Re: [courier-users] 0.75

2015-07-06 Thread Sam Varshavchik

Sam Varshavchik writes:


Gordon Messmer writes:


courierlogger is set to courier_exec_t:

/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/courierlogger
--  system_u:object_r:courier_exec_t:s0

# ls -lZ /usr/sbin/courierlogger
-rwxr-xr-x. daemon daemon system_u:object_r:courier_exec_t:s0 /usr/sbin/courierlogger

I think something treats courier_exec_t as an alias of system_mail_t,
but I don't remember where that might be defined.  I'm kind of getting
tired of filing bugs with Red Hat because they treat Courier as if it
were sendmail.


Who set this SELinux context on courierlogger? My RPMs don't do anything,
selinux-wise.


Answering my own question: this configuration file is installed by Fedora's
selinux package.


The file_contexts file is missing any entries for /usr/libexec/courier-authlib,
where courier-authlib gets installed.


Looks to me like someone added these SELinux entries ages ago, before
courier-authlib became a separate package, and nobody has maintained these
entries ever since.


This whole SELinux business is just one tangled mess of a hairball. No
wonder I have it disabled.




--
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] 0.75

2015-07-06 Thread Sam Varshavchik

Gordon Messmer writes:


courierlogger is set to courier_exec_t:

/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/courierlogger
--  system_u:object_r:courier_exec_t:s0

# ls -lZ /usr/sbin/courierlogger
-rwxr-xr-x. daemon daemon system_u:object_r:courier_exec_t:s0 /usr/sbin/courierlogger

I think something treats courier_exec_t as an alias of system_mail_t,
but I don't remember where that might be defined.  I'm kind of getting
tired of filing bugs with Red Hat because they treat Courier as if it
were sendmail.


Who set this SELinux context on courierlogger? My RPMs don't do anything,
selinux-wise.







Re: [courier-users] 0.75

2015-07-06 Thread Gordon Messmer
On 07/06/2015 04:14 AM, Sam Varshavchik wrote:
 Looks to me like someone added these SELinux entries ages ago, before 
 courier-authlib became a separate package, and nobody has maintained 
 these entries ever since. 

authlib has contexts defined, too.  That's not the problem.  I don't 
know who put the contexts in place without any policy, but it's been a 
big headache all along.  I was able to get Red Hat to stop mis-labelling 
Courier's sendmail in RHEL 7, at least.  When I remember why 
courier_exec_t is being translated to system_mail_t I'll open another 
bug report.



[courier-users] 0.75

2015-07-05 Thread Gordon Messmer
I had two minor problems with the upgrade to Courier 0.75 and authlib 
0.66.3.

The first is that Courier needs ps to build, and the spec needs to be 
updated to reflect that.  Otherwise, it doesn't build in mock.

BuildRequires: procps-ng

The other is that courier-authlib preuninstall script runs authdaemond 
stop and for some reason, that caused my rpm upgrade to hang.  The 
process tree looked like this.  I should have straced the children to 
see what they were doing, and I didn't.  My bad.  I was tired.  In a 
separate terminal, I ran systemctl stop courier-authlib and the 
upgrade then finished properly.

  4676 pts/3    S+     0:01  |   \_ rpm -Fvh courier-0.75.0-1.el7.centos.x86_64.rpm courier-authlib-0.66.3-1.el7.centos.x86_64.rpm courier-authlib-debuginfo-0.66.3-1.el7.
  4825 pts/3    S+     0:00  |   \_ /bin/sh /var/tmp/rpm-tmp.9zDlMy 1
  4826 pts/3    S+     0:00  |   \_ /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -stop /usr/libexec/courier-authlib/authdaemond
  4827 pts/3    S+     0:00  |   \_ /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -stop /usr/libexec/courier-authlib/authdaemond
  4828 pts/3    S+     0:00  |   \_ /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -stop /usr/libexec/courier-authlib/authdaemond





Re: [courier-users] 0.75

2015-07-05 Thread Sam Varshavchik

Gordon Messmer writes:


The other is that courier-authlib preuninstall script runs authdaemond
stop and for some reason, that caused my rpm upgrade to hang.  The
process tree looked like this.  I should have straced the children to
see what they were doing, and I didn't.  My bad.  I was tired.  In a
separate terminal, I ran systemctl stop courier-authlib and the


Which runs authdaemond stop.

Did the systemd-initiated stop complete immediately, or did it also hang for
a while?






Re: [courier-users] 0.75

2015-07-05 Thread Gordon Messmer
On 07/05/2015 04:22 PM, Sam Varshavchik wrote:
 Did the systemd-initiated stop complete immediately, or did it also hang
 for a while.

It was immediate.

If I see a similar hang in the future, I'll try to trace the process and 
see what's going on.



Re: [courier-users] 0.75

2015-07-05 Thread Sam Varshavchik

Gordon Messmer writes:


On 07/05/2015 04:22 PM, Sam Varshavchik wrote:
 Did the systemd-initiated stop complete immediately, or did it also hang
 for a while.

It was immediate.

If I see a similar hang in the future, I'll try to trace the process and
see what's going on.


Also, look at the pid and the lock files, and do an fuser to see who has the
pid and the lock files open.


-stop tries to lock the lock file; if it can't, it reads the pid from the
pid file and sends a SIGTERM. If it still can't lock the lock file after ten
seconds have elapsed, it sends a SIGKILL, but it still tries to lock the
lock file.


A hanging -stop means that something has the lock file locked, and it
escaped SIGKILL.




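The -stop sequence described in the message above, as an added Python model for this discussion (not Courier's own courierlogger code). It assumes a flock-style lock on `pid.lock` beside the pid file, and it differs from a bare retry loop in one way: an EPERM from kill(), which is how an SELinux signal denial surfaces to the caller, ends the attempt with a diagnosis instead of spinning on the lock forever. The `kill` parameter is an injection point for tests only.

```python
import errno
import fcntl
import os
import signal
import time

TERM_GRACE = 10.0   # seconds between SIGTERM and SIGKILL, as described above

def try_lock(lockfd):
    """Non-blocking exclusive lock on lockfd; True if we got it."""
    try:
        fcntl.flock(lockfd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        return True
    except OSError as e:
        if e.errno in (errno.EAGAIN, errno.EACCES):
            return False            # someone else still holds the lock
        raise

def stop_daemon(pidfile, deadline=30.0, kill=os.kill):
    """Stop whoever holds pidfile + '.lock' (the /var/spool/authdaemon
    layout).  Returns 'not_running', 'terminated', 'killed', 'denied'
    (kill() got EPERM, i.e. an SELinux {signal}/{sigkill} denial) or
    'hung'.  `kill` is injectable only so tests can exercise 'denied'."""
    lockfd = os.open(pidfile + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    try:
        if try_lock(lockfd):
            return "not_running"    # lock is free: nothing to stop
        with open(pidfile) as f:
            pid = int(f.read().strip())
        start = time.monotonic()
        sig, outcome = signal.SIGTERM, "terminated"
        while True:
            try:
                kill(pid, sig)
            except ProcessLookupError:
                pass                # already exited; the lock frees itself
            except PermissionError:
                return "denied"     # do not spin forever on EPERM
            for _ in range(20):     # re-try the lock for about a second
                if try_lock(lockfd):
                    return outcome
                time.sleep(0.05)
            elapsed = time.monotonic() - start
            if elapsed >= deadline:
                return "hung"       # lock holder survived even SIGKILL
            if elapsed >= TERM_GRACE:   # escalate after ten seconds
                sig, outcome = signal.SIGKILL, "killed"
    finally:
        os.close(lockfd)
```

With SELinux in enforcing mode, a 'denied' result points straight at the audit log; a 'hung' result is the case the message describes, something holding the lock that SIGKILL did not reach.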


Re: [courier-users] 0.75

2015-07-05 Thread Gordon Messmer
On 07/05/2015 06:35 PM, Sam Varshavchik wrote:

 Also, look at the pid and the lock files, and do an fuser to see who has
 the pid and the lock files open.

 -stop tries to lock the lock file, if it can't, it reads the pid from
 the pid file, sends a SIGTERM. If it's still can't lock the lock file
 after ten seconds have elapsed, it sends a SIGKILL; but it still tries
 to lock the lock file.

Surprise, it's an SELinux failure.

# lsof /var/spool/authdaemon/*
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFFNODE NAME
courierlo   694 root 1023uW  REG  253,20 5242943 /var/spool/authdaemon/pid.lock
courierlo 14264 root    3u   REG  253,20 5242943 /var/spool/authdaemon/pid.lock

# cat /var/spool/authdaemon/pid
694

# ps axf | grep authd
   694 ?        S      0:00 /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -start /usr/libexec/courier-authlib/authdaemond

...all that looks fine.

type=AVC msg=audit(1436121128.545:4130): avc:  denied  { signal } for pid=14263 comm=courierlogger scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=AVC msg=audit(1436121138.546:4161): avc:  denied  { sigkill } for pid=14263 comm=courierlogger scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
...

The latter message repeats.

courierlogger is set to courier_exec_t:

/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/courierlogger 
--  system_u:object_r:courier_exec_t:s0

# ls -lZ /usr/sbin/courierlogger
-rwxr-xr-x. daemon daemon system_u:object_r:courier_exec_t:s0 /usr/sbin/courierlogger

I think something treats courier_exec_t as an alias of system_mail_t, 
but I don't remember where that might be defined.  I'm kind of getting 
tired of filing bugs with Red Hat because they treat Courier as if it 
were sendmail.

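A parser for the AVC records quoted in the message above, added here as example detection code (not part of Courier, audit or setroubleshoot). It flags the exact pattern that makes the -stop loop spin: courierlogger, running as system_mail_t, denied a signal-class permission on a process in another domain. The sample records are the two denials from the message re-joined onto one line each, plus one constructed non-AVC line.

```python
import re

# Sample input: the two AVC lines quoted above, plus a constructed
# SYSCALL line that the parser must ignore.
SAMPLE_AUDIT = [
    "type=AVC msg=audit(1436121128.545:4130): avc:  denied  { signal } for "
    "pid=14263 comm=courierlogger "
    "scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process",
    "type=AVC msg=audit(1436121138.546:4161): avc:  denied  { sigkill } for "
    "pid=14263 comm=courierlogger "
    "scontext=unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process",
    "type=SYSCALL msg=audit(1436121138.546:4161): arch=c000003e syscall=62 "
    "success=no exit=-1",  # constructed, not from the thread
]

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """One AVC record -> dict of its fields, or None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "verdict")}
    rec["perms"] = m.group("perms").split()
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("rest")))
    # contexts are user:role:type[:range]; the type is what policy keys on
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec

def signal_denials(lines, comm="courierlogger"):
    """Denied signal-class permissions by `comm` on another process."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if rec.get("tclass") != "process" or rec.get("comm") != comm:
            continue
        if {"signal", "sigkill", "sigstop"} & set(rec["perms"]):
            hits.append(rec)
    return hits

def summarize(rec):
    """Operator-facing one-liner for a hit."""
    return (f"{rec['comm']}[{rec['pid']}] as {rec['scontext_type']} denied "
            f"{' '.join(rec['perms'])} on {rec['tcontext_type']}")
```

Run over `ausearch -m AVC` output, a hit for the same pid at ten-second intervals is the SIGTERM-then-SIGKILL escalation failing, which explains why the rpm scriptlet never returns.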