postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 21 17:33:51 UTC 2006


Marc Schwartz (via MN) wrote:
> On Wed, 2006-06-21 at 16:53 +0100, Paul Howarth wrote:
>> Marc Schwartz (via MN) wrote:
> 
> <snip>
> 
>>> The current modules then are:
>>>
>>> # semodule -l
>>> amavis  1.0.4
>>> clamav  1.0.1
>>> myclamscan      0.2.0
>>> mydcc   0.1.3
>>> mypyzor 0.2.1
>>> procmail        0.5.3
>>> pyzor   1.0.1
>>>
>>>
>>> No msgs are being reported by avclist subsequent to the above changes.
>>> Specifically nothing wrt the postfix manpage weirdness.
>>>
>>> All else appears to be OK so far.
>> Can you try restarting postfix? I think the manpage thing happened at 
>> that point.
> 
> Interesting. Recalling that, I had re-booted before my reply above and
> had no msgs. However doing a service restart post-boot using
> system-config-services, I get:
> 
> type=AVC msg=audit(1150906621.693:641): avc:  denied  { read } for  pid=12784 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
> type=SYSCALL msg=audit(1150906621.693:641): arch=40000003 syscall=11 success=yes exit=0 a0=9e14f80 a1=9dfb478 a2=9e14f98 a3=9e14e68 items=2 pid=12784 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix" exe="/usr/sbin/postfix"
> type=AVC_PATH msg=audit(1150906621.693:641):  path="/root/.rh-fontconfig/.fonts.cache-2"
> type=CWD msg=audit(1150906621.693:641):  cwd="/"
> type=PATH msg=audit(1150906621.693:641): item=0 name="/usr/sbin/postfix" flags=101  inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1150906621.693:641): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150906621.829:642): avc:  denied  { read } for  pid=12796 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
> type=SYSCALL msg=audit(1150906621.829:642): arch=40000003 syscall=11 success=yes exit=0 a0=9e15318 a1=9e00e50 a2=9e14f98 a3=9e14d00 items=2 pid=12796 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix" exe="/usr/sbin/postfix"
> type=AVC_PATH msg=audit(1150906621.829:642):  path="/root/.rh-fontconfig/.fonts.cache-2"
> type=CWD msg=audit(1150906621.829:642):  cwd="/"
> type=PATH msg=audit(1150906621.829:642): item=0 name="/usr/sbin/postfix" flags=101  inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1150906621.829:642): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> 
> Which seems to not involve the man pages, but font caches for some
> reason.

That's just completely weird. I wonder if it's a filehandle left open 
from somewhere. I wonder how to diagnose this further? Since the types 
aren't consistent, they can't even be dontaudit-ed. I trust nothing has 
broken anyway?

>> Once that's done I'd like to try out the dcc and razor modules that are 
>> now in rawhide. That will involve going back to permissive mode for a 
>> while though.

OK, I've attached the dcc and razor policy files from the current FC5 
selinux-policy package. Try installing those, put selinux in permissive 
mode, do a restorecon on all of your dcc and razor files/directories and 
see what happens.

Paul.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dcc.fc
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060621/5e8c8442/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dcc.if
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060621/5e8c8442/attachment-0001.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dcc.te
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060621/5e8c8442/attachment-0002.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: razor.fc
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060621/5e8c8442/attachment-0003.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: razor.if
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060621/5e8c8442/attachment-0004.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: razor.te
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20060621/5e8c8442/attachment-0005.ksh>
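
Added example, not part of the original post or of the attached policy files: one way to pursue the "how to diagnose this further" question is to merge the AVC, SYSCALL, AVC_PATH and CWD records that share an audit serial into a single view. The function names and the abbreviated sample records below are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: records abbreviated from audit event 641 quoted in the thread.
SAMPLE = '''\
type=AVC msg=audit(1150906621.693:641): avc:  denied  { read } for  pid=12784 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1150906621.693:641): arch=40000003 syscall=11 success=yes exit=0 items=2 pid=12784 auid=500 uid=0 comm="postfix" exe="/usr/sbin/postfix"
type=AVC_PATH msg=audit(1150906621.693:641):  path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1150906621.693:641):  cwd="/"
'''

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

def correlate(text):
    """Group audit records by event serial and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        line = line.lstrip('> ').strip()   # tolerate mail quoting
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        ev = events[int(serial)]
        if rtype == 'AVC':
            p = PERMS.search(rest)
            ev['perms'] = p.group(1).split() if p else []
        for k, v in FIELD.findall(rest):
            ev.setdefault(f'{rtype}.{k}', v.strip('"'))  # e.g. "SYSCALL.exe"
    return dict(events)

def summarize(ev):
    """Reduce one merged event to: who was denied what, on which object."""
    stype = ev['AVC.scontext'].split(':')[2]   # user:role:type:level
    ttype = ev['AVC.tcontext'].split(':')[2]
    return {
        'source_type': stype, 'target_type': ttype,
        'perms': ev['perms'], 'tclass': ev['AVC.tclass'],
        'path': ev.get('AVC_PATH.path'), 'exe': ev.get('SYSCALL.exe'),
        'syscall': ev.get('SYSCALL.syscall'), 'auid': ev.get('SYSCALL.auid'),
    }

if __name__ == '__main__':
    for serial, ev in sorted(correlate(SAMPLE).items()):
        if 'AVC.scontext' in ev:
            print(serial, summarize(ev))
```

On i386 (arch=40000003) syscall 11 is execve, so the merged event shows the denial being logged as /usr/sbin/postfix is exec'd in a session whose auid is 500.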

