With a deeper search in the documentation,
I started to watch the incorrectly labelled daemons (initrc_t type)
And here are a few responses:

In the existing /etc/security/selinux/file_contexts file, I found
incorrect labelling definitions for the courier-imap package.

So, I put here a few suggestions about this ... as I do not know
whether I should tell this here or on bugzilla (is it really a bug?)


## new entry
/usr/lib(64)?/courier/courier-authlib/* system_u:object_r:courier_authdaemon_exec_t
# chcon -t courier_authdaemon_exec_t /usr/lib/courier/courier-authlib/*

## new entry
/usr/lib/courier-imap/* system_u:object_r:courier_exec_t
# chcon -t courier_exec_t /usr/lib/courier-imap/*


(/usr/bin/imapd -- system_u:object_r:courier_pop_exec_t)
## new entry
/usr/sbin/courier-imapd system_u:object_r:courier_pop_exec_t
/usr/sbin/courier-pop3d system_u:object_r:courier_pop_exec_t
# chcon -t courier_pop_exec_t /usr/sbin/courier-imapd
# chcon -t courier_pop_exec_t /usr/sbin/courier-pop3d

(/usr/lib(64)?/courier/courier/imaplogin -- system_u:object_r:courier_pop_exec_t)
## new entry
/usr/sbin/imaplogin system_u:object_r:courier_pop_exec_t
# chcon -t courier_pop_exec_t /usr/sbin/imaplogin

## new entry
/usr/sbin/couriertcpd -- system_u:object_r:courier_tcpd_exec_t
# chcon -t courier_tcpd_exec_t /usr/sbin/couriertcpd

## new entry
/usr/sbin/courierlogger -- system_u:object_r:courier_exec_t
# chcon -t courier_exec_t /usr/sbin/courierlogger

For the following entries of the file_contexts file, I did not
find anything in courier-imap
-----
/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
/usr/lib(64)?/courier/imapd -- system_u:object_r:courier_pop_exec_t
/usr/lib(64)?/courier/pop3d -- system_u:object_r:courier_pop_exec_t


---
At the end, here is the result I got.
Most of the daemons are correctly labelled, though courierlogger is
still angry (why? initrc_t and also why courier_tcpd_t though I
indicated courier_exec_t!) :D

ps -eZ | grep cour

system_u:system_r:initrc_t 4551 ? 00:00:00 courierlogger
system_u:system_r:courier_authdaemon_t 4552 ? 00:00:00 authdaemond
system_u:system_r:courier_authdaemon_t 4556 ? 00:00:00 authdaemond
system_u:system_r:courier_authdaemon_t 4557 ? 00:00:00 authdaemond
system_u:system_r:courier_authdaemon_t 4558 ? 00:00:00 authdaemond
system_u:system_r:courier_authdaemon_t 4559 ? 00:00:00 authdaemond
system_u:system_r:courier_authdaemon_t 4560 ? 00:00:00 authdaemond
system_u:system_r:courier_tcpd_t 4625 ? 00:00:00 couriertcpd
system_u:system_r:courier_tcpd_t 4627 ? 00:00:00 courierlogger


I will btw post it on bugzilla when this is over.

Julien Thomas.

julien.thomas@×××××××××××××.fr wrote:

> In fact, I think that there is no problem with portmap as I got
> mv1 sbin # ls -lZ port*
> -rwxr-xr-x root root system_u:object_r:portmap_exec_t portmap
>
> However, other binaries such as rpc.* or others are labelled as bin_t
> which is not correct, I think.
>
> But as I work with managed SELinux (2006+), I do not have the src
> directories and thus policy/ subdirectories ... So I'm quite blocked
> here:
> my filesystem is not correctly labelled and I cannot find which labels
> I should have!
>
> Is there a way to get this information?
>
> Chris PeBenito <pebenito@g.o> wrote:
>
>> On Wed, 2007-08-01 at 11:53 +0200, julien.thomas@×××××××××××××.fr wrote:
>>> Thanks for the tip with ssh. This works really well now.
>>>
>>> Unfortunately, it is not the only error I got with SELinux.
>>> Some files were not correctly labelled (though I don't know how many
>>> rlpkg -ar were done ...)
>>>
>>> For example here is a result of audit2allow. But the most important
>>> problem, I think, is the network errors with for example allow
>>> kernel_t lo_node_t:node udp_recv.
>>>
>>> For a full example, I have added the kernel messages
>>> (/var/log/kern.log | grep portmap) produced by the portmap daemon. I
>>> think that it's a recurrent error that is not produced by the daemon
>>> but more by a wrong network/kernel labelling/policy.
>>>
>>> If someone has any clue about this, I will take it as I cannot find
>>> any relevant information on the web.
>>
>> At a minimum, the portmap service is running in the wrong domain:
>>
>>> allow initrc_t inaddr_any_node_t:tcp_socket node_bind;
>>> allow initrc_t pop_port_t:tcp_socket name_bind;
>>> allow initrc_t unspec_node_t:tcp_socket node_bind;
>>> allow initrc_t var_lib_t:sock_file { create rename setattr unlink };
>>
>> --
>> Chris PeBenito
>> <pebenito@g.o>
>> Developer,
>> Hardened Gentoo Linux
>>
>> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
>> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
>>
>
>
>
> --
> gentoo-hardened@g.o mailing list