Description of problem:
* the mimedefang service file uses a wrapper which is labeled bin_t, therefore the mimedefang process ends up running as unconfined_service_t even if it should be confined

# grep Exec /usr/lib/systemd/system/mimedefang.service
ExecStart=/usr/libexec/mimedefang-wrapper start
ExecReload=/usr/libexec/mimedefang-wrapper reload
# matchpathcon `which mimedefang`
/usr/bin/mimedefang system_u:object_r:spamd_exec_t:s0
#

Version-Release number of selected component (if applicable):
mimedefang-2.78-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.2 machine with active targeted policy
2. start the mimedefang service
3. ps -efZ | grep mimedefang
system_u:system_r:unconfined_service_t:s0 defang 32613 1 0 04:28 ? 00:00:00 /usr/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -m 2 -x 10 -y 0 -U defang -b 600 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock
system_u:system_r:unconfined_service_t:s0 defang 32614 32613 0 04:28 ? 00:00:00 /usr/bin/perl /usr/bin/mimedefang.pl -server
system_u:system_r:unconfined_service_t:s0 defang 32629 1 0 04:28 ? 00:00:00 /usr/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -y -R -1 -U defang -q -p /var/spool/MIMEDefang/mimedefang.sock
system_u:system_r:unconfined_service_t:s0 defang 32631 32613 1 04:28 ? 00:00:00 /usr/bin/perl /usr/bin/mimedefang.pl -server

Actual results:
# matchpathcon /usr/libexec/mimedefang-wrapper
/usr/libexec/mimedefang-wrapper system_u:object_r:bin_t:s0
#

Expected results:
# matchpathcon /usr/libexec/mimedefang-wrapper
/usr/libexec/mimedefang-wrapper system_u:object_r:spamd_exec_t:s0
#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html
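
The check this report performs by hand can be scripted to audit other services for the same labeling gap. The following is an added example, not part of the original report or of the mimedefang or selinux-policy packages; the function names are hypothetical and the sample rows are abridged from the report or constructed, as marked in the comments.

```shell
#!/bin/sh
# Added example: find daemons running in unconfined_service_t and the
# bin_t-labeled unit entrypoints that cause it (the case in this report).

# `ps -efZ` layout: LABEL UID PID PPID C STIME TTY TIME CMD...
# First two rows are abridged from the report; the sshd row is constructed.
SAMPLE_PS='system_u:system_r:unconfined_service_t:s0 defang 32613 1 0 04:28 ? 00:00:00 /usr/bin/mimedefang-multiplexor -m 2
system_u:system_r:unconfined_service_t:s0 defang 32629 1 0 04:28 ? 00:00:00 /usr/bin/mimedefang -y -q
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1001 1 0 04:00 ? 00:00:00 /usr/sbin/sshd -D'

# Exec lines of the unit file as shown in the report.
SAMPLE_UNIT='ExecStart=/usr/libexec/mimedefang-wrapper start
ExecReload=/usr/libexec/mimedefang-wrapper reload'

# Read `ps -efZ` rows on stdin; print "PID EXECUTABLE" for every process
# whose SELinux type (third field of the context) is unconfined_service_t.
unconfined_service_procs() {
    awk 'split($1, ctx, ":") >= 3 && ctx[3] == "unconfined_service_t" { print $3, $9 }'
}

# Read a unit file on stdin; print the distinct executables named by its
# Exec*= lines, with systemd prefix characters (-, @, +, !) stripped.
unit_exec_paths() {
    sed -n 's/^Exec[A-Za-z]*=[-@+!]*\([^ ]*\).*/\1/p' | sort -u
}

# Read "PATH CONTEXT" rows (the format matchpathcon prints) on stdin; print
# the paths typed bin_t, i.e. entrypoints with no service-specific label.
entrypoints_labeled_bin_t() {
    awk 'split($2, ctx, ":") >= 3 && ctx[3] == "bin_t" { print $1 }'
}

# On a live system with the SELinux userland tools installed:
#   ps -efZ | unconfined_service_procs
#   unit_exec_paths < /usr/lib/systemd/system/mimedefang.service \
#       | xargs matchpathcon | entrypoints_labeled_bin_t
printf '%s\n' "$SAMPLE_PS" | unconfined_service_procs
printf '%s\n' "$SAMPLE_UNIT" | unit_exec_paths
```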