postfix, procmail and SELinux - No Go
Paul Howarth
paul at city-fan.org
Sun Jun 25 08:40:27 UTC 2006
On Sat, 2006-06-24 at 17:40 -0500, Marc Schwartz wrote:
> On Sat, 2006-06-24 at 10:12 +0100, Paul Howarth wrote:
> > On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:
(snip)
> > > > > /.razor/*
> > > >
> > > > That looks rather dubious.
> > >
> > > I initially thought that these files in / were from the initial install.
> > >
> > > However, the dates on the log files in that path are current as of last
> > > night, when the cron jobs run.
> >
> > What are the cron jobs doing? We need to find a way of stopping them
> > writing here. There's no way I'm going to add policy to allow this.
>
> Here are the key entries:
>
> # Run ClamAV Update every hour
> 00 * * * * root freshclam --quiet
>
> # Run DCC Update at 1 am
> 00 01 * * * root /var/dcc/libexec/updatedcc > /dev/null
This one seems OK as it's not trying to write anything in the root
directory.
> # Run pyzor update at 1:10 am
> 10 01 * * * root /usr/bin/pyzor discover > /dev/null
>
> # Run razor update at 1:20 am
> 20 01 * * * root /usr/bin/razor-admin -discover > /dev/null
>
>
> updatedcc downloads and builds an updated DCC client each night.
>
> 'pyzor discover' updates the pyzor server list.
>
> 'razor-admin -discover' does the same for the razor servers.
Can these be made to write files somewhere other than /.razor etc?
Are the files written there just like the ones for regular users, e.g.
default preference settings?
> > > type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontex t=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 p id=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> >
> > Failed to transition to dcc type, which will be because dccproc isn't
> > labelled correctly (it's in /usr/local/bin but policy expects it
> > in /usr/bin). Please check in dcc.fc if there are any other programs not
> > in the right place.
>
> These files:
>
> /usr/bin/cdcc
> /usr/bin/dccproc
>
> are in:
>
> /usr/local/bin/cdcc
> /usr/local/bin/dccproc
Got those yesterday :-)
> The files that are listed in /usr/libexec/dcc are in /var/dcc/libexec.
OK, added those file contexts.
> # semodule -l
> amavis 1.0.4
> clamav 1.0.1
> dcc 1.0.0
> myclamav 0.1.1
> mydcc 0.1.5
> mypostfix 0.1.0
> mypyzor 0.2.1
> myspamassassin 0.1.1
> procmail 0.5.4
> pyzor 1.0.1
> razor 1.0.0
>
>
> New messages:
>
> type=AVC msg=audit(1151188279.668:1444): avc: denied { read } for pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1151188279.668:1444): arch=40000003 syscall=11 success=yes exit=0 a0=a6eece8 a1=9c6f400 a2=a8f8b08 a3=bfec81ac items=2 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=AVC_PATH msg=audit(1151188279.668:1444): path="/tmp/.spamassassin2378EoApLctmp"
> type=CWD msg=audit(1151188279.668:1444): cwd="/"
> type=PATH msg=audit(1151188279.668:1444): item=0 name="/usr/local/bin/dccproc" inode=3122809 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
> type=PATH msg=audit(1151188279.668:1444): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
dccproc trying to read a temp file created by spamd.
> type=AVC msg=audit(1151188279.672:1446): avc: denied { search } for pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151188279.672:1446): arch=40000003 syscall=12 success=yes exit=0 a0=bff9abe2 a1=0 a2=4891eff4 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=CWD msg=audit(1151188279.672:1446): cwd="/"
> type=PATH msg=audit(1151188279.672:1446): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
/var/dcc appears to have lost its label. I wonder how that happened?
> type=AVC msg=audit(1151188279.672:1450): avc: denied { node_bind } for pid=6563 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
> type=SYSCALL msg=audit(1151188279.672:1450): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff9bab0 a2=4891eff4 a3=37 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKADDR msg=audit(1151188279.672:1450): saddr=02000000000000000000000000000000
> type=SOCKETCALL msg=audit(1151188279.672:1450): nargs=3 a0=4 a1=bff9bb54 a2=10
I'm not sure what's that's doing. Will look at that again later.
I'm a bit surprised that nothing has turned up for clamassassin. Can''t
believe I got that right first time...
Here's the updated policy files:
::::::::::::::
mydcc.fc
::::::::::::::
/usr/local/bin/cdcc --
gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/local/bin/dccproc --
gen_context(system_u:object_r:dcc_client_exec_t,s0)
/var/dcc/libexec/dbclean --
gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
/var/dcc/libexec/dccd --
gen_context(system_u:object_r:dccd_exec_t,s0)
/var/dcc/libexec/dccifd --
gen_context(system_u:object_r:dccifd_exec_t,s0)
/var/dcc/libexec/dccm --
gen_context(system_u:object_r:dccm_exec_t,s0)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.6)
# ==================================================
# Declarations
# ==================================================
require {
type dcc_client_t;
}
# ==================================================
# DCC client local policy
# ==================================================
spamassassin_read_spamd_tmp_files(dcc_client_t)
After loading the updated modules, you'll need to do:
# restorecon -rv /var/dcc
Paul.
More information about the fedora-selinux-list
mailing list