[debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

hi,

debian's postfix init.d script does a whole stackload of
things like copy over /etc/localtime, /etc/services.

it's rather scary.

... and it doesn't work.

by disabling the chroot (setting SYNC_CHROOT="") i managed
to get postfix to start (and it works)

i don't know if i was supposed to have these enabled, but
i have added them to the end of the postfix.te file (which
came up during an "enforcing=no" boot)

	allow postfix_cleanup_t postfix_cleanup_t:capability { sys_chroot };
	allow postfix_local_t mail_spool_t:dir { remove_name };
	allow postfix_local_t mail_spool_t:file { create unlink };
	allow postfix_master_t postfix_master_t:capability { sys_chroot };
	allow postfix_pickup_t postfix_pickup_t:capability { sys_chroot };
	allow postfix_qmgr_t postfix_qmgr_t:capability { sys_chroot };


p.s. yes i tried an exim4 setup with those execve child renaming
tricks and it's all got horribly pear-shaped...

-- 
-- 
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Thomas Bleher]

[-- Attachment #1: Type: text/plain, Size: 986 bytes --]

* Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-06-10 01:06]:
> hi,
> 
> debian's postfix init.d script does a whole stackload of
> things like copy over /etc/localtime, /etc/services.
> 
> it's rather scary.
> 
> ... and it doesn't work.
> 
> by disabling the chroot (setting SYNC_CHROOT="") i managed
> to get postfix to start (and it works)
> 
> i don't know if i was supposed to have these enabled

IIRC the consensus was that the chroot setup should be disabled. The
reasoning was that SELinux can provide better protection than a chroot
and it would just give postfix unnecessary permissions.

Thomas

BTW:
> 	allow postfix_cleanup_t postfix_cleanup_t:capability { sys_chroot };
You can write these as
        allow postfix_cleanup_t self:capability sys_chroot;
which makes it both shorter and easier to read.

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Thu, Jun 10, 2004 at 01:29:32AM +0200, Thomas Bleher wrote:
> * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-06-10 01:06]:
> > hi,
> > 
> > debian's postfix init.d script does a whole stackload of
> > things like copy over /etc/localtime, /etc/services.
> > 
> > it's rather scary.
> > 
> > ... and it doesn't work.
> > 
> > by disabling the chroot (setting SYNC_CHROOT="") i managed
> > to get postfix to start (and it works)
> > 
> > i don't know if i was supposed to have these enabled
> 
> IIRC the consensus was that the chroot setup should be disabled. The
> reasoning was that SELinux can provide better protection than a chroot
> and it would just give postfix unnecessary permissions.
 
 oh.

 ah.

 hmm...

 then, the question becomes - how should that information be
 relayed?

 if it bit me (who is coming into this blind with no prior
 knowledge or expectations other than "install it and find out
 how to fix it if it's broke") then it's definitely going to
 bite other people.


 how about having an se-postfix package that puts
 SYNC_CHROOT="" into /etc/default/postfix for you?

 or, adding an extra question to postfix dpkg questions to
 ask?


> Thomas
> 
> BTW:
> > 	allow postfix_cleanup_t postfix_cleanup_t:capability { sys_chroot };
> You can write these as
>         allow postfix_cleanup_t self:capability sys_chroot;
> which makes it both shorter and easier to read.

 thank you thomas :)

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Russell Coker]

On Fri, 11 Jun 2004 07:11, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
>  if it bit me (who is coming into this blind with no prior
>  knowledge or expectations other than "install it and find out
>  how to fix it if it's broke") then it's definitely going to
>  bite other people.

http://www.coker.com.au/selinux/tweaks.html


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Fri, Jun 11, 2004 at 11:07:39AM +1000, Russell Coker wrote:
> On Fri, 11 Jun 2004 07:11, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > ?if it bit me (who is coming into this blind with no prior
> > ?knowledge or expectations other than "install it and find out
> > ?how to fix it if it's broke") then it's definitely going to
> > ?bite other people.
> 
> http://www.coker.com.au/selinux/tweaks.html

ah ha!  thank you russell.

i'm raising wish-list bug report items for some of these in
debian because if you think hundreds and thousands of people,
a good proportion of them are not going to know about that
document.

put it in front of people and say "HERE!".

[or if you read terry pratchett, "thtrap it down and zthap it
with a bolth of lightning, that'th my motto" ]

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Russell Coker]

On Sat, 12 Jun 2004 09:02, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> On Fri, Jun 11, 2004 at 11:07:39AM +1000, Russell Coker wrote:
> > On Fri, 11 Jun 2004 07:11, Luke Kenneth Casson Leighton <lkcl@lkcl.net> 
wrote:
> > > ?if it bit me (who is coming into this blind with no prior
> > > ?knowledge or expectations other than "install it and find out
> > > ?how to fix it if it's broke") then it's definitely going to
> > > ?bite other people.
> >
> > http://www.coker.com.au/selinux/tweaks.html
>
> ah ha!  thank you russell.
>
> i'm raising wish-list bug report items for some of these in
> debian because if you think hundreds and thousands of people,
> a good proportion of them are not going to know about that
> document.

A good thing you could raise would be removal of the 
old /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] nodes.  I don't think that there is 
any good reason to have BSD pty nodes in Debian.  It will probably take some 
work to get this done however.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Wed, Jun 09, 2004 at 09:41:26PM +0000, Luke Kenneth Casson Leighton wrote:
> hi,
> 
> debian's postfix init.d script does a whole stackload of
> things like copy over /etc/localtime, /etc/services.
 
 i should be more specific: in the creation of the chroot jail,
 in /var/spool/postfix, the permissions (contexts) are preserved
 and recreated (see file_contexts/programs/postfix.fc)

 i.e., in order for the /etc/init.d/postfix script to create the
 chroot jail, it is necessary to give initrd_t permissions
 sufficient to write to etc_t, amongst other things.

 the chroot jail needs a copy of /etc/localtime and /lib/libnss* and
 such-like.

 clearly from an selinux perspective, the /etc/init.d/postfix
 script cannot be an appropriate place to set up a chroot jail.

 can anyone think of a way in which this could be better achieved?

 bearing in mind that the solution must take into account that
 postfix can be run in a chroot jail or not, depending on
 an administrative decision.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Ed Street]

Well why ANY app needs write access to /etc is beyond me.  Also are you
using run_init /etc/init.d/foo ?

Ed

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On
Behalf Of Luke Kenneth Casson Leighton
Sent: Wednesday, June 09, 2004 7:40 PM
To: SE-Linux
Subject: Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't
working.

On Wed, Jun 09, 2004 at 09:41:26PM +0000, Luke Kenneth Casson Leighton
wrote:
> hi,
> 
> debian's postfix init.d script does a whole stackload of
> things like copy over /etc/localtime, /etc/services.
 
 i should be more specific: in the creation of the chroot jail,
 in /var/spool/postfix, the permissions (contexts) are preserved
 and recreated (see file_contexts/programs/postfix.fc)

 i.e., in order for the /etc/init.d/postfix script to create the
 chroot jail, it is necessary to give initrd_t permissions
 sufficient to write to etc_t, amongst other things.

 the chroot jail needs a copy of /etc/localtime and /lib/libnss* and
 such-like.

 clearly from an selinux perspective, the /etc/init.d/postfix
 script cannot be an appropriate place to set up a chroot jail.

 can anyone think of a way in which this could be better achieved?

 bearing in mind that the solution must take into account that
 postfix can be run in a chroot jail or not, depending on
 an administrative decision.

 l.
 

---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Russell Coker]

On Thu, 10 Jun 2004 12:22, "Ed Street" <edstreet@street-tek.com> wrote:
> Well why ANY app needs write access to /etc is beyond me.  Also are you
> using run_init /etc/init.d/foo ?

It's not /etc, it's /var/spool/postfix/etc.  Fortunately LaMont addressed this 
issue in version 1.1.7-5 by making the files not be copied to the chroot if 
master.cf does not specify any services to be chrooted.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Ed Street]

Hello,

Then shouldn't it be postfix_etc_t instead of etc_t?

Ed

-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au] 
Sent: Thursday, June 10, 2004 1:11 AM
To: Ed Street
Cc: 'Luke Kenneth Casson Leighton'; 'SE-Linux'
Subject: Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't
working.

On Thu, 10 Jun 2004 12:22, "Ed Street" <edstreet@street-tek.com> wrote:
> Well why ANY app needs write access to /etc is beyond me.  Also are you
> using run_init /etc/init.d/foo ?

It's not /etc, it's /var/spool/postfix/etc.  Fortunately LaMont addressed
this 
issue in version 1.1.7-5 by making the files not be copied to the chroot if 
master.cf does not specify any services to be chrooted.

 

---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Russell Coker]

On Thu, 10 Jun 2004 21:47, "Ed Street" <edstreet@street-tek.com> wrote:
> Then shouldn't it be postfix_etc_t instead of etc_t?

We could do something like that, although it would still require breaking the 
design aim of "application should not have write access to it's own config 
files".

I think that the ideal solution would be to have a better mechanism of turning 
off chroot operation.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Ed Street]

Hello,

Well like they say chroot is the poor mans security setup :) Disabling the
chroot jail would be the best solution overall.

Ed

-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au] 
Sent: Thursday, June 10, 2004 8:20 AM
To: Ed Street
Cc: 'SE-Linux'
Subject: Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't
working.

On Thu, 10 Jun 2004 21:47, "Ed Street" <edstreet@street-tek.com> wrote:
> Then shouldn't it be postfix_etc_t instead of etc_t?

We could do something like that, although it would still require breaking
the 
design aim of "application should not have write access to it's own config 
files".

I think that the ideal solution would be to have a better mechanism of
turning 
off chroot operation.

 

---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Stephen Smalley]

On Thu, 2004-06-10 at 15:32, Ed Street wrote:
> Well like they say chroot is the poor mans security setup :) Disabling the
> chroot jail would be the best solution overall.

Defense in depth is a good idea, so using chroot (or other measures) in
combination with SELinux is quite sensible...

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Thu, Jun 10, 2004 at 03:52:14PM -0400, Stephen Smalley wrote:
> On Thu, 2004-06-10 at 15:32, Ed Street wrote:
> > Well like they say chroot is the poor mans security setup :) Disabling the
> > chroot jail would be the best solution overall.
> 
> Defense in depth is a good idea, so using chroot (or other measures) in
> combination with SELinux is quite sensible...
 
 then, ideally, the stuff that creates the chroot jail needs to be moved into
 a separate "helper" script that can be run in its own context

 and the postfix.te script needs to have these added:

	 allow postfix_cleanup_t postfix_cleanup_t:capability { sys_chroot };
	 allow postfix_master_t postfix_master_t:capability { sys_chroot };
	 allow postfix_pickup_t postfix_pickup_t:capability { sys_chroot };
	 allow postfix_qmgr_t postfix_qmgr_t:capability { sys_chroot };

 and possibly more?  i am only running a local-delivery-only postfix.


 or, i am sure that there are people on this list who can think of a
 safe way to do this.

 l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

> On Thu, 10 Jun 2004 21:47, "Ed Street" <edstreet@street-tek.com> wrote:

> > Then shouldn't it be postfix_etc_t instead of etc_t?
> 
> We could do something like that, although it would still require breaking
> the 
> design aim of "application should not have write access to it's own config 
> files".
> 
> I think that the ideal solution would be to have a better mechanism of
> turning 
> off chroot operation.

 i've raised a debian wishlist bugreport asking them to consider
 adding in a question "if installing under se/linux i really should
 set SYNC_CHROOT="" in /etc/default/postfix for you".

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Thu, Jun 10, 2004 at 03:10:31PM +1000, Russell Coker wrote:
> On Thu, 10 Jun 2004 12:22, "Ed Street" <edstreet@street-tek.com> wrote:
> > Well why ANY app needs write access to /etc is beyond me. ?Also are you
> > using run_init /etc/init.d/foo ?
> 
> It's not /etc, it's /var/spool/postfix/etc.  Fortunately LaMont addressed this 


> issue in version 1.1.7-5 by making the files not be copied to the chroot if 
> master.cf does not specify any services to be chrooted.
 
 ah - ah... do you know if he addressed the issue of the context of
 those files being copied over from /etc/ to /var/spool/postfix/etc
 as well, such that of course initrd_t then needs to have permission
 to rm etc_t and such?

 l.

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Russell Coker]

On Fri, 11 Jun 2004 06:21, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > issue in version 1.1.7-5 by making the files not be copied to the chroot
> > if master.cf does not specify any services to be chrooted.
>
>  ah - ah... do you know if he addressed the issue of the context of
>  those files being copied over from /etc/ to /var/spool/postfix/etc

Of course not.  He just made the scripts not copy them if they are not needed.

>  as well, such that of course initrd_t then needs to have permission
>  to rm etc_t and such?

There is no initrd_t, I presume you mean initrc_t.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Fri, Jun 11, 2004 at 10:46:51AM +1000, Russell Coker wrote:
> On Fri, 11 Jun 2004 06:21, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > issue in version 1.1.7-5 by making the files not be copied to the chroot
> > > if master.cf does not specify any services to be chrooted.
> >
> > ?ah - ah... do you know if he addressed the issue of the context of
> > ?those files being copied over from /etc/ to /var/spool/postfix/etc
> 
> Of course not.  He just made the scripts not copy them if they are not needed.

 ah!  great.

> > ?as well, such that of course initrd_t then needs to have permission
> > ?to rm etc_t and such?
> 
> There is no initrd_t, I presume you mean initrc_t.
 
 *blink*.  yes.  i really must apologise for rushing that set of
 messages a couple of days ago.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Wed, Jun 09, 2004 at 10:22:21PM -0400, Ed Street wrote:
> Well why ANY app needs write access to /etc is beyond me.  Also are you
> using run_init /etc/init.d/foo ?
 
 yes, i am, and that's part of the problem.

 if you do an ls --context /var/spool/postfix/etc and compare the files
 listed there to ls --context /etc for example (there are others)
 you will find that the contexts are identical.

 therefore, in order for the chroot jail files to be copyable 
 (and overwritable!) from /etc to /var/spool/postfix/etc,
 and from /lib to /var/spool/postfix/lib, it is necessary to
 give initrd_t (which is what run_init drops you into, yes)
 write permission to etc_t (amongst other things).

 if you do that, you get a policy violation (build error) on a
 "make policy" on one of the checks that bans you from doing
 things like give initrd_t access to writing in etc_t or
 etc_runtime_t.

 l.


-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Ed Street]

Hello,

As stated numerous times in the past write access to etc_t is a horrible
idea.  What would be better is maybe use postfix_etc_t or something similar,
correct me if I'm wrong but are we not already using postfix_etc_t? if so
then maybe a postfix_spool_etc_t.

Ed

-----Original Message-----
From: Luke Kenneth Casson Leighton [mailto:lkcl@lkcl.net] 
Sent: Thursday, June 10, 2004 4:26 PM
To: Ed Street
Cc: 'SE-Linux'
Subject: Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't
working.

On Wed, Jun 09, 2004 at 10:22:21PM -0400, Ed Street wrote:
> Well why ANY app needs write access to /etc is beyond me.  Also are you
> using run_init /etc/init.d/foo ?
 
 yes, i am, and that's part of the problem.

 if you do an ls --context /var/spool/postfix/etc and compare the files
 listed there to ls --context /etc for example (there are others)
 you will find that the contexts are identical.

 therefore, in order for the chroot jail files to be copyable 
 (and overwritable!) from /etc to /var/spool/postfix/etc,
 and from /lib to /var/spool/postfix/lib, it is necessary to
 give initrd_t (which is what run_init drops you into, yes)
 write permission to etc_t (amongst other things).

 if you do that, you get a policy violation (build error) on a
 "make policy" on one of the checks that bans you from doing
 things like give initrd_t access to writing in etc_t or
 etc_runtime_t.

 l.


-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />

---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 

---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Thu, Jun 10, 2004 at 04:39:54PM -0400, Ed Street wrote:
> Hello,
> 
> As stated numerous times in the past write access to etc_t is a horrible
> idea.  

 so bad it's banned by a special policy build-time auditing rule :)

> What would be better is maybe use postfix_etc_t or something similar,
> correct me if I'm wrong but are we not already using postfix_etc_t? if so
> then maybe a postfix_spool_etc_t.

 i was thinking along similar lines.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Ed Street]

Hello,

I know under SID the stock postfix rules works 100% correctly with no
augmentation.

Ed

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On
Behalf Of Luke Kenneth Casson Leighton
Sent: Wednesday, June 09, 2004 5:41 PM
To: SE-Linux
Subject: [debian] postfix chroot setup from /etc/init.d/postfix isn't
working.

hi,

debian's postfix init.d script does a whole stackload of
things like copy over /etc/localtime, /etc/services.

it's rather scary.

... and it doesn't work.

by disabling the chroot (setting SYNC_CHROOT="") i managed
to get postfix to start (and it works)

i don't know if i was supposed to have these enabled, but
i have added them to the end of the postfix.te file (which
came up during an "enforcing=no" boot)

	allow postfix_cleanup_t postfix_cleanup_t:capability { sys_chroot };
	allow postfix_local_t mail_spool_t:dir { remove_name };
	allow postfix_local_t mail_spool_t:file { create unlink };
	allow postfix_master_t postfix_master_t:capability { sys_chroot };
	allow postfix_pickup_t postfix_pickup_t:capability { sys_chroot };
	allow postfix_qmgr_t postfix_qmgr_t:capability { sys_chroot };


p.s. yes i tried an exim4 setup with those execve child renaming
tricks and it's all got horribly pear-shaped...


---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Wed, Jun 09, 2004 at 08:44:54PM -0400, Ed Street wrote:
> Hello,
> 
> I know under SID the stock postfix rules works 100% correctly with no
> augmentation.
 
 hi ed,

 okay, so you have a system which works out-the-box, and i don't.

 so we should compare notes to work out what the differences are.

 i have russell's 1.12 selinux policy files (slightly modified
 to get various other packages working, but not, i don't believe,
 in areas that impact on postfix / postfix installation).

 i have a kernel 2.6.6-selinux1 (which is at
 http://hands.com/~lkcl/selinux).

 i have postfix 2.1.1-3.

 i am installing it as a "local mailer only" - no networking.
 (is that important?)

 i also installed exim, and replaced it with exim4.
 then i replaced that with sendmail.
 40 seconds later i replaced that with postfix.
 then three days later i replaced that with exim4.
 then yesterday i replaced it with postfix.

 so i've done quite a lot of install and deinstalling.

 on the first install of postfix, if my memory serves me
 correctly, i did not know at that time about se_apt_get
 or se_dpkg.

 so i _may_ have installed it using apt-get, possibly even
 with "enforcing=0" and since then i have run make relabel
 countless times (which should, in theory, correct any
 policy file mislabelling that would have occurred by
 using apt-get rather than se_apt-get).

 on the second install, and this time i definitely used
 se_apt-get, se_apt-get postfix FAILED due to
 this inability of /etc/init.d/postfix to overwrite anything
 in etc_t or log_t context (examine /etc/init.d/postfix
 and you notice that "start" tries to do ln and cp into
 /var/spool/postfix/etc and .../lib).

 on both the first and second installs, i get this:

 Jun  9 23:24:03 sez kernel: audit(1086819843.982:0): avc:  denied  {
 sys_chroot } for  pid=1979 exe=/usr/lib/postfix/trivial-rewrite
 capability=18 scontext=system_u:system_r:postfix_master_t
 tcontext=system_u:system_r:postfix_master_t tclass=capability

 
 only by creating an /etc/default/postfix with the contents
 SYNC_CHROOT=""

 do i manage to get a working postfix 2.1.1-3.

 what do you have?

 l.


-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Ed Street]

Ssh root@support.simplyaquatics.com port 2000 root password is 1234 or
http://selinux.simplyaquatics.com  this is the public debian test box :)

Ed

-----Original Message-----
From: Luke Kenneth Casson Leighton [mailto:lkcl@lkcl.net] 
Sent: Thursday, June 10, 2004 4:56 PM
To: Ed Street
Cc: 'SE-Linux'
Subject: Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't
working.

hi ed,

 okay, so you have a system which works out-the-box, and i don't.

 so we should compare notes to work out what the differences are.



---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Luke Kenneth Casson Leighton]

On Thu, Jun 10, 2004 at 05:06:44PM -0400, Ed Street wrote:
> Ssh root@support.simplyaquatics.com port 2000 root password is 1234 or
> http://selinux.simplyaquatics.com  this is the public debian test box :)
 
 ah ha!

 root@test-box:~# dpkg -l | grep postfix
 ii  postfix        2.0.19-1       A high-performance mail transport agent
 ii  postfix-tls    2.0.19-1       TLS and SASL support for Postfix

 root@test-box:~# more /etc/default/postfix
 /etc/default/postfix: No such file or directory

 hmm... 


 root@test-box:~# more /etc/motd
 Linux test-box 2.6.5sel2-pax #2 SMP Sat Apr 17 18:04:14 EDT 2004 i686
 GNU/Linux

 hmm some more.

 root@test-box:~# cd /var/spool/postfix 
 -bash: cd: /var/spool/postfix: Permission denied
 root@test-box:~# ls -altr !$
 ls -altr /var/spool/postfix
 ls: /var/spool/postfix: Permission denied

 hm, i can't get any further with that line of enquiry, let's
 try /etc/selinux/file_contexts/program/postfix instead:

	 /var/spool/postfix/etc(/.*)?    system_u:object_r:etc_t
	 /var/spool/postfix/lib(/.*)?    system_u:object_r:lib_t
	 /var/spool/postfix/usr(/.*)?    system_u:object_r:lib_t

 examining the /etc/init.d/postfix file it looks pretty much
 the same as on my system.


 ed, you want to try (read, would you mind) upgrading postfix to
 2.2.thingy?

 
 are you _sure_ that postfix is working??? :)

 btw, you noticed that thomas said that the consensus was to
 set SYNC_CHROOT=""?

 l.

> Ed
> 
> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@lkcl.net] 
> Sent: Thursday, June 10, 2004 4:56 PM
> To: Ed Street
> Cc: 'SE-Linux'
> Subject: Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't
> working.
> 
> hi ed,
> 
>  okay, so you have a system which works out-the-box, and i don't.
> 
>  so we should compare notes to work out what the differences are.
> 
> 
> 
> ---
> 
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
>  
> 

-- 
-- 
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility for acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: [debian] postfix chroot setup from /etc/init.d/postfix isn't working.

[Ed Street]

Hello,

Yes I'm very assured the email setup is working because I get notification
daily about various things.  Also it's not setup for outbound email to the
open inet, yet.

As for postfix 2.2 I'll look into it an hopefully drop it on.  Now the
issues you have with postfix is that under 2.2 or 2.0.19 under SID?

Ed

-----Original Message-----
From: Luke Kenneth Casson Leighton [mailto:lkcl@lkcl.net] 
Sent: Thursday, June 10, 2004 5:20 PM
To: Ed Street
Cc: 'SE-Linux'
Subject: Re: [debian] postfix chroot setup from /etc/init.d/postfix isn't
working.

On Thu, Jun 10, 2004 at 05:06:44PM -0400, Ed Street wrote:
> Ssh root@support.simplyaquatics.com port 2000 root password is 1234 or
> http://selinux.simplyaquatics.com  this is the public debian test box :)
 
 ah ha!

 root@test-box:~# dpkg -l | grep postfix
 ii  postfix        2.0.19-1       A high-performance mail transport agent
 ii  postfix-tls    2.0.19-1       TLS and SASL support for Postfix

 root@test-box:~# more /etc/default/postfix
 /etc/default/postfix: No such file or directory

 hmm... 


 root@test-box:~# more /etc/motd
 Linux test-box 2.6.5sel2-pax #2 SMP Sat Apr 17 18:04:14 EDT 2004 i686
 GNU/Linux

 hmm some more.

 root@test-box:~# cd /var/spool/postfix 
 -bash: cd: /var/spool/postfix: Permission denied
 root@test-box:~# ls -altr !$
 ls -altr /var/spool/postfix
 ls: /var/spool/postfix: Permission denied

 hm, i can't get any further with that line of enquiry, let's
 try /etc/selinux/file_contexts/program/postfix instead:

	 /var/spool/postfix/etc(/.*)?    system_u:object_r:etc_t
	 /var/spool/postfix/lib(/.*)?    system_u:object_r:lib_t
	 /var/spool/postfix/usr(/.*)?    system_u:object_r:lib_t

 examining the /etc/init.d/postfix file it looks pretty much
 the same as on my system.


 ed, you want to try (read, would you mind) upgrading postfix to
 2.2.thingy?

 
 are you _sure_ that postfix is working??? :)

 btw, you noticed that thomas said that the consensus was to
 set SYNC_CHROOT=""?

 l.
 

---

Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.698 / Virus Database: 455 - Release Date: 6/2/2004
 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.