |
| 110 |
>>> If someone has any clue about this, I will take it as I cannot find |
| 111 |
>>> any relevant information on the web. |
| 112 |
>> |
| 113 |
>> At a minimum, the portmap service is running in the wrong domain: |
| 114 |
>> |
| 115 |
>>> allow initrc_t inaddr_any_node_t:tcp_socket node_bind; |
| 116 |
>>> allow initrc_t pop_port_t:tcp_socket name_bind; |
| 117 |
>>> allow initrc_t unspec_node_t:tcp_socket node_bind; |
| 118 |
>>> allow initrc_t var_lib_t:sock_file { create rename setattr unlink }; |
| 119 |
>> |
| 120 |
>> -- |
| 121 |
>> Chris PeBenito |
| 122 |
>> <pebenito@g.o> |
| 123 |
>> Developer, |
| 124 |
>> Hardened Gentoo Linux |
| 125 |
>> |
| 126 |
>> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 127 |
>> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
| 128 |
>> |
| 129 |
> |
| 130 |
> |
| 131 |
> |
| 132 |
> -- |
| 133 |
> gentoo-hardened@g.o mailing list |
| 134 |
|
| 135 |
|
| 136 |
|
| 137 |
-- |
| 138 |
gentoo-hardened@g.o mailing list |
Archives