Bug 1301516 - mimedefang processes run as unconfined_service_t because their wrapper has bin_t
mimedefang processes run as unconfined_service_t because their wrapper has bin_t
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-25 04:31 EST by Milos Malik
Modified: 2016-11-03 22:40 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-81.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 22:40:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2016-01-25 04:31:58 EST
Description of problem:
* the mimedefang service file uses a wrapper which is labeled bin_t, therefore the mimedefang process ends up running as unconfined_service_t even if it should be confined

# grep Exec /usr/lib/systemd/system/mimedefang.service 
ExecStart=/usr/libexec/mimedefang-wrapper start
ExecReload=/usr/libexec/mimedefang-wrapper reload
# matchpathcon `which mimedefang`
/usr/bin/mimedefang	system_u:object_r:spamd_exec_t:s0
#

Version-Release number of selected component (if applicable):
mimedefang-2.78-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7.2 machine with active targeted policy
2. start the mimedefang service
3. ps -efZ | grep mimedefang
system_u:system_r:unconfined_service_t:s0 defang 32613 1  0 04:28 ?    00:00:00 /usr/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -m 2 -x 10 -y 0 -U defang -b 600 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock
system_u:system_r:unconfined_service_t:s0 defang 32614 32613  0 04:28 ? 00:00:00 /usr/bin/perl /usr/bin/mimedefang.pl -server
system_u:system_r:unconfined_service_t:s0 defang 32629 1  0 04:28 ?    00:00:00 /usr/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -y -R -1 -U defang -q -p /var/spool/MIMEDefang/mimedefang.sock
system_u:system_r:unconfined_service_t:s0 defang 32631 32613  1 04:28 ? 00:00:00 /usr/bin/perl /usr/bin/mimedefang.pl -server

Actual results:
# matchpathcon /usr/libexec/mimedefang-wrapper 
/usr/libexec/mimedefang-wrapper	system_u:object_r:bin_t:s0
#

Expected results:
# matchpathcon /usr/libexec/mimedefang-wrapper 
/usr/libexec/mimedefang-wrapper	system_u:object_r:spamd_exec_t:s0
#
Comment 5 errata-xmlrpc 2016-11-03 22:40:49 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.