postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Mon Jul 17 13:58:33 UTC 2006


On Fri, 2006-07-14 at 18:14 +0100, Paul Howarth wrote:

<snip>

> I think I've got to the bottom of this now. I actually installed 
> perl-Razor-Agent myself (I'm using sendmail but that doesn't really 
> matter) to figure out what was happening.
> 
> razor, like spamassassin, is written in perl. This allows spamassassin 
> to call razor directly by simply using the razor perl modules rather 
> than the razor client "binaries" in /usr/bin. Thus spamassassin runs a 
> razor client in its own domain, spamd_t. There is in fact no need for a 
> domain transition from spamd_t to razor_t.
> 
> Now to get rid of the AVCs. Please update to the policy modules included 
> below. Then:
> 
> # mkdir /var/log/spamassassin
> # restorecon -v /var/log/spamassassin
> 
> Edit /etc/mail/spamassassin/razor/razor-agent.conf and set:
> 
> logfile                = /var/log/spamassassin/razor-agent.log
> 
> Then restart spamassassin.

Thanks Paul.  I appreciate your persistence with this.

All done.

> >> Any thoughts on why dccproc might be wanting to read 
> >> /root/.rh-fontconfig/.fonts.cache-2?
> > 
> > No definitive answer.
> > 
> > Checking the dcc source code tree using grep, the only references to
> > 'font' are in the cgi-bin files (common and common.in) and then in the
> > HTML files (FAQ.HTML and INSTALL.HTML).
> 
> I think this is probably a leaked file descriptor. I don't know where 
> the leak is or what to do about it though.

<snip of policies>

Latest AVCs below, subsequent to the updates and reboots. I have tried
to remove a lot of the dups. If you need more info, let me know.

Marc


type=AVC msg=audit(1153023605.343:2448): avc:  denied  { getattr } for  pid=11448 comm="spamd" name="dccproc" dev=hdc7 ino=1245188 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1153023605.343:2448): arch=40000003 syscall=195 success=no exit=-13 a0=999da10 a1=95f30c8 a2=4891eff4 a3=999da10 items=1 pid=11448 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC_PATH msg=audit(1153023605.343:2448):  path="/usr/local/bin/dccproc"
type=CWD msg=audit(1153023605.343:2448):  cwd="/"
type=PATH msg=audit(1153023605.343:2448): item=0 name="/usr/local/bin/dccproc" inode=1245188 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=AVC msg=audit(1153023963.916:2467): avc:  denied  { getattr } for  pid=11448 comm="spamd" name="dccproc" dev=hdc7 ino=1245188 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1153023963.916:2467): arch=40000003 syscall=195 success=no exit=-13 a0=999da10 a1=95f30c8 a2=4891eff4 a3=999da10 items=1 pid=11448 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC_PATH msg=audit(1153023963.916:2467):  path="/usr/local/bin/dccproc"
type=CWD msg=audit(1153023963.916:2467):  cwd="/"
type=PATH msg=audit(1153024204.542:2488): item=0 name="/usr/local/bin/dccproc" inode=1245188 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=AVC msg=audit(1153024564.267:2507): avc:  denied  { name_bind } for  pid=11448 comm="spamd" src=7002 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:afs_pt_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153024564.267:2507): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa7e6e0 a2=2b5b8c a3=10 items=0 pid=11448 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=SOCKADDR msg=audit(1153024564.267:2507): saddr=02001B5A000000000000000000000000
type=SOCKETCALL msg=audit(1153024564.267:2507): nargs=3 a0=b a1=a238438 a2=10
type=PATH msg=audit(1153028525.987:2792): item=0 name="/usr/local/bin/dccproc" inode=1245188 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=AVC msg=audit(1153029648.965:2883): avc:  denied  { search } for  pid=9095 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1153029648.965:2883): arch=40000003 syscall=12 success=no exit=-13 a0=bfd65a42 a1=0 a2=4891eff4 a3=37 items=1 pid=9095 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:spamd_t:s0
type=CWD msg=audit(1153029648.965:2883):  cwd="/"
type=PATH msg=audit(1153029648.965:2883): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dcc_var_t:s0
type=AVC msg=audit(1153030201.398:2924): avc:  denied  { read } for  pid=11167 comm="restorecon" name="[220111]" dev=pipefs ino=220111 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1153030201.398:2924): avc:  denied  { write } for  pid=11167 comm="restorecon" name="[220112]" dev=pipefs ino=220112 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1153030201.398:2924): avc:  denied  { write } for  pid=11167 comm="restorecon" name="[220112]" dev=pipefs ino=220112 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=fifo_file
type=SYSCALL msg=audit(1153030201.398:2924): arch=40000003 syscall=11 success=yes exit=0 a0=89ad188 a1=89ad320 a2=89ad258 a3=89acfc0 items=2 pid=11167 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="restorecon" exe="/sbin/restorecon" subj=user_u:system_r:restorecon_t:s0
type=AVC_PATH msg=audit(1153030201.398:2924):  path="pipe:[220112]"
type=AVC_PATH msg=audit(1153030201.398:2924):  path="pipe:[220112]"
type=AVC_PATH msg=audit(1153030201.398:2924):  path="pipe:[220111]"
type=CWD msg=audit(1153030201.398:2924):  cwd="/"
type=PATH msg=audit(1153030201.398:2924): item=0 name="/sbin/restorecon" inode=3542952 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:restorecon_exec_t:s0
type=PATH msg=audit(1153030201.398:2924): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1153030201.414:2925): avc:  denied  { sigchld } for  pid=11161 comm="crond" scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1153030201.414:2925): arch=40000003 syscall=114 success=no exit=-10 a0=ffffffff a1=bfbc27f0 a2=0 a3=0 items=0 pid=11161 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c255
type=AVC msg=audit(1153030261.495:2940): avc:  denied  { read } for  pid=11202 comm="restorecon" name="[220497]" dev=pipefs ino=220497 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1153030261.495:2940): avc:  denied  { write } for  pid=11202 comm="restorecon" name="[220498]" dev=pipefs ino=220498 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1153030261.495:2940): avc:  denied  { write } for  pid=11202 comm="restorecon" name="[220498]" dev=pipefs ino=220498 scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1153030261.515:2941): avc:  denied  { sigchld } for  pid=11201 comm="crond" scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1153030261.515:2941): arch=40000003 syscall=114 success=no exit=-10 a0=ffffffff a1=bfbc27f0 a2=0 a3=0 items=0 pid=11201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c255
type=SYSCALL msg=audit(1153030261.495:2940): arch=40000003 syscall=11 success=yes exit=0 a0=84d91a0 a1=84d9340 a2=84d9278 a3=84d8fb8 items=2 pid=11202 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="restorecon" exe="/sbin/restorecon" subj=user_u:system_r:restorecon_t:s0
type=AVC_PATH msg=audit(1153030261.495:2940):  path="pipe:[220498]"
type=AVC_PATH msg=audit(1153030261.495:2940):  path="pipe:[220498]"
type=AVC_PATH msg=audit(1153030261.495:2940):  path="pipe:[220497]"
type=CWD msg=audit(1153030261.495:2940):  cwd="/"
type=PATH msg=audit(1153030261.495:2940): item=0 name="/sbin/restorecon" inode=3542952 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:restorecon_exec_t:s0
type=PATH msg=audit(1153030261.495:2940): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1153030444.617:2952): avc:  denied  { getattr } for  pid=11448 comm="spamd" name="dccproc" dev=hdc7 ino=3135647 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1153030444.617:2952): arch=40000003 syscall=195 success=no exit=-13 a0=999da10 a1=95f30c8 a2=4891eff4 a3=999da10 items=1 pid=11448 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC_PATH msg=audit(1153030444.617:2952):  path="/usr/local/bin/dccproc"
type=CWD msg=audit(1153030444.617:2952):  cwd="/"
type=PATH msg=audit(1153052884.204:4562): item=0 name="/usr/local/bin/dccproc" inode=3135647 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=AVC msg=audit(1153053408.030:4599): avc:  denied  { execmod } for  pid=6019 comm="ld-linux.so.2" name="libGLcore.so.1.0.8762" dev=hdc7 ino=3116816 scontext=user_u:system_r:prelink_t:s0 tcontext=root:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1153053408.030:4599): arch=40000003 syscall=125 success=no exit=-13 a0=5c8000 a1=78e000 a2=5 a3=bf84c100 items=0 pid=6019 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.4.so" subj=user_u:system_r:prelink_t:s0
type=AVC_PATH msg=audit(1153053408.030:4599):  path="/usr/lib/libGLcore.so.1.0.8762"
type=AVC msg=audit(1153053408.034:4600): avc:  denied  { execmod } for  pid=6022 comm="ld-linux.so.2" name="libnvidia-tls.so.1.0.8762" dev=hdc7 ino=3117829 scontext=user_u:system_r:prelink_t:s0 tcontext=root:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1153053408.034:4600): arch=40000003 syscall=125 success=no exit=-13 a0=a3e000 a1=1000 a2=5 a3=bfc98d40 items=0 pid=6022 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.4.so" subj=user_u:system_r:prelink_t:s0
type=AVC_PATH msg=audit(1153053408.034:4600):  path="/usr/lib/tls/libnvidia-tls.so.1.0.8762"
type=AVC msg=audit(1153054263.049:4661): avc:  denied  { getattr } for  pid=11448 comm="spamd" name="dccproc" dev=hdc7 ino=3135647 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1153054263.049:4661): arch=40000003 syscall=195 success=no exit=-13 a0=999da10 a1=95f30c8 a2=4891eff4 a3=999da10 items=1 pid=11448 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC_PATH msg=audit(1153054263.049:4661):  path="/usr/local/bin/dccproc"
type=CWD msg=audit(1153054263.049:4661):  cwd="/"
type=PATH msg=audit(1153116601.146:9086): item=0 name="/sbin/restorecon" inode=3542952 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:restorecon_exec_t:s0
type=PATH msg=audit(1153116601.146:9086): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1153116605.562:9094): avc:  denied  { create } for  pid=25363 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1153116605.562:9094): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf9fbd58 a2=4891eff4 a3=806a0ff items=0 pid=25363 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:spamd_t:s0
type=SOCKETCALL msg=audit(1153116605.562:9094): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1153116605.562:9095): avc:  denied  { search } for  pid=25363 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1153116605.562:9095): arch=40000003 syscall=12 success=no exit=-13 a0=bf9faec2 a1=0 a2=4891eff4 a3=806a0ff items=1 pid=25363 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:spamd_t:s0
type=CWD msg=audit(1153116605.562:9095):  cwd="/"
type=PATH msg=audit(1153116605.562:9095): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dcc_var_t:s0
type=PATH msg=audit(1153116661.743:9100): item=0 name="/sbin/restorecon" inode=3542952 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:restorecon_exec_t:s0
type=PATH msg=audit(1153116661.743:9100): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1153116661.751:9101): avc:  denied  { sigchld } for  pid=25592 comm="crond" scontext=user_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1153116661.751:9101): arch=40000003 syscall=114 success=no exit=-10 a0=ffffffff a1=bfbc27f0 a2=0 a3=0 items=0 pid=25592 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c255
type=AVC msg=audit(1153116905.512:9124): avc:  denied  { getattr } for  pid=11448 comm="spamd" name="dccproc" dev=hdc7 ino=3135642 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1153116905.512:9124): arch=40000003 syscall=195 success=no exit=-13 a0=999da10 a1=95f30c8 a2=4891eff4 a3=999da10 items=1 pid=11448 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC_PATH msg=audit(1153116905.512:9124):  path="/usr/local/bin/dccproc"
type=CWD msg=audit(1153116905.512:9124):  cwd="/"
type=PATH msg=audit(1153138559.711:8): item=0 name="/var/run/utmp" inode=87750 dev=fd:01 mode=0100664 ouid=0 ogid=22 rdev=00:00 obj=system_u:object_r:init_var_run_t:s0
type=AVC msg=audit(1153138559.715:9): avc:  denied  { read } for  pid=2374 comm="mingetty" name="utmp" dev=dm-1 ino=87750 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1153138559.715:9): arch=40000003 syscall=5 success=no exit=-13 a0=48909fd4 a1=0 a2=804a000 a3=48909fda items=1 pid=2374 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mingetty" exe="/sbin/mingetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153138559.715:9):  cwd="/"
type=PATH msg=audit(1153138559.715:9): item=0 name="/var/run/utmp" inode=87750 dev=fd:01 mode=0100664 ouid=0 ogid=22 rdev=00:00 obj=system_u:object_r:init_var_run_t:s0
type=AVC msg=audit(1153138559.715:10): avc:  denied  { read write } for  pid=2374 comm="mingetty" name="utmp" dev=dm-1 ino=87750 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1153138559.715:10): arch=40000003 syscall=5 success=no exit=-13 a0=48909fd4 a1=2 a2=0 a3=48909fda items=1 pid=2374 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mingetty" exe="/sbin/mingetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153138559.715:10):  cwd="/"
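An added example, not code from this thread and not part of any SELinux tool: a small Python helper that does by machine what the post above does by hand, collapsing repeated AVC records into distinct (source type, target type, object class, permissions) groups so each remaining denial can be reviewed once. The records embedded as SAMPLE_AUDIT are excerpted from this post with the archive's line wraps repaired; `allow_rule` emits only a skeleton in standard policy syntax for comparison against a policy module, since whether a group calls for a policy change or for a relabel (as with the restorecon step quoted above) is a decision to make per group, not mechanically.

```python
"""Group Linux audit AVC denial records for review (added example, not from the thread)."""
import re

# Audit records are key=value fields; quoted values (comm, name, exe) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set sits between braces: avc:  denied  { read write } for ...
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")

# Excerpted from the post above (line wraps repaired), including one SYSCALL record
# so the parser's handling of non-AVC records is exercised.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1153023605.343:2448): avc:  denied  { getattr } for  pid=11448 comm="spamd" name="dccproc" dev=hdc7 ino=1245188 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1153023605.343:2448): arch=40000003 syscall=195 success=no exit=-13 pid=11448 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC msg=audit(1153023963.916:2467): avc:  denied  { getattr } for  pid=11448 comm="spamd" name="dccproc" dev=hdc7 ino=1245188 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=AVC msg=audit(1153029648.965:2883): avc:  denied  { search } for  pid=9095 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=AVC msg=audit(1153138559.715:10): avc:  denied  { read write } for  pid=2374 comm="mingetty" name="utmp" dev=dm-1 ino=87750 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
"""


def parse_avc(line):
    """Return the interesting fields of a type=AVC denial, or None for any other record."""
    if not line.startswith("type=AVC "):
        return None
    perms = PERMS_RE.search(line)
    if perms is None:  # e.g. a "granted" record; only denials are of interest here
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": tuple(perms.group(1).split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def context_type(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize(lines):
    """Collapse AVC denials into (stype, ttype, tclass, perms) groups.

    Returns a list of (key, count, sorted comms, sorted object names), most frequent first.
    """
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        g = groups.setdefault(key, {"count": 0, "comms": set(), "names": set()})
        g["count"] += 1
        if rec["comm"]:
            g["comms"].add(rec["comm"])
        if rec["name"]:
            g["names"].add(rec["name"])
    return sorted(((k, g["count"], sorted(g["comms"]), sorted(g["names"]))
                   for k, g in groups.items()),
                  key=lambda entry: (-entry[1], entry[0]))


def allow_rule(key):
    """Render a group as an allow statement in SELinux policy syntax, for review only."""
    stype, ttype, tclass, perms = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    # Reading the real log instead: summarize(open("/var/log/audit/audit.log"))
    for key, count, comms, names in summarize(SAMPLE_AUDIT.splitlines()):
        print(f"{count:3d}x {allow_rule(key)}   # comm={','.join(comms)} name={','.join(names)}")
```

Grouping on the type component of the context (rather than the full context, which carries the MLS range) is what keeps the crond_t denials with and without the s0-s0:c0.c255 range in one group; the comm and name columns are kept so that a group such as spamd_t reading dcc_client_exec_t can be traced back to the process and file that triggered it.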





More information about the fedora-selinux-list mailing list