postfix, procmail and SELinux - No Go
Marc Schwartz
MSchwartz at mn.rr.com
Sat Jun 24 22:40:42 UTC 2006
On Sat, 2006-06-24 at 10:12 +0100, Paul Howarth wrote:
> On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:
<snip>
> > > I suspect that the current FC5 policy includes these interfaces but not
> > > the policy modules or file contexts. Can anyone confirm this?
> > > Renaming/removing the .if files makes these warnings go away anyway.
> >
> > Yep. I removed the .if files and all seems well.
>
> I'm going to rename the myclamscan module to myclamav, and merge
> together the myclamscan policy with some clamav tweaks I did for someone
> on fedora-list. This will make it easier to eventually merge it into the
> main policy.
OK. Makes sense
> > > > /.razor/*
> > >
> > > That looks rather dubious.
> >
> > I initially thought that these files in / were from the initial install.
> >
> > However, the dates on the log files in that path are current as of last
> > night, when the cron jobs run.
>
> What are the cron jobs doing? We need to find a way of stopping them
> writing here. There's no way I'm going to add policy to allow this.
Here are the key entries:
# Run ClamAV Update every hour
00 * * * * root freshclam --quiet
# Run DCC Update at 1 am
00 01 * * * root /var/dcc/libexec/updatedcc > /dev/null
# Run pyzor update at 1:10 am
10 01 * * * root /usr/bin/pyzor discover > /dev/null
# Run razor update at 1:20 am
20 01 * * * root /usr/bin/razor-admin -discover > /dev/null
updatedcc downloads and builds an updated DCC client each night.
'pyzor discover' updates the pyzor server list.
'razor-admin -discover' does the same for the razor servers.
> > The files in /root/.razor appear to be tagged as during the day today,
> > perhaps when cron jobs result in e-mails to root, which are then mapped
> > to my userID by postfix.
>
> It's unfortunate that the mapping takes place later than the razor
> invocation.
>
> (snip)
<snip>
> > type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontex t=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 p id=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
>
> Failed to transition to dcc type, which will be because dccproc isn't
> labelled correctly (it's in /usr/local/bin but policy expects it
> in /usr/bin). Please check in dcc.fc if there are any other programs not
> in the right place.
These files:
/usr/bin/cdcc
/usr/bin/dccproc
are in:
/usr/local/bin/cdcc
/usr/local/bin/dccproc
There is no /etc/dcc tree
The files that are listed in /usr/libexec/dcc are in /var/dcc/libexec.
There is no /var/run/dcc tree.
<snip of new policy files>
> After localing these modules, please do:
> # restorecon -rv /usr/local/bin
Done.
> Moving clamassassin into its own domain may cause lots of new AVCs. This
> is expected...
OK.
# semodule -l
amavis 1.0.4
clamav 1.0.1
dcc 1.0.0
myclamav 0.1.1
mydcc 0.1.5
mypostfix 0.1.0
mypyzor 0.2.1
myspamassassin 0.1.1
procmail 0.5.4
pyzor 1.0.1
razor 1.0.0
New messages:
type=AVC msg=audit(1151188279.668:1444): avc: denied { read } for pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.668:1444): arch=40000003 syscall=11 success=yes exit=0 a0=a6eece8 a1=9c6f400 a2=a8f8b08 a3=bfec81ac items=2 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.668:1444): path="/tmp/.spamassassin2378EoApLctmp"
type=CWD msg=audit(1151188279.668:1444): cwd="/"
type=PATH msg=audit(1151188279.668:1444): item=0 name="/usr/local/bin/dccproc" inode=3122809 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=PATH msg=audit(1151188279.668:1444): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151188279.672:1445): avc: denied { getattr } for pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1445): arch=40000003 syscall=197 success=yes exit=0 a0=0 a1=bff9ba98 a2=4891eff4 a3=3 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1445): path="/tmp/.spamassassin2378EoApLctmp"
type=AVC msg=audit(1151188279.672:1446): avc: denied { search } for pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1151188279.672:1446): arch=40000003 syscall=12 success=yes exit=0 a0=bff9abe2 a1=0 a2=4891eff4 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=CWD msg=audit(1151188279.672:1446): cwd="/"
type=PATH msg=audit(1151188279.672:1446): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=AVC msg=audit(1151188279.672:1447): avc: denied { read write } for pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1447): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=CWD msg=audit(1151188279.672:1447): cwd="/var/dcc"
type=PATH msg=audit(1151188279.672:1447): item=0 name="/var/dcc/map" inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=AVC msg=audit(1151188279.672:1448): avc: denied { getattr } for pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1448): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bff9a9f8 a2=4891eff4 a3=3 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1448): path="/var/dcc/map"
type=AVC msg=audit(1151188279.672:1449): avc: denied { lock } for pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1449): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bff9bb74 a3=bff9bb74 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1449): path="/var/dcc/map"
type=AVC msg=audit(1151188279.672:1450): avc: denied { node_bind } for pid=6563 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1151188279.672:1450): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff9bab0 a2=4891eff4 a3=37 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=SOCKADDR msg=audit(1151188279.672:1450): saddr=02000000000000000000000000000000
type=SOCKETCALL msg=audit(1151188279.672:1450): nargs=3 a0=4 a1=bff9bb54 a2=10
Thanks,
Marc
More information about the fedora-selinux-list
mailing list