Kernel audit messages

Russell Coker russell at coker.com.au
Tue Apr 13 13:36:53 UTC 2004


On Tue, 13 Apr 2004 20:36, Mike Chambers <mike at netlyncs.com> wrote:
> I have found these this morning in my logs after the latest kernel from
> rawhide on a FC2T2 system...

I've attached a new procmail policy, please check it out.

I would like to know what procmail is doing with Perl, is it just for 
SpamAssassin?  If so then we probably need a domain transition.

In any case we don't want to grant procmail_t access to shadow_t.  Either the 
access is not needed and we can use a dontaudit, or we need to change 
procmail to use unix_chkpwd or some other method of doing whatever it may 
want to do.  It's bad enough that we have to grant RADIUS servers access to 
it!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
#DESC Procmail - Mail delivery agent for mail servers
#
# Author:  Russell Coker <russell at coker.com.au>
# X-Debian-Packages: procmail
#

#################################
#
# Rules for the procmail_t domain.
#
# procmail_exec_t is the type of the procmail executable.
#
# privhome only works until we define a different type for maildir
type procmail_t, domain, privlog, privhome;
type procmail_exec_t, file_type, sysadmfile, exec_type;

role system_r types procmail_t;

uses_shlib(procmail_t)
allow procmail_t device_t:dir search;
can_network(procmail_t)
can_ypbind(procmail_t)

allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };

allow procmail_t etc_t:dir r_dir_perms;
allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
allow procmail_t etc_t:lnk_file read;
read_locale(procmail_t)
read_sysctl(procmail_t)

allow procmail_t sysctl_t:dir search;

allow procmail_t self:process { setsched fork sigchld signal };
can_exec(procmail_t, { bin_t shell_exec_t })
allow procmail_t bin_t:dir { getattr search };
allow procmail_t bin_t:lnk_file read;
allow procmail_t self:fifo_file rw_file_perms;

allow procmail_t self:unix_stream_socket create_socket_perms;
allow procmail_t self:unix_dgram_socket create_socket_perms;

# for /var/mail
rw_dir_create_file(procmail_t, mail_spool_t)

allow procmail_t var_t:dir { getattr search };
allow procmail_t var_spool_t:dir r_dir_perms;

allow procmail_t fs_t:filesystem getattr;
allow procmail_t { self proc_t }:dir search;
allow procmail_t proc_t:file { getattr read };
allow procmail_t { self proc_t }:lnk_file read;

# for if /var/mail is a symlink to /var/spool/mail
#allow procmail_t mail_spool_t:lnk_file r_file_perms;

# for SpamAssassin
allow procmail_t usr_t:file { getattr ioctl read };

# Search /var/run.
allow procmail_t var_run_t:dir { getattr search };

# Do not audit attempts to access /root.
dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };

allow procmail_t devtty_t:chr_file { read write };

allow procmail_t urandom_device_t:chr_file { getattr read };

ifdef(`sendmail.te', `
r_dir_file(procmail_t, etc_mail_t)
')
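The two policy changes argued for in the message, written out as an added example in the same example-policy style as the attached procmail.te (this is not part of the post or of the Fedora policy tree; the spamassassin_t and spamassassin_exec_t types are assumed, and the domain_auto_trans() macro is assumed to be available as in the example policy of the time):

```selinux
# Added example, not part of the attached procmail.te.
# Assumes the example-policy macros (domain_auto_trans, uses_shlib, ...)
# and an assumed spamassassin_exec_t type on the spamassassin binary.

# 1. Silence the shadow_t denials without granting the access.
#    procmail has no reason to read /etc/shadow, so the access stays
#    denied and only the log noise is suppressed.
dontaudit procmail_t shadow_t:file { getattr read };

# Shown for contrast only: the rule the post warns against.  Granting
# it would let any recipe or bug in procmail read password hashes.
# allow procmail_t shadow_t:file { getattr read };

# 2. Run the Perl-based spam filter in its own domain instead of
#    inheriting procmail_t's capabilities (chown, setuid, dac_override).
type spamassassin_t, domain, privlog;
type spamassassin_exec_t, file_type, sysadmfile, exec_type;
role system_r types spamassassin_t;

# Executing the labelled binary from procmail_t transitions into the
# new domain; the macro also lets the child use the parent's fds and
# pipes, which is how the message is handed over on stdin/stdout.
domain_auto_trans(procmail_t, spamassassin_exec_t, spamassassin_t)

uses_shlib(spamassassin_t)
can_network(spamassassin_t)     # assumed need: DNS-based blocklists
read_locale(spamassassin_t)
allow spamassassin_t etc_t:dir r_dir_perms;
allow spamassassin_t { etc_t etc_runtime_t }:file { getattr read };
allow spamassassin_t usr_t:file { getattr ioctl read };   # rule sets under /usr
allow spamassassin_t self:process { fork sigchld signal };
allow spamassassin_t self:fifo_file rw_file_perms;
allow spamassassin_t self:unix_stream_socket create_socket_perms;

# Nothing in this domain mentions shadow_t: an attempt to read it from
# the filter is denied and logged separately from procmail_t's accesses.
```

With the transition in place, the `usr_t` read rule in procmail.te that exists only for the spam filter can be dropped from procmail_t, shrinking what a compromised procmail can reach.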

