postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Sun Jun 25 08:40:27 UTC 2006


On Sat, 2006-06-24 at 17:40 -0500, Marc Schwartz wrote:
> On Sat, 2006-06-24 at 10:12 +0100, Paul Howarth wrote:
> > On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:

(snip)

> > > > > /.razor/*
> > > > 
> > > > That looks rather dubious.
> > > 
> > > I initially thought that these files in / were from the initial install.
> > > 
> > > However, the dates on the log files in that path are current as of last
> > > night, when the cron jobs run.
> > 
> > What are the cron jobs doing? We need to find a way of stopping them
> > writing here. There's no way I'm going to add policy to allow this.
> 
> Here are the key entries:
> 
> # Run ClamAV Update every hour
> 00 * * * * root freshclam --quiet
> 
> # Run DCC Update at 1 am
> 00 01 * * * root /var/dcc/libexec/updatedcc > /dev/null

This one seems OK as it's not trying to write anything in the root
directory.

> # Run pyzor update at 1:10 am
> 10 01 * * * root /usr/bin/pyzor discover > /dev/null
> 
> # Run razor update at 1:20 am
> 20 01 * * * root /usr/bin/razor-admin -discover > /dev/null
> 
> 
> updatedcc downloads and builds an updated DCC client each night.
> 
> 'pyzor discover' updates the pyzor server list.
> 
> 'razor-admin -discover' does the same for the razor servers.

Can these be made to write files somewhere other than /.razor etc?

Are the files written there just like the ones for regular users, e.g.
default preference settings?

> > > type=AVC msg=audit(1151025306.136:693): avc:  denied  { search } for  pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> > 
> > Failed to transition to dcc type, which will be because dccproc isn't
> > labelled correctly (it's in /usr/local/bin but policy expects it
> > in /usr/bin). Please check in dcc.fc if there are any other programs not
> > in the right place.
> 
> These files:
> 
> /usr/bin/cdcc
> /usr/bin/dccproc
> 
> are in:
> 
> /usr/local/bin/cdcc
> /usr/local/bin/dccproc

Got those yesterday :-)

> The files that are listed in /usr/libexec/dcc are in /var/dcc/libexec.

OK, added those file contexts.

> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> dcc     1.0.0
> myclamav        0.1.1
> mydcc   0.1.5
> mypostfix       0.1.0
> mypyzor 0.2.1
> myspamassassin  0.1.1
> procmail        0.5.4
> pyzor   1.0.1
> razor   1.0.0
> 
> 
> New messages:
> 
> type=AVC msg=audit(1151188279.668:1444): avc:  denied  { read } for  pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1151188279.668:1444): arch=40000003 syscall=11 success=yes exit=0 a0=a6eece8 a1=9c6f400 a2=a8f8b08 a3=bfec81ac items=2 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=AVC_PATH msg=audit(1151188279.668:1444):  path="/tmp/.spamassassin2378EoApLctmp"
> type=CWD msg=audit(1151188279.668:1444):  cwd="/"
> type=PATH msg=audit(1151188279.668:1444): item=0 name="/usr/local/bin/dccproc" inode=3122809 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
> type=PATH msg=audit(1151188279.668:1444): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

dccproc trying to read a temp file created by spamd.

> type=AVC msg=audit(1151188279.672:1446): avc:  denied  { search } for  pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151188279.672:1446): arch=40000003 syscall=12 success=yes exit=0 a0=bff9abe2 a1=0 a2=4891eff4 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=CWD msg=audit(1151188279.672:1446):  cwd="/"
> type=PATH msg=audit(1151188279.672:1446): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0

/var/dcc appears to have lost its label. I wonder how that happened?

> type=AVC msg=audit(1151188279.672:1450): avc:  denied  { node_bind } for  pid=6563 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
> type=SYSCALL msg=audit(1151188279.672:1450): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff9bab0 a2=4891eff4 a3=37 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKADDR msg=audit(1151188279.672:1450): saddr=02000000000000000000000000000000
> type=SOCKETCALL msg=audit(1151188279.672:1450): nargs=3 a0=4 a1=bff9bb54 a2=10

I'm not sure what that's doing. Will look at that again later.

I'm a bit surprised that nothing has turned up for clamassassin. Can't
believe I got that right first time...

Here are the updated policy files:

::::::::::::::
mydcc.fc
::::::::::::::
/usr/local/bin/cdcc             --      gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/local/bin/dccproc          --      gen_context(system_u:object_r:dcc_client_exec_t,s0)

/var/dcc/libexec/dbclean        --      gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/var/dcc/libexec/dccd           --      gen_context(system_u:object_r:dccd_exec_t,s0)
/var/dcc/libexec/dccifd         --      gen_context(system_u:object_r:dccifd_exec_t,s0)
/var/dcc/libexec/dccm           --      gen_context(system_u:object_r:dccm_exec_t,s0)

::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.6)

# ==================================================
# Declarations
# ==================================================

require {
        type dcc_client_t;
}

# ==================================================
# DCC client local policy
# ==================================================

spamassassin_read_spamd_tmp_files(dcc_client_t)


After loading the updated modules, you'll need to do:

# restorecon -rv /var/dcc

Paul.
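As an added illustration (not part of the thread or of the policy modules above), a small Python script that sorts AVC denials like the ones quoted in this message into the three causes Paul works through: a process running in the wrong domain because its executable is mislabelled, a target that has lost its label and needs restorecon, and a genuine policy gap to express as an allow rule or interface call. The sample records are abbreviated copies of those quoted in the thread, and the `expected_domain` map (which comm should run in which domain) is an assumption supplied by the caller.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of the audit records quoted in the thread.
SAMPLE = """\
type=AVC msg=audit(1151025306.136:693): avc:  denied  { search } for  pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 pid=22051 uid=500 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC msg=audit(1151188279.668:1444): avc:  denied  { read } for  pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=AVC msg=audit(1151188279.672:1446): avc:  denied  { search } for  pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=PATH msg=audit(1151188279.672:1446): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PERM = re.compile(r'\{ ([^}]+) \}')          # the { perms } set in an AVC record
MSGID = re.compile(r'msg=audit\(([\d.]+:\d+)\)')  # groups records of one event


def parse_records(text):
    """Group audit records by event id, then by record type (AVC, SYSCALL, PATH, ...)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = MSGID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        p = PERM.search(line)
        if p:
            fields["perms"] = p.group(1).split()
        events[m.group(1)][fields["type"]].append(fields)
    return events


def type_of(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def diagnose(events, expected_domain):
    """Return (event id, cause, suggested action) for every AVC denial."""
    findings = []
    for msgid, recs in sorted(events.items()):
        exe = recs["SYSCALL"][0].get("exe") if recs["SYSCALL"] else None
        paths = [p["name"] for p in recs["PATH"] if p.get("name", "(null)") != "(null)"]
        for avc in recs["AVC"]:
            src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
            want = expected_domain.get(avc["comm"])
            if want and src != want:   # no domain transition: exec file is mislabelled
                findings.append((msgid, "mislabelled_exec",
                                 f"{exe or avc['comm']} ran as {src}, expected {want}: fix its file context and run restorecon"))
            elif tgt == "unlabeled_t":  # target lost its label: relabel, do not write policy
                findings.append((msgid, "relabel", f"restorecon -rv {paths[0] if paths else avc['name']}"))
            else:                       # real policy gap: candidate rule for the .te (or an interface)
                findings.append((msgid, "policy",
                                 f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"))
    return findings


if __name__ == "__main__":
    for msgid, cause, action in diagnose(parse_records(SAMPLE), {"dccproc": "dcc_client_t"}):
        print(f"{msgid}  {cause:17} {action}")
```

The "policy" line is the raw rule; in a module like mydcc.te above the same access is better expressed through the owning module's interface (here `spamassassin_read_spamd_tmp_files`).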
