Description of problem:
Cannot execute locally installed daemon (pysieved) from stunnel.

2008.08.30 11:15:34 LOG5[9666:3085969104]: stunnel 4.15 on i686-redhat-linux-gnu with OpenSSL 0.9.8b 04 May 2006
2008.08.30 11:15:34 LOG5[9666:3085969104]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.08.30 11:15:34 LOG5[9666:3085969104]: stunnel connected from 70.85.129.103:39222
2008.08.30 11:15:34 LOG3[9668:3085969104]: /usr/local/lib/pysieved/pysieved.py: Permission denied (13)
2008.08.30 11:15:34 LOG5[9666:3085969104]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-143

How reproducible:
Always

Steps to Reproduce:
1. Install pysieved in /usr/local/lib/pysieved as described in the tarball available here: http://www.woozle.org/~neale/src/pysieved/ (AFAICT, pysieved's STARTTLS doesn't actually work...)
2. Pick a socket and add it to /etc/services:

   sieves 32000/tcp # Sieve Mail Filter Daemon (SSL)
   sieves 32000/udp # Sieve Mail Filter Daemon (SSL)

3. Set up xinetd accordingly:

   service sieves
   {
       disable = no
       socket_type = stream
       wait = no
       user = root
       group = root
       server = /usr/sbin/stunnel
       server_args = /etc/stunnel/sieves.conf
       # only_from = 127.0.0.1
       log_on_failure += USERID
   }

4. Attempt to connect with openssl s_client:

   openssl s_client -connect your.host.name:32000 -crlf -tls1

Actual results:
type=AVC msg=audit(1220109334.374:78913): avc: denied { execute } for pid=9668 comm="stunnel" name="pysieved.py" dev=dm-0 ino=4587607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1220109334.374:78913): arch=40000003 syscall=11 success=no exit=-13 a0=84fb078 a1=84fb0d0 a2=bfe72490 a3=bfe71300 items=0 ppid=9666 pid=9668 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

Expected results:
Successful connection, nothing in audit.log (which is what I get with `setenforce 0`).

Additional info:
I suspect the cure is available in the thread here: https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00078.html
Can we have that solution (or the equivalent) in the RHEL5 policy?
Forgot the contents of /etc/stunnel/sieves.conf:

cert = /etc/pki/tls/certs/sieves.pem
key = /etc/pki/tls/private/sieves.pem
exec = /usr/local/lib/pysieved/pysieved.py
execargs = /usr/local/lib/pysieved/pysieved.py --inetd
Does

# restorecon -R -v /usr/local

fix the problem?
No, sorry...

[root@charlotte ~]# restorecon -R -v /usr/local/
[root@charlotte ~]# tail -f /var/log/audit/audit.log | grep stunn
type=AVC msg=audit(1220387571.412:94093): avc: denied { execute_no_trans } for pid=5388 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1220387571.412:94093): arch=40000003 syscall=11 success=no exit=-13 a0=8dad078 a1=8dad0e0 a2=bfd74b90 a3=bfd73a00 items=0 ppid=5386 pid=5388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

(Changed the name of the .py file for administrative reasons, otherwise it is the same as when I opened the bug...)
Does

# chcon -R -t bin_t /usr/local/lib/pysieved

fix the problem? You can make this permanent by executing

# semanage fcontext -a -t bin_t '/usr/local/lib/pysieved(/.*)?'

If this works I can add this labeling to the policy package.
Doesn't like that one either...

[root@charlotte ~]# chcon -R -t bin_t /usr/local/lib/pysieved/
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220450311.221:97676): avc: denied { search } for pid=20837 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450311.221:97676): arch=40000003 syscall=11 success=no exit=-13 a0=8732078 a1=87320e0 a2=bf80b630 a3=bf80a4a0 items=0 ppid=20835 pid=20837 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

And just for verification, I repeated w/ "setenforce 0" and the connection was fine:

[root@charlotte ~]# setenforce 0
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220450863.000:97729): avc: denied { search } for pid=21204 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220450863.000:97729): avc: denied { execute } for pid=21204 comm="stunnel" name="pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { execute_no_trans } for pid=21204 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { read } for pid=21204 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { read } for pid=21204 comm="stunnel" name="env" dev=dm-0 ino=4170776 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1220450863.000:97729): avc: denied { execute } for pid=21204 comm="stunnel" name="env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { read } for pid=21204 comm="stunnel" path="/bin/env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.000:97729): arch=40000003 syscall=11 success=yes exit=0 a0=9267080 a1=92670e8 a2=bfe28140 a3=bfe26fb0 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.002:97730): avc: denied { search } for pid=21204 comm="pysieved-stunne" name="sbin" dev=dm-0 ino=7766017 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450863.002:97730): arch=40000003 syscall=11 success=no exit=-2 a0=bfb10f98 a1=bfb110d8 a2=bfb110e8 a3=bfb11f3c items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.002:97731): avc: denied { execute_no_trans } for pid=21204 comm="pysieved-stunne" path="/usr/bin/python" dev=dm-0 ino=4168607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.002:97731): arch=40000003 syscall=11 success=yes exit=0 a0=bfb10f95 a1=bfb110d8 a2=bfb110e8 a3=bfb11f51 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.004:97732): avc: denied { getattr } for pid=21204 comm="python" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.004:97732): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfbb9874 a2=b5aff4 a3=0 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.005:97733): avc: denied { getattr } for pid=21204 comm="python" path="/usr/bin/python" dev=dm-0 ino=4168607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.005:97733): arch=40000003 syscall=195 success=yes exit=0 a0=cc0400 a1=bfbb8a84 a2=b5aff4 a3=4 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.021:97734): avc: denied { getattr } for pid=21204 comm="python" path="/usr/local/lib/pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450863.021:97734): arch=40000003 syscall=196 success=yes exit=0 a0=8f42c48 a1=bfbb9748 a2=b5aff4 a3=bfbb9ef3 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.021:97735): avc: denied { ioctl } for pid=21204 comm="python" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.021:97735): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfbb9738 a3=bfbb9778 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.146:97736): avc: denied { search } for pid=21204 comm="python" name="dovecot" dev=dm-0 ino=6751028 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=dir
type=AVC msg=audit(1220450863.146:97736): avc: denied { dac_override } for pid=21204 comm="python" capability=1 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1220450863.146:97736): avc: denied { write } for pid=21204 comm="python" name="auth-client" dev=dm-0 ino=6751100 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220450863.146:97736): avc: denied { connectto } for pid=21204 comm="python" path="/var/run/dovecot/auth-client" scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:system_r:dovecot_auth_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1220450863.146:97736): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfbb75c0 a2=352118 a3=b7efff38 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

(The dovecot bits are there because pysieved talks to dovecot for some auth- and user-related services...)

Hth! Thanks!
Does

# chcon -R -t inetd_child_exec_t /usr/local/lib/pysieved

fix the problem? You can make this permanent by executing

# semanage fcontext -a -t inetd_child_exec_t '/usr/local/lib/pysieved(/.*)?'

If this works I can add this labeling to the policy package.
Lather, rinse,... :-)

[root@charlotte ~]# chcon -R -t inetd_child_exec_t /usr/local/lib/pysieved
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220464253.175:98232): avc: denied { search } for pid=25210 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inetd_child_exec_t:s0 tclass=dir
type=SYSCALL msg=audit(1220464253.175:98232): arch=40000003 syscall=11 success=no exit=-13 a0=9a75078 a1=9a750e0 a2=bfff1e10 a3=bfff0c80 items=0 ppid=25208 pid=25210 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
Ok, this should work:

# restorecon -R -v /usr/local/lib/pysieved
# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved.py
Fixed in selinux-policy-2.4.6-152.el5
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Hmmm...do I need the updated selinux-policy package for that to work?

[root@charlotte ~]# restorecon -R -v /usr/local/lib/pysieved/
restorecon reset /usr/local/lib/pysieved/pysieved.py context system_u:object_r:inetd_child_exec_t:s0->system_u:object_r:lib_t:s0
[root@charlotte ~]# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved.py
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220467354.839:98380): avc: denied { execute_no_trans } for pid=26443 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1220467354.839:98380): arch=40000003 syscall=11 success=no exit=-13 a0=892c078 a1=892c0e0 a2=bf959f80 a3=bf958df0 items=0 ppid=26441 pid=26443 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
Set its context to inetd_child_exec_t also:

chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved-stunnel.py
Ah, I tricked myself with the pysieved-stunnel.py name. Oh well, that does look (incomprehensibly) different! :-)

[root@charlotte ~]# restorecon -R -v /usr/local/
[root@charlotte ~]# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved-stunnel.py
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220483897.055:98876): avc: denied { search } for pid=30672 comm="stunnel" name="bin" dev=dm-0 ino=4161546 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220483897.055:98876): arch=40000003 syscall=11 success=no exit=-13 a0=8b8e078 a1=8b8e0e0 a2=bfd5ab80 a3=bfd599f0 items=0 ppid=30670 pid=30672 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
As requested offline, the audit.log entries I get now w/ setenforce 0:

type=AVC msg=audit(1220539210.157:100337): avc: denied { search } for pid=9957 comm="stunnel" name="bin" dev=dm-0 ino=4161546 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220539210.157:100337): avc: denied { read } for pid=9957 comm="stunnel" name="env" dev=dm-0 ino=4170776 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1220539210.157:100337): avc: denied { execute } for pid=9957 comm="stunnel" name="env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220539210.157:100337): avc: denied { read } for pid=9957 comm="stunnel" path="/bin/env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220539210.157:100337): arch=40000003 syscall=11 success=yes exit=0 a0=9419080 a1=94190e8 a2=bf848920 a3=bf847790 items=0 ppid=9955 pid=9957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:inetd_child_t:s0-s0:c0.c1023 key=(null)
ps -eZ | grep pysieved gives nothing. ps -eZ | grep python gives this:

[root@charlotte ~]# ps -eZ | grep python
user_u:system_r:inetd_child_t:SystemLow-SystemHigh 10120 ? 00:00:00 python
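An added example, not from this bug report or from the selinux-policy package: it reads AVC records of the format pasted in this thread, prints the denied permission with the source and target types (the target type is the file label each relabel attempt above changed), and turns exec denials on files into the file-level semanage fcontext / restorecon relabel the thread converges on. The sample records and the /PATH/TO/ placeholder are constructed; the commands are printed, not run.

```shell
#!/bin/sh
# Added example, not from the bug report: summarise AVC records of the kind pasted in this
# thread and turn exec denials into the relabel commands the thread arrives at.
# The sample records below are constructed from the format seen above.
AVC_SAMPLE='type=AVC msg=audit(1220109334.374:78913): avc: denied { execute } for pid=9668 comm="stunnel" name="pysieved.py" dev=dm-0 ino=4587607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1220109334.374:78913): arch=40000003 syscall=11 success=no exit=-13 comm="stunnel" exe="/usr/sbin/stunnel"
type=AVC msg=audit(1220450311.221:97676): avc: denied { search } for pid=20837 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220467354.839:98380): avc: denied { execute_no_trans } for pid=26443 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# Print "perm source_type target_type tclass object" for each AVC record on stdin.
# The target type column is the label SELinux actually saw on the object, which is
# what every round of this thread hinged on (user_home_t, lib_t, bin_t, inetd_child_exec_t).
summarize_avc() {
  awk '/^type=AVC / {
    perm = $0; sub(/.*denied [{] /, "", perm); sub(/ [}].*/, "", perm)
    src = tgt = cls = obj = "?"
    for (i = 1; i <= NF; i++) {
      n = index($i, "="); if (n == 0) continue
      k = substr($i, 1, n - 1); v = substr($i, n + 1)
      if (k == "scontext") { split(v, c, ":"); src = c[3] }
      else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
      else if (k == "tclass") cls = v
      else if (k == "name" || k == "path") { gsub(/"/, "", v); obj = v }
    }
    print perm, src, tgt, cls, obj
  }'
}

# Keep only exec denials on files: the ones a file relabel addresses. A search denial
# on the directory (bin_t, inetd_child_exec_t above) needed a policy change instead.
exec_denials() {
  summarize_avc | awk '($1 == "execute" || $1 == "execute_no_trans") && $4 == "file"'
}

# For each exec denial emit, as text only, the file-level relabel from the thread:
# semanage fcontext makes it permanent, restorecon applies it. Records that carry
# only name= get a /PATH/TO/ placeholder (constructed) the admin has to fill in.
suggest_relabel() {
  exec_denials | awk '{
    p = $5; if (p !~ /^\//) p = "/PATH/TO/" p
    printf "semanage fcontext -a -t inetd_child_exec_t \047%s\047\nrestorecon -v \047%s\047\n", p, p
  }'
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | suggest_relabel
```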
Fixed in selinux-policy-2.4.6-153.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html