Bug 1301516 - mimedefang processes run as unconfined_service_t because their wrapper has bin_t
mimedefang processes run as unconfined_service_t because their wrapper has bin_t
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
Depends On:
  Show dependency treegraph
Reported: 2016-01-25 04:31 EST by Milos Malik
Modified: 2016-11-03 22:40 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-81.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-03 22:40:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2016-01-25 04:31:58 EST
Description of problem:
* the mimedefang service file uses a wrapper which is labeled bin_t, therefore the mimedefang process ends up running as unconfined_service_t even if it should be confined

# grep Exec /usr/lib/systemd/system/mimedefang.service 
ExecStart=/usr/libexec/mimedefang-wrapper start
ExecReload=/usr/libexec/mimedefang-wrapper reload
# matchpathcon `which mimedefang`
/usr/bin/mimedefang	system_u:object_r:spamd_exec_t:s0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. get a RHEL-7.2 machine with active targeted policy
2. start the mimedefang service
3. ps -efZ | grep mimedefang
system_u:system_r:unconfined_service_t:s0 defang 32613 1  0 04:28 ?    00:00:00 /usr/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang/mimedefang-multiplexor.pid -m 2 -x 10 -y 0 -U defang -b 600 -l -s /var/spool/MIMEDefang/mimedefang-multiplexor.sock
system_u:system_r:unconfined_service_t:s0 defang 32614 32613  0 04:28 ? 00:00:00 /usr/bin/perl /usr/bin/mimedefang.pl -server
system_u:system_r:unconfined_service_t:s0 defang 32629 1  0 04:28 ?    00:00:00 /usr/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -m /var/spool/MIMEDefang/mimedefang-multiplexor.sock -y -R -1 -U defang -q -p /var/spool/MIMEDefang/mimedefang.sock
system_u:system_r:unconfined_service_t:s0 defang 32631 32613  1 04:28 ? 00:00:00 /usr/bin/perl /usr/bin/mimedefang.pl -server

Actual results:
# matchpathcon /usr/libexec/mimedefang-wrapper 
/usr/libexec/mimedefang-wrapper	system_u:object_r:bin_t:s0

Expected results:
# matchpathcon /usr/libexec/mimedefang-wrapper 
/usr/libexec/mimedefang-wrapper	system_u:object_r:spamd_exec_t:s0
Comment 5 errata-xmlrpc 2016-11-03 22:40:49 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.