postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Sat Jun 24 22:40:42 UTC 2006


On Sat, 2006-06-24 at 10:12 +0100, Paul Howarth wrote:
> On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:

<snip>

> > > I suspect that the current FC5 policy includes these interfaces but not 
> > > the policy modules or file contexts. Can anyone confirm this? 
> > > Renaming/removing the .if files makes these warnings go away anyway.
> > 
> > Yep. I removed the .if files and all seems well.
> 
> I'm going to rename the myclamscan module to myclamav, and merge
> together the myclamscan policy with some clamav tweaks I did for someone
> on fedora-list. This will make it easier to eventually merge it into the
> main policy.

OK. Makes sense.

> > > > /.razor/*
> > > 
> > > That looks rather dubious.
> > 
> > I initially thought that these files in / were from the initial install.
> > 
> > However, the dates on the log files in that path are current as of last
> > night, when the cron jobs run.
> 
> What are the cron jobs doing? We need to find a way of stopping them
> writing here. There's no way I'm going to add policy to allow this.

Here are the key entries:

# Run ClamAV Update every hour
00 * * * * root freshclam --quiet

# Run DCC Update at 1 am
00 01 * * * root /var/dcc/libexec/updatedcc > /dev/null

# Run pyzor update at 1:10 am
10 01 * * * root /usr/bin/pyzor discover > /dev/null

# Run razor update at 1:20 am
20 01 * * * root /usr/bin/razor-admin -discover > /dev/null


updatedcc downloads and builds an updated DCC client each night.

'pyzor discover' updates the pyzor server list.

'razor-admin -discover' does the same for the razor servers.


> > The files in /root/.razor appear to be tagged as during the day today,
> > perhaps when cron jobs result in e-mails to root, which are then mapped
> > to my userID by postfix.
> 
> It's unfortunate that the mapping takes place later than the razor
> invocation.
> 
> (snip)

<snip>

> > type=AVC msg=audit(1151025306.136:693): avc:  denied  { search } for  pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> 
> Failed to transition to dcc type, which will be because dccproc isn't
> labelled correctly (it's in /usr/local/bin but policy expects it
> in /usr/bin). Please check in dcc.fc if there are any other programs not
> in the right place.

These files:

/usr/bin/cdcc
/usr/bin/dccproc

are in:

/usr/local/bin/cdcc
/usr/local/bin/dccproc


There is no /etc/dcc tree.


The files that are listed in /usr/libexec/dcc are in /var/dcc/libexec.


There is no /var/run/dcc tree.


<snip of new policy files>

> After loading these modules, please do:
> # restorecon -rv /usr/local/bin

Done.

> Moving clamassassin into its own domain may cause lots of new AVCs. This
> is expected...

OK.

# semodule -l
amavis  1.0.4
clamav  1.0.1
dcc     1.0.0
myclamav        0.1.1
mydcc   0.1.5
mypostfix       0.1.0
mypyzor 0.2.1
myspamassassin  0.1.1
procmail        0.5.4
pyzor   1.0.1
razor   1.0.0


New messages:

type=AVC msg=audit(1151188279.668:1444): avc:  denied  { read } for  pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.668:1444): arch=40000003 syscall=11 success=yes exit=0 a0=a6eece8 a1=9c6f400 a2=a8f8b08 a3=bfec81ac items=2 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.668:1444):  path="/tmp/.spamassassin2378EoApLctmp"
type=CWD msg=audit(1151188279.668:1444):  cwd="/"
type=PATH msg=audit(1151188279.668:1444): item=0 name="/usr/local/bin/dccproc" inode=3122809 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=PATH msg=audit(1151188279.668:1444): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151188279.672:1445): avc:  denied  { getattr } for  pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1445): arch=40000003 syscall=197 success=yes exit=0 a0=0 a1=bff9ba98 a2=4891eff4 a3=3 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1445):  path="/tmp/.spamassassin2378EoApLctmp"
type=AVC msg=audit(1151188279.672:1446): avc:  denied  { search } for  pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1151188279.672:1446): arch=40000003 syscall=12 success=yes exit=0 a0=bff9abe2 a1=0 a2=4891eff4 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=CWD msg=audit(1151188279.672:1446):  cwd="/"
type=PATH msg=audit(1151188279.672:1446): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=AVC msg=audit(1151188279.672:1447): avc:  denied  { read write } for  pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1447): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=CWD msg=audit(1151188279.672:1447):  cwd="/var/dcc"
type=PATH msg=audit(1151188279.672:1447): item=0 name="/var/dcc/map" inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=AVC msg=audit(1151188279.672:1448): avc:  denied  { getattr } for  pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1448): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bff9a9f8 a2=4891eff4 a3=3 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1448):  path="/var/dcc/map"
type=AVC msg=audit(1151188279.672:1449): avc:  denied  { lock } for  pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1449): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bff9bb74 a3=bff9bb74 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1449):  path="/var/dcc/map"
type=AVC msg=audit(1151188279.672:1450): avc:  denied  { node_bind } for  pid=6563 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1151188279.672:1450): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff9bab0 a2=4891eff4 a3=37 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=SOCKADDR msg=audit(1151188279.672:1450): saddr=02000000000000000000000000000000
type=SOCKETCALL msg=audit(1151188279.672:1450): nargs=3 a0=4 a1=bff9bb54 a2=10


Thanks,

Marc
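As an added illustration (not part of this thread and not code from the DCC or SELinux reference policy projects): a small Python parser that reads AVC lines like the ones Marc posted, groups the denials by source type, target type and object class, and separates out the targets labelled unlabeled_t. Those are the files the policy's file contexts never matched (here /var/dcc, since the policy expects DCC's files under /usr/bin, /usr/libexec/dcc and /var/run/dcc), so they point at a labelling fix (restorecon or an equivalent file-context mapping) rather than at new allow rules; the denial against spamd_tmp_t is a different kind of problem that needs a policy decision. The sample lines are copied from the thread; the field layout assumed is the standard Linux audit AVC format.

```python
import re
from collections import defaultdict

# Sample input: AVC/SYSCALL lines copied from the thread above (the SYSCALL
# line is included to show that non-AVC records are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151188279.668:1444): avc:  denied  { read } for  pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=AVC msg=audit(1151188279.672:1446): avc:  denied  { search } for  pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1151188279.672:1447): avc:  denied  { read write } for  pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1447): arch=40000003 syscall=5 success=yes exit=3 comm="dccproc"
"""

# "avc:  denied  { read write } for  key=value ..." -> verdict, permission set, key=value tail
AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class), collecting the denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            summary[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def mislabeled_targets(log_text):
    """Names of objects denied under unlabeled_t: candidates for relabelling, not for allow rules."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return sorted({rec["name"] for rec in recs if rec and rec["ttype"] == "unlabeled_t" and "name" in rec})
```

Run over the full "New messages" block, summarize() collapses the repeated dccproc denials into a handful of (domain, type, class) tuples, which is the granularity at which a policy module or a file-context fix is actually written.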




