[DSE-Dev] Bug#738950: selinux-policy-default: mailman qrunner starting in initrc_t
Devin Carraway
devin at debian.org
Fri Feb 14 07:56:43 UTC 2014
Package: selinux-policy-default
Version: 2:2.20140206-1
Severity: normal
mailman's qrunner and friends aren't being properly labelled and so aren't
transitioning properly on startup:
system_u:system_r:initrc_t:s0 3523 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
system_u:system_r:initrc_t:s0 3524 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
system_u:system_r:initrc_t:s0 3525 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
system_u:system_r:initrc_t:s0 3526 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
system_u:system_r:initrc_t:s0 3527 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
system_u:system_r:initrc_t:s0 3528 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
system_u:system_r:initrc_t:s0 3529 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
system_u:system_r:initrc_t:s0 3530 ? S 0:00 /usr/bin/python /var/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
These are actually started via /usr/lib/mailman/bin/mailmanctl. FC rules say to label that as mailman_mail_exec_t and qrunner as mailman_queue_exec_t, but neither is labelled that way with
the mailman module 1.10.0 installed:
-rwxr-xr-x. 1 root list system_u:object_r:bin_t:SystemLow 21412 Feb 3 05:30 /usr/lib/mailman/bin/mailmanctl
-rwxr-xr-x. 1 root list system_u:object_r:bin_t:SystemLow 9612 Feb 3 05:30 /usr/lib/mailman/bin/qrunner
The reason may be that they're losing a specificity contest with a conflicting FC rule; if the .* is removed from the path in the .fc for those files, it gets labelled correctly:
/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.3-9
ii libselinux1 2.2.2-1
ii libsepol1 2.2-1
ii policycoreutils 2.2.5-1
ii python 2.7.5-5
ii selinux-utils 2.2.2-1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.2-1
ii setools 3.3.8-3
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
-- no debconf information
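Added example, not part of the bug report or of the refpolicy/libselinux code: a small Python model of the "specificity contest" described above. It ranks file_contexts specs roughly the way fc_sort does (a literal path beats a regex, then a longer literal stem wins) and picks the winner for the qrunner path; the competing bin_t rule is a constructed stand-in, since the report does not show the real one.

```python
import re

# Any of these characters makes a file_contexts regex "non-literal".
META = re.compile(r"[.^$?*+|\[\](){}\\]")

def parse_spec(line):
    """Parse one file_contexts line: regex, optional file-type field, context."""
    parts = line.split()
    if len(parts) == 3:
        regex, ftype, context = parts
    elif len(parts) == 2:
        (regex, context), ftype = parts, None
    else:
        raise ValueError("malformed spec: %r" % line)
    m = META.search(regex)
    # Stem: literal directory prefix before the first component holding a
    # metacharacter (an approximation of how fc_sort measures stems).
    cut = len(regex) if m is None else max(regex.rfind("/", 0, m.start()), 0)
    return {"regex": regex, "type": ftype, "context": context,
            "stem": regex[:cut], "meta": m is not None,
            "pattern": re.compile("^(?:%s)$" % regex)}

def specificity(spec):
    """Sort key, larger is more specific: literal beats regex, then longer
    stem, then more literal characters, then an explicit file type."""
    literal_chars = len(spec["regex"]) - len(META.findall(spec["regex"]))
    return (not spec["meta"], len(spec["stem"]), literal_chars,
            spec["type"] is not None)

def winning_type(spec_lines, path):
    """Return the SELinux type the most specific matching spec gives path."""
    matches = [s for s in map(parse_spec, spec_lines) if s["pattern"].match(path)]
    if not matches:
        return None
    best = max(matches, key=specificity)
    m = re.search(r":object_r:([A-Za-z0-9_]+)", best["context"])
    return m.group(1) if m else best["context"]

# Constructed specs: line 1 is the rule quoted in the report; line 2 is a
# HYPOTHETICAL competitor standing in for whatever assigns bin_t on that box.
REPORTED = [
    "/usr/lib/mailman.*/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)",
    "/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)",
]
FIXED = [REPORTED[0].replace("mailman.*/", "mailman/"), REPORTED[1]]  # ".*" dropped
PATH = "/usr/lib/mailman/bin/qrunner"

if __name__ == "__main__":
    for name, specs in (("reported", REPORTED), ("fixed", FIXED)):
        print("%-8s %s -> %s" % (name, PATH, winning_type(specs, PATH)))
```

On a real system the authoritative check is `matchpathcon -V /usr/lib/mailman/bin/qrunner`, which reports whether the on-disk label matches what the loaded policy would assign.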