postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Tue Jun 27 16:20:19 UTC 2006


Marc Schwartz wrote:
> On Tue, 2006-06-27 at 00:05 +0100, Paul Howarth wrote:
>> I share Nicolas' feelings about having hidden directories in /etc; this
>> could be mitigated perhaps by having something like the ".pyzor"
>> directory being replaced by a symlink to a "pyzor" directory.
> 
> No disagreement with either of you here.
> 
> The key here I believe is that we demonstrated a proof of concept, in
> that we can control the locations where these files get written and do
> so in a system-wide fashion. Even if this ends up being unique to FC/FE
> based installations due to SELinux requirements.
> 
> I have no vested interest in the specific locations and only used the
> examples from the SA wiki as the basis for the initial attempt.
> 
> We can certainly come to some appropriate consensus as to where we want
> them, whether higher in /etc or perhaps in /var.
> 
> If you guys provide some feedback, I can make the requisite changes.

I think the main issue isn't really whether the directories live under 
/var, /etc etc., but that they are "hidden" directories with names 
starting with a dot. Can the tools be persuaded to use other, more 
visible directory names?

>> Updated policy:
> 
> <snip>
> 
> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> dcc     1.0.0
> myclamav        0.1.2
> mydcc   0.1.7
> mypostfix       0.1.0
> mypyzor 0.2.2
> myspamassassin  0.1.1
> procmail        0.5.4
> pyzor   1.0.1
> razor   1.0.0
> 
> 
> New avc's:
> 
> type=AVC msg=audit(1151379242.395:1987): avc:  denied  { use } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
> type=AVC msg=audit(1151379242.395:1987): avc:  denied  { write } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1151379242.395:1987): arch=40000003 syscall=11 success=yes exit=0 a0=98dfd60 a1=98df008 a2=98e2bc8 a3=0 items=3 pid=32340 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151379242.395:1987):  path="pipe:[125798]"
> type=AVC_PATH msg=audit(1151379242.395:1987):  path="pipe:[125798]"
> type=CWD msg=audit(1151379242.395:1987):  cwd="/home/marcs"
> type=PATH msg=audit(1151379242.395:1987): item=0 name="/usr/local/bin/clamassassin" inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamassassin_exec_t:s0
> type=PATH msg=audit(1151379242.395:1987): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
> type=PATH msg=audit(1151379242.395:1987): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

I *think* this is clamassassin output being piped into postfix_local_t.

> type=AVC msg=audit(1151379242.411:1988): avc:  denied  { read } for  pid=32344 comm="clamscan" name="[125803]" dev=pipefs ino=125803 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
> type=AVC msg=audit(1151379242.411:1988): avc:  denied  { use } for  pid=32344 comm="clamscan" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
> type=AVC msg=audit(1151379242.411:1988): avc:  denied  { write } for  pid=32344 comm="clamscan" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1151379242.411:1988): arch=40000003 syscall=11 success=yes exit=0 a0=8477c00 a1=8477210 a2=8477dd0 a3=8477d90 items=2 pid=32344 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
> type=AVC_PATH msg=audit(1151379242.411:1988):  path="pipe:[125798]"
> type=AVC_PATH msg=audit(1151379242.411:1988):  path="pipe:[125798]"
> type=AVC_PATH msg=audit(1151379242.411:1988):  path="pipe:[125803]"
> type=CWD msg=audit(1151379242.411:1988):  cwd="/home/marcs"
> type=PATH msg=audit(1151379242.411:1988): item=0 name="/usr/bin/clamscan" inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamscan_exec_t:s0
> type=PATH msg=audit(1151379242.411:1988): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

audit2allow -R suggested clamav_domtrans_clamscan(clamscan_t) for this.

I don't know exactly what's happening here, why audit2allow suggested 
that solution, nor why that solution didn't work (as it was in 
yesterday's version). Any ideas anyone?

I'll add the raw allow rules for now.

> type=AVC msg=audit(1151379270.259:1989): avc:  denied  { search } for  pid=32363 comm="dccproc" name="/" dev=proc ino=1 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
> type=AVC msg=audit(1151379270.259:1989): avc:  denied  { read } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1151379270.259:1989): arch=40000003 syscall=5 success=yes exit=5 a0=489093ef a1=0 a2=1b6 a3=9d26630 items=1 pid=32363 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=CWD msg=audit(1151379270.259:1989):  cwd="/var/dcc"
> type=PATH msg=audit(1151379270.259:1989): item=0 name="/proc/meminfo" inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_t:s0
> type=AVC msg=audit(1151379270.259:1990): avc:  denied  { getattr } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1151379270.259:1990): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfb18dfc a2=4891eff4 a3=5 items=0 pid=32363 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=AVC_PATH msg=audit(1151379270.259:1990):  path="/proc/meminfo"

I think this may be generic startup code, probably dontaudit-able. We'll 
see.

The rest are repeats.

Updated policy:

::::::::::::::
myclamav.te
::::::::::::::
policy_module(myclamav, 0.1.3)

require {
         type clamd_t;
         type clamscan_t;
         type clamscan_tmp_t;
         type freshclam_t;
         type postfix_local_t;
         type procmail_t;
};

type clamassassin_t;
domain_type(clamassassin_t)

type clamassassin_exec_t;
domain_entry_file(clamassassin_t,clamassassin_exec_t)

# ========================================
# clamassassin local policy
# ========================================

# Transition from unconfined for command-line usage
ifdef(`targeted_policy',`
         clamav_domtrans_clamassassin(unconfined_t)
')

# clamassassin uses pipes
allow clamassassin_t self:fifo_file rw_file_perms;

# When clamassassin writes temp files, they're for clamscan to process
# so make them clamscan_tmp_t
allow clamassassin_t clamscan_tmp_t:dir create_dir_perms;
allow clamassassin_t clamscan_tmp_t:file create_file_perms;
files_tmp_filetrans(clamassassin_t, clamscan_tmp_t, { file dir })

# Use shared libraries
libs_use_ld_so(clamassassin_t)
libs_use_shared_libs(clamassassin_t)

# Run binaries such as /bin/mktemp
corecmd_exec_bin(clamassassin_t)
files_search_usr(clamassassin_t)

# Allow clamassassin (mktemp) to read /dev/urandom
dev_read_urand(clamassassin_t)

# Is this clamassassin writing via a pipe to postfix_local_t?
allow clamassassin_t postfix_local_t:fd use;
allow clamassassin_t postfix_local_t:fifo_file write;

# clamassassin probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(clamassassin_t)
kernel_dontaudit_read_system_state(clamassassin_t)

# clamassassin needs to be able to call clamscan
clamav_domtrans_clamscan(clamassassin_t)

# ========================================
# clamd local policy
# ========================================

kernel_read_kernel_sysctls(clamd_t)

# ========================================
# clamscan local policy
# ========================================

# Is this clamscan writing via a pipe to postfix_local_t?
allow clamscan_t postfix_local_t:fd use;
allow clamscan_t postfix_local_t:fifo_file write;

# Is this clamscan_t reading via a pipe from procmail_t?
allow clamscan_t procmail_t:fifo_file read;

# ========================================
# freshclam local policy
# ========================================

# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)

# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.8)

# ==================================================
# Declarations
# ==================================================

require {
         type dcc_client_t;
}

# ==================================================
# DCC client local policy
# ==================================================

allow dcc_client_t self:netlink_route_socket r_netlink_socket_perms;

corenet_udp_bind_inaddr_any_node(dcc_client_t)

# dcc_client probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(dcc_client_t)
kernel_dontaudit_read_system_state(dcc_client_t)

spamassassin_read_spamd_tmp_files(dcc_client_t)



Paul.
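Added example, not part of the original message or of the myclamav/mydcc policies above: a small Python script that does the raw-rule step that audit2allow does (without the -R interface matching), applied to the AVC records quoted in this message. It parses each type=AVC line, keys the denial on (source type, target type, object class) and merges the permissions, so the two clamscan_t denials against postfix_local_t and the read from procmail_t come out as the same raw allow rules that ended up in myclamav.te. The sample input is constructed here from the quoted records with the archive's mid-field line wrapping removed. Treating accesses to proc_t as dontaudit rather than allow is an assumption of this script, mirroring the comment about /proc/meminfo; in a refpolicy module one would use the kernel_dontaudit_* interfaces instead of a raw dontaudit on proc_t, which would also need proc_t in the require block.

```python
"""Minimal audit2allow-style generator: AVC denials -> raw SELinux rules."""
import re
from collections import defaultdict

# Constructed sample: AVC records from this thread, whitespace normalised,
# plus one non-AVC record to show that other audit types are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1151379242.395:1987): avc:  denied  { use } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1151379242.395:1987): avc:  denied  { write } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=CWD msg=audit(1151379242.395:1987):  cwd="/home/marcs"
type=AVC msg=audit(1151379242.411:1988): avc:  denied  { read } for  pid=32344 comm="clamscan" name="[125803]" dev=pipefs ino=125803 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1151379242.411:1988): avc:  denied  { use } for  pid=32344 comm="clamscan" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1151379242.411:1988): avc:  denied  { write } for  pid=32344 comm="clamscan" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1151379270.259:1989): avc:  denied  { search } for  pid=32363 comm="dccproc" name="/" dev=proc ino=1 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1151379270.259:1989): avc:  denied  { read } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1151379270.259:1990): avc:  denied  { getattr } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# Matches the fields of a type=AVC record that a raw rule needs: the denied
# permission set, the source and target security contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # SYSCALL, PATH, CWD etc. carry no permission info
            continue
        yield (context_type(m.group('scon')), context_type(m.group('tcon')),
               m.group('tclass'), set(m.group('perms').split()))


def collect_rules(text):
    """Merge denials into {(stype, ttype, tclass): set_of_perms}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rule(stype, ttype, tclass, perms, kind='allow'):
    """Render one rule in policy syntax; multiple perms get brace grouping."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f'{kind} {stype} {ttype}:{tclass} {body};'


def render_policy(text, dontaudit_targets=('proc_t',)):
    """One rule per (source, target, class), sorted for stable output.

    Assumption of this example: accesses whose target type is listed in
    dontaudit_targets are noise to be silenced (dontaudit), not granted.
    """
    lines = []
    for (stype, ttype, tclass), perms in sorted(collect_rules(text).items()):
        kind = 'dontaudit' if ttype in dontaudit_targets else 'allow'
        lines.append(format_rule(stype, ttype, tclass, perms, kind))
    return lines


if __name__ == '__main__':
    print('\n'.join(render_policy(SAMPLE_AVCS)))
```

Running it prints seven rules; the five pipe-related ones are exactly the raw allow rules in the clamassassin and clamscan sections of myclamav.te, which makes it easy to check by eye that the hand-written policy covers every denial in the log and nothing more.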