postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Wed Jun 28 20:56:20 UTC 2006


On Wed, 2006-06-28 at 21:13 +0100, Paul Howarth wrote:
> On Wed, 2006-06-28 at 14:22 -0500, Marc Schwartz (via MN) wrote:
> > 
> > <snip old avc's> 
> > <snip new policies>
> > 
> > # semodule -l
> > amavis  1.0.4
> > clamav  1.0.1
> > dcc     1.0.0
> > myclamav        0.1.4
> > mydcc   0.1.8
> > mypostfix       0.1.0
> > mypyzor 0.2.3
> > myspamassassin  0.1.1
> > procmail        0.5.4
> > pyzor   1.0.1
> > razor   1.0.0
> > 
> > 
> > New avc's:
> > 
> > type=AVC msg=audit(1151521329.964:1158): avc:  denied  { search } for  pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 a0=939f848 a1=bffd2e80 a2=721ff4 a3=3 items=1 pid=5442 auid=4294967295 uid=0 gid=0 euid=100 suid=0 fsuid=100 egid=101 sgid=0 fsgid=101 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
> > type=CWD msg=audit(1151521329.964:1158):  cwd="/var/spool/postfix"
> > type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
> 
> postfix local looking in /var/lib/clamav
> 
> > type=AVC msg=audit(1151521329.988:1159): avc:  denied  { search } for  pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 a0=8dd0d60 a1=bfe27a6c a2=4891eff4 a3=0 items=1 pid=5449 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0
> > type=CWD msg=audit(1151521329.988:1159):  cwd="/var/spool/postfix"
> 
> same for procmail
> 
> This appears to be postfix local and procmail trying to
> read /var/lib/clamav/.forward; does that sound reasonable?

There are no .forward files on my system at all, unless that is a temp
file, which does not make sense location-wise.

A Google search came up empty for that file, so I can only presume that
there are certain configuration scenarios where the pipelining of
e-mails would require that file.

Since I am using clamassassin, I also searched through that script and
noted nothing relevant here.

Not sure what else to make of it.

> You can bump myclamav.te to version 0.1.5 and append the following:
> 
> # ===========================================
> # things that should be done via an interface
> # ===========================================
> allow postfix_local_t clamd_var_lib_t:dir r_dir_perms;
> allow procmail_t clamd_var_lib_t:dir r_dir_perms;
> 
> Paul.

Done, including the add in your second e-mail.

# semodule -l
amavis  1.0.4
clamav  1.0.1
dcc     1.0.0
myclamav        0.1.5
mydcc   0.1.8
mypostfix       0.1.0
mypyzor 0.2.3
myspamassassin  0.1.1
procmail        0.5.4
pyzor   1.0.1
razor   1.0.0


No further avc's at this time.

Is it time to venture back into the Enforcing World once again?

Thanks,

Marc
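Added here as a worked illustration, not code from the thread or from either poster: a small Python script that parses the AVC records quoted above the way audit2allow does, merges denials per (source type, target type, class) and emits the allow rules plus the require block a loadable module needs. The sample records are constructed copies of the two denials in the thread, and the module name and version (myclamav 0.1.5) are the ones the thread uses; the r_dir_perms macro Paul suggested is broader than what this minimal generator produces.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread, with one SYSCALL record that is skipped.
AUDIT_SAMPLE = [
    'type=AVC msg=audit(1151521329.964:1158): avc:  denied  { search } for  pid=5442 comm="local" '
    'name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2',
    'type=AVC msg=audit(1151521329.988:1159): avc:  denied  { search } for  pid=5449 comm="procmail" '
    'name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir',
]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denied AVC record, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line) if line.startswith("type=AVC") else None
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type:level; allow rules name only the type (third field).
    src = fields["scontext"].split(":")[2]
    tgt = fields["tcontext"].split(":")[2]
    return src, tgt, fields["tclass"], set(m.group(1).split())

def collect(lines):
    """Merge denials sharing (source, target, class) into one permission set each."""
    needed = defaultdict(set)
    for parsed in filter(None, map(parse_avc, lines)):
        src, tgt, cls, perms = parsed
        needed[(src, tgt, cls)] |= perms
    return dict(needed)

def allow_rules(needed):
    """Grant only the permissions actually denied (audit2allow style); the r_dir_perms
    macro used in the thread grants the whole read-directory set in one rule instead."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

def to_te(name, version, needed):
    """Raw loadable-module .te (the layout audit2allow -M emits) with its require block."""
    types = sorted({t for key in needed for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in needed.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join(out + ["}", ""] + allow_rules(needed)) + "\n"
```

Running `to_te("myclamav", "0.1.5", collect(AUDIT_SAMPLE))` prints a module granting exactly the two `search` permissions seen; further denials (read, getattr) would then surface one at a time in permissive mode, which is why a macro covering the whole read set is the usual shortcut.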
