postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Fri Jul 21 17:26:52 UTC 2006


Marc Schwartz (via MN) wrote:
> On Fri, 2006-07-21 at 18:06 +0100, Paul Howarth wrote:
>> Marc Schwartz (via MN) wrote:
>>> Well, after a couple of days and several re-boots, the following is the
>>> only avc so far:
>>>
>>> type=AVC msg=audit(1153435170.422:48): avc:  denied  { search } for  pid=15586 comm="clamscan" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
>>> type=SYSCALL msg=audit(1153435170.422:48): arch=40000003 syscall=10 success=no exit=-13 a0=9730020 a1=1 a2=448ce93c a3=972f7e0 items=1 pid=15586 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
>>> type=CWD msg=audit(1153435170.422:48):  cwd="/home/marcs"
>>> type=PATH msg=audit(1153435170.422:48): item=0 name="tnef" parent=58512 dev=fd:02 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:clamscan_tmp_t:s0
>>>
>>> I am running in Enforcing mode.
>> It appears to be trying to look in your home directory whilst scanning a 
>> temporary file called "tnef".
> 
> 'tnef' files (Transport Neutral Encapsulation Format) are a MIME type
> coming from Winders Outlook users. They tend to show up in Evolution as
> 'winmail.dat' attachments, which then require a tnef viewer such as tnef
> or KTnef or similar to open and view:
> 
> http://sourceforge.net/projects/tnef
> 
> I do occasionally get this from co-workers and others who are on
> Windows.
> 
>> The program appears to be running in your home directory, probably since 
>> it's running from your .procmailrc and clamassassin. I wonder if this 
>> can be dontaudited? Any idea whether the scan of this file worked or not?
> 
> I can confirm that I have received at least one 'tnef' type attachment
> in the past 48 hours, which came through to Evo without problem. These
> would not normally be picked up as a virus/worm, etc. via scanners.

I'd expect you to get one of these AVCs for each scanned attachment; 
have you only seen the one instance?

Could you try getting it to scan something that should be detected as 
"bad" and make sure it works?

Paul.
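
The check asked about above (does this denial recur for each scanned attachment, and is it a dontaudit candidate?) can be scripted; the following Python is an added example, not part of the original thread or of any SELinux tool. The function names are hypothetical, the sample input is the set of records quoted in the message, and the generated `dontaudit` line is only a candidate for policy review.

```python
import re
from collections import Counter, defaultdict
# Sample input: the audit records quoted in the message above.
SAMPLE_LOG = """\
type=AVC msg=audit(1153435170.422:48): avc:  denied  { search } for  pid=15586 comm="clamscan" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:clamscan_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1153435170.422:48): arch=40000003 syscall=10 success=no exit=-13 a0=9730020 a1=1 a2=448ce93c a3=972f7e0 items=1 pid=15586 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=CWD msg=audit(1153435170.422:48):  cwd="/home/marcs"
type=PATH msg=audit(1153435170.422:48): item=0 name="tnef" parent=58512 dev=fd:02 mode=0100600 ouid=500 ogid=500 rdev=00:00 obj=system_u:object_r:clamscan_tmp_t:s0
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

def parse_events(log_text):
    """Group records by audit event id (timestamp:serial) -> {record type: fields}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            fields["perms"] = " ".join(PERMS.findall(body)).split()
        events[event_id].setdefault(rtype, fields)  # keep the first record of each type
    return events

def summarize(events):
    """Count denials per (source type, target type, class, perm); note cwd and path name."""
    counts, details = Counter(), defaultdict(set)
    for ev in events.values():
        avc = ev.get("AVC")
        if avc is None:
            continue
        stype, ttype = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        for perm in avc["perms"]:
            key = (stype, ttype, avc["tclass"], perm)
            counts[key] += 1
            details[key].add((ev.get("CWD", {}).get("cwd"), ev.get("PATH", {}).get("name")))
    return counts, details

def dontaudit_rule(key):
    return "dontaudit %s %s:%s %s;" % key  # silences the log entry; does not allow the access

if __name__ == "__main__":
    counts, details = summarize(parse_events(SAMPLE_LOG))
    for key, n in counts.items():
        print(n, dontaudit_rule(key), sorted(details[key]))
```

Run against the contents of the audit log instead of `SAMPLE_LOG`, the per-key count shows whether the denial appears once or once per scanned attachment.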



