Thunderbird failed to start when SELinux is in enforcing mode. At present I use =mail-client/thunderbird-24.4.0 and sec-policy/selinux-thunderbird-2.20140311-r1

Terminal output:

$ thunderbird
(process:2605): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
Segmentation fault

# cat /var/log/audit/audit.log | grep 2605
type=AVC msg=audit(1395562701.817:113): avc: denied { execmem } for pid=2605 comm="thunderbird" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process
type=ANOM_ABEND msg=audit(1395562701.818:114): auid=1000 uid=1000 gid=1000 ses=2 subj=staff_u:staff_r:staff_t pid=2605 comm="thunderbird" reason="memory violation" sig=11

Known workarounds:
- run SELinux in permissive mode
- setsebool allow_execmem on
The denial shows that thunderbird is still running in the user context (staff_t) instead of the thunderbird context (thunderbird_t). Check the context of the thunderbird binary (and if it isn't thunderbird_exec_t, tell me the location of the binary). The staff user should have thunderbird rights - you can validate that through "seinfo -rstaff_r -x | grep thunderbird" or with sesearch.
The context of the Thunderbird binary is:

# getfattr -m security.selinux -d /usr/bin/thunderbird
security.selinux="system_u:object_r:bin_t"

The staff user has the thunderbird rights:

# seinfo -rstaff_r -x | grep thunderbird
   thunderbird_t
The context of the binary should be thunderbird_exec_t. If you run "restorecon /usr/bin/thunderbird" does it then change the context correctly?

In thunderbird.fc we have the following expression which should match:

/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0)
restorecon changes nothing:

# restorecon /usr/bin/thunderbird
# getfattr -m security.selinux -d /usr/bin/thunderbird
security.selinux="system_u:object_r:bin_t"

But on my system there seems to be no thunderbird.fc file:

# find / | grep "thunderbird\.fc"
#
thunderbird.fc is part of the policy; all contexts are aggregated in /etc/selinux/*/contexts/files/file_contexts so you should find the match there.

Perhaps /usr/bin/thunderbird.* is a wrong definition. First check if /usr/bin/thunderbird.* is defined on your system:

~# semanage fcontext -l | grep thunderbird_exec_t

If you can find that expression, and restorecon doesn't want to restore it, try the following:

~# semanage fcontext -a -t thunderbird_exec_t "/usr/bin/thunderbird(.*)?"
~# restorecon -v /usr/bin/thunderbird

Does that help?
# semanage fcontext -l | grep thunderbird_exec_t
/usr/bin/thunderbird.*    regular file    system_u:object_r:thunderbird_exec_t
# semanage fcontext -a -t thunderbird_exec_t "/usr/bin/thunderbird(.*)?"
# restorecon -v /usr/bin/thunderbird
restorecon reset /usr/bin/thunderbird context system_u:object_r:bin_t->system_u:object_r:thunderbird_exec_t

It did something. I cannot run thunderbird with staff_u anymore.

$ thunderbird
bash: thunderbird: command not found
$ /usr/bin/thunderbird
bash: /usr/bin/thunderbird: Permission denied
# getfattr -m security.selinux -d /usr/bin/thunderbird
security.selinux="system_u:object_r:bin_t"

audit shows:

# cat /var/log/audit/audit.log | grep thunderbird
type=AVC msg=audit(1395827126.119:111): avc: denied { read } for pid=2850 comm="bash" name="thunderbird" dev="sda4" ino=2625532 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:thunderbird_exec_t tclass=lnk_file
type=AVC msg=audit(1395827126.119:112): avc: denied { read } for pid=2850 comm="bash" name="thunderbird" dev="sda4" ino=2625532 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:thunderbird_exec_t tclass=lnk_file
The audit logs talks about a symlink (lnk_file). Is /usr/bin/thunderbird a symbolic link? If so, where does it point to? If not, which symlink would this be then? It might be sufficient to allow staff_t to read thunderbird_exec_t links, although it probably makes more sense to have the link remain bin_t and the target it points to be thunderbird_exec_t.
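An added example (not from the bug report and not part of the Gentoo policy) that automates the check asked for above: walk a path's symlink chain and print the SELinux label of every hop, without following the link when reading its label, so you can see which hop carries bin_t and which carries thunderbird_exec_t. It assumes readlink(1) and getfattr(1) are installed; where getfattr is missing or the file has no security.selinux attribute the label is reported as "(unlabelled)".

```shell
#!/bin/sh
# Added example: print "<path> <label>" for a path and each symlink target
# it resolves through. The label of a symlink itself is read with
# getfattr -h (no dereference), because the denial above is on the
# lnk_file, not on the ELF binary it points to.

label_of() {
    # security.selinux xattr of $1, not following symlinks; fallback
    # string when getfattr is absent or the attribute is not set.
    getfattr -h -n security.selinux --only-values -- "$1" 2>/dev/null \
        || printf '(unlabelled)'
}

label_chain() {
    # Walk from $1 to the final non-link, printing one line per hop.
    # Relative link targets are resolved against the link's directory.
    p=$1
    hops=0
    while [ "$hops" -lt 16 ]; do
        printf '%s %s\n' "$p" "$(label_of "$p")"
        [ -L "$p" ] || return 0
        t=$(readlink -- "$p") || return 1
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname -- "$p")/$t ;;
        esac
        hops=$((hops + 1))
    done
    echo "label_chain: too many symlink hops starting at $1" >&2
    return 1
}

# Usage (on the reporter's system):
#   label_chain /usr/bin/thunderbird
```

On the system in this thread the expected healthy output is two lines: /usr/bin/thunderbird labelled bin_t and /usr/lib64/thunderbird/thunderbird labelled thunderbird_exec_t. If the first line shows thunderbird_exec_t, staff_t cannot read the link and you get exactly the lnk_file denial quoted above.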
# file /usr/bin/thunderbird
/usr/bin/thunderbird: symbolic link to `/usr/lib64/thunderbird/thunderbird'
# file /usr/lib64/thunderbird/thunderbird
/usr/lib64/thunderbird/thunderbird: ELF 64-bit LSB shared object, x86-64, version$

I restored the file context of /usr/bin/thunderbird to bin_t and set the context of /usr/lib/thunderbird/thunderbird to thunderbird_exec_t:

# semanage fcontext -a -t thunderbird_exec_t "/usr/lib64/thunderbird/thunderbird"
ValueError: File spec /usr/lib64/thunderbird/thunderbird conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/thunderbird/thunderbird' instead
# semanage fcontext -a -t thunderbird_exec_t "/usr/lib/thunderbird/thunderbird"
# restorecon -v -r /usr/
restorecon reset /usr/lib64/thunderbird/thunderbird context system_u:object_r:bin_t->system_u:object_r:thunderbird_exec_t

Now thunderbird starts but it shows only an error message: "Your Thunderbird profile cannot be loaded. It may be missing or inaccessible". I solved this by writing a small policy module. Now thunderbird is running normally.
policy_module(thunderbird_test, 1.0.0)

require {
	type thunderbird_t;
	type user_devpts_t;
	type xdg_cache_home_t;
	type sysfs_t;
	class chr_file { write read };
	class file { read open getattr };
	class dir { read write search add_name create };
}

# /dev/pts/N: the terminal thunderbird was started from
allow thunderbird_t user_devpts_t:chr_file { read write };
# ~/.cache: create and populate ~/.cache/thunderbird
allow thunderbird_t xdg_cache_home_t:dir { search write add_name create };
# /sys/devices/system/cpu/present: CPU enumeration via sysfs
allow thunderbird_t sysfs_t:file { read open getattr };
allow thunderbird_t sysfs_t:dir { read };

This fixes the following issues from audit.log:

type=AVC msg=audit(1395852448.592:18396): avc: denied { read write } for pid=22397 comm="thunderbird" path="/dev/pts/5" dev="devpts" ino=8 scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:user_devpts_t tclass=chr_file
type=AVC msg=audit(1395852448.748:18397): avc: denied { search } for pid=22397 comm="thunderbird" name=".cache" dev="sda4" ino=1048589 scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:xdg_cache_home_t tclass=dir
type=AVC msg=audit(1395852448.748:18398): avc: denied { search } for pid=22397 comm="thunderbird" name=".cache" dev="sda4" ino=1048589 scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:xdg_cache_home_t tclass=dir
type=AVC msg=audit(1395852449.298:18399): avc: denied { read } for pid=22397 comm="thunderbird" name="present" dev="sysfs" ino=31 scontext=staff_u:staff_r:thunderbird_t tcontext=system_u:object_r:sysfs_t tclass=file
type=AVC msg=audit(1395852449.298:18400): avc: denied { read } for pid=22397 comm="thunderbird" name="cpu" dev="sysfs" ino=27 scontext=staff_u:staff_r:thunderbird_t tcontext=system_u:object_r:sysfs_t tclass=dir
type=AVC msg=audit(1395861888.424:18442): avc: denied { write } for pid=12380 comm="thunderbird" name=".cache" dev="sda4" ino=1048589 scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:xdg_cache_home_t tclass=dir
type=AVC msg=audit(1395861889.038:18443): avc: denied { open } for pid=12380 comm="thunderbird" path="/sys/devices/system/cpu/present" dev="sysfs" ino=31 scontext=staff_u:staff_r:thunderbird_t tcontext=system_u:object_r:sysfs_t tclass=file
type=AVC msg=audit(1395862084.872:18445): avc: denied { add_name } for pid=12560 comm="thunderbird" name="thunderbird" scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:xdg_cache_home_t tclass=dir
type=AVC msg=audit(1395862085.591:18446): avc: denied { getattr } for pid=12560 comm="thunderbird" path="/sys/devices/system/cpu/present" dev="sysfs" ino=31 scontext=staff_u:staff_r:thunderbird_t tcontext=system_u:object_r:sysfs_t tclass=file
type=AVC msg=audit(1395862458.739:18449): avc: denied { create } for pid=12913 comm="thunderbird" name="thunderbird" scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:xdg_cache_home_t tclass=dir

audit also shows the following message, but this shouldn't be a problem:

type=SYSCALL msg=audit(1395862458.739:18449): arch=c000003e syscall=83 success=no exit=-13 a0=7f63be1b03c8 a1=1c0 a2=1c0 a3=7f63bf3d3308 items=2 ppid=20796 pid=12913 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=3 tty=pts5 comm="thunderbird" exe="/usr/lib64/thunderbird/thunderbird" subj=staff_u:staff_r:thunderbird_t key=(null)

Thank you for your help.
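An added example, not from the bug report and not the reporter's or the Gentoo policy's own code: the module above was derived by hand from the AVC lines that follow it. The script below does the same mechanically (audit2allow, which ships with the policycoreutils, is the real tool for this; this version shows the mechanics and adds one check the thread makes relevant). Only denials whose source type is the expected domain become allow rules; a denial with a different source type, such as the execmem denial in staff_t from the first comment, is emitted as a comment instead, because that is a missing domain transition or wrong file context, not a missing allow rule. The domain name is a parameter, and the sample log lines are constructed in the format of those quoted in this thread.

```shell
#!/bin/sh
# Added example: build a local .te skeleton from AVC denials on stdin.
# usage: avc_to_te <domain> < audit.log

avc_to_te() {
    awk -v dom="$1" '
    /type=AVC/ && /avc: *denied/ {
        # permissions are the words between the first "{" and "}"
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        stype = ttype = cls = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is the type
            if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); stype = a[3] }
            else if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); ttype = a[3] }
            else if (index($i, "tclass=") == 1) cls = substr($i, 8)
        }
        if (stype != dom) {
            # not a rule for this module: the process never entered the domain
            skipped[++ns] = "# not converted (source " stype " is not " dom "): { " perms " } on " ttype ":" cls
            next
        }
        key = ttype ":" cls
        if (!(key in plist)) { klist[++nk] = key; plist[key] = "" }
        if (!(ttype in tseen)) { tseen[ttype] = 1; tlist[++nt] = ttype }
        if (!(cls in cseen)) { cseen[cls] = 1; clist[++nc] = cls; cplist[cls] = "" }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # union of permissions per (target type, class), insertion order kept
            if (!((key, p[j]) in pseen)) { pseen[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
            if (!((cls, p[j]) in cpseen)) { cpseen[cls, p[j]] = 1; cplist[cls] = cplist[cls] " " p[j] }
        }
    }
    END {
        name = dom; sub(/_t$/, "", name)
        print "policy_module(" name "_local, 1.0.0)\n"
        print "require {"
        print "\ttype " dom ";"
        for (i = 1; i <= nt; i++) if (tlist[i] != dom) print "\ttype " tlist[i] ";"
        for (i = 1; i <= nc; i++) print "\tclass " clist[i] " {" cplist[clist[i]] " };"
        print "}\n"
        for (i = 1; i <= nk; i++) print "allow " dom " " klist[i] " {" plist[klist[i]] " };"
        for (i = 1; i <= ns; i++) print skipped[i]
    }'
}

sample_avc() {
    # Constructed sample lines, modelled on the denials quoted in this thread.
    cat <<'EOF'
type=AVC msg=audit(1395562701.817:113): avc:  denied  { execmem } for  pid=2605 comm="thunderbird" scontext=staff_u:staff_r:staff_t tcontext=staff_u:staff_r:staff_t tclass=process
type=AVC msg=audit(1395852448.592:18396): avc:  denied  { read write } for  pid=22397 comm="thunderbird" path="/dev/pts/5" dev="devpts" ino=8 scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:user_devpts_t tclass=chr_file
type=AVC msg=audit(1395852448.748:18397): avc:  denied  { search } for  pid=22397 comm="thunderbird" name=".cache" dev="sda4" ino=1048589 scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:xdg_cache_home_t tclass=dir
type=AVC msg=audit(1395861888.424:18442): avc:  denied  { write } for  pid=12380 comm="thunderbird" name=".cache" dev="sda4" ino=1048589 scontext=staff_u:staff_r:thunderbird_t tcontext=staff_u:object_r:xdg_cache_home_t tclass=dir
type=AVC msg=audit(1395852449.298:18399): avc:  denied  { read } for  pid=22397 comm="thunderbird" name="present" dev="sysfs" ino=31 scontext=staff_u:staff_r:thunderbird_t tcontext=system_u:object_r:sysfs_t tclass=file
type=SYSCALL msg=audit(1395862458.739:18449): arch=c000003e syscall=83 success=no exit=-13 comm="thunderbird" subj=staff_u:staff_r:thunderbird_t
EOF
}

demo() {
    # Generate the module for the thunderbird_t domain from the sample.
    sample_avc | avc_to_te thunderbird_t
}
```

Against a real log run something like `grep thunderbird /var/log/audit/audit.log | avc_to_te thunderbird_t > thunderbird_local.te` and then review every allow line before building it with the usual Makefile from /usr/share/selinux/devel: the tool only tells you what was denied, not whether the program should be allowed to do it.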
Glad to hear this got it working for you. Sadly, I can't just add this to our policy as it wouldn't be mergeable upstream - I need to have the error(s) and purposes of each addition to the policy in order to be able to upstream it. The good thing is that I can now just build thunderbird and follow the steps (and policy) you did, record the errors and build up the policy changes so they can be merged upstream.
I encountered some more trouble when I tried to send mails: "Sending of message failed. Please verify that your Mail & Newsgroups account settings are correct and try again." I added some more policies to the policy module. Now audit.log contains no new entries for thunderbird_t, but the error remains.
Finally got around to testing thunderbird myself (it's thunderbird-bin, but that's a start, no? ;-)

I had to make a few changes to the policy, such as
- introduce support for thunderbird temporary files (thunderbird_tmp_t)
- add in support for the XDG ~/.cache directory
- read access to XDG ~/.local
- access to sysfs (read-privileges)
- rw-privileges to DRI device

If you use the live ebuilds (selinux-thunderbird-9999) then you might want to test the changes and see if that helps for you. I only did basic testing (sending & receiving e-mails) with this and things seem to work well.

The contexts for thunderbird-bin are in /opt/thunderbird, but I also added in the /usr/lib/thunderbird/thunderbird one.

See http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commitdiff;h=15f4cb7c1387e72719c9948281f4818842baea96 and http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commitdiff;h=ac63ef72892a2cc20406cf1951998e2c15361f6a for the related commits.
r6 is in the tree, ~arch
Thank you. The policy r6 works well. I can now read and write mails with SELinux enabled.

I encountered a minor bug on a freshly installed Linux. On the first start, thunderbird exits with an error "cannot create /home/*/.catch/thunderbird", so I started thunderbird in permissive mode for the first time. Afterwards, in enforcing mode, everything works well.

Thank you. You did good work.
r6 is now stable