postfix, procmail and SELinux - No Go
Marc Schwartz
MSchwartz at mn.rr.com
Fri Jun 2 03:28:28 UTC 2006
On Thu, 2006-06-01 at 13:00 +0100, Paul Howarth wrote:
> Marc Schwartz wrote:
<snip>
> > Now for grep "dcc":
<snip of audit.log entries for 'dcc'>
As an FYI, I ran:
sudo /sbin/fixfiles check
and it came back with no errors.
> These all appear to be dccproc doing read/write/lock operations on
> /var/dcc/map. This is happening in the spamd_t domain, which seems wrong
> to me since spamd_t should transition to dcc_client_t. Check what the
> context of /usr/local/bin/dccproc is; I think it should be
> dcc_client_exec_t (and it would be if it was in /usr/bin).
user_u:object_r:bin_t /usr/local/bin/dccproc
So:
sudo chcon -u system_u -t dcc_client_exec_t /usr/local/bin/dccproc
?
> Also, /var/dcc and everything under it apart from /var/dcc/map should be
> dcc_var_t; /var/dcc/map should be dcc_client_map_t.
Everything in that tree is:
user_u:object_r:var_t
So:
sudo chcon -u system_u -t dcc_var_t -R /var/dcc
sudo chcon -u system_u -t dcc_client_map_t /var/dcc/map
?
> You might check out the file contexts from the dcc policy module (listed
> below) and check that everything else is labelled correctly in the
> places you have installed them:
> /etc/dcc(/.*)?
> gen_context(system_u:object_r:dcc_var_t,s0)
> /etc/dcc/dccifd -s
> gen_context(system_u:object_r:dccifd_var_run_t,s0)
> /etc/dcc/map --
> gen_context(system_u:object_r:dcc_client_map_t,s0)
There is no /etc/dcc tree.
> /usr/bin/cdcc --
> gen_context(system_u:object_r:cdcc_exec_t,s0)
> /usr/bin/dccproc --
> gen_context(system_u:object_r:dcc_client_exec_t,s0)
user_u:object_r:bin_t /usr/local/bin/cdcc
user_u:object_r:bin_t /usr/local/bin/dccproc
So:
sudo chcon -u system_u -t cdcc_exec_t /usr/local/bin/cdcc
sudo chcon -u system_u -t dcc_client_exec_t /usr/local/bin/dccproc
?
> /usr/libexec/dcc/dbclean --
> gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
user_u:object_r:var_t /var/dcc/libexec/dbclean
So:
sudo chcon -u system_u -t dcc_dbclean_exec_t /var/dcc/libexec/dbclean
?
> /usr/libexec/dcc/dccd --
> gen_context(system_u:object_r:dccd_exec_t,s0)
user_u:object_r:var_t /var/dcc/libexec/dccd
So:
sudo chcon -u system_u -t dccd_exec_t /var/dcc/libexec/dccd
?
> /usr/libexec/dcc/dccifd --
> gen_context(system_u:object_r:dccifd_exec_t,s0)
user_u:object_r:var_t /var/dcc/libexec/dccifd
So:
sudo chcon -u system_u -t dccifd_exec_t /var/dcc/libexec/dccifd
?
> /usr/libexec/dcc/dccm --
> gen_context(system_u:object_r:dccm_exec_t,s0)
There is no /usr/libexec/dcc/dccm, though there is
a /var/dcc/libexec/start-dccm
?
> /var/dcc(/.*)?
> gen_context(system_u:object_r:dcc_var_t,s0)
> /var/dcc/map --
> gen_context(system_u:object_r:dcc_client_map_t,s0)
Fixed above I believe...
> /var/run/dcc(/.*)?
> gen_context(system_u:object_r:dcc_var_run_t,s0)
> /var/run/dcc/map --
> gen_context(system_u:object_r:dcc_client_map_t,s0)
> /var/run/dcc/dccifd -s
> gen_context(system_u:object_r:dccifd_var_run_t,s0)
There is no /var/run/dcc tree.
I am getting the feeling that the default policy tree structure does not
fully agree with the default dcc installation tree structure using the
tarball from Rhyolite.
Is some of this due to my using postfix and not sendmail?
> > For grep "razor":
> >
> > type=AVC msg=audit(1149102177.498:8243): avc: denied { append } for
> > pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923
> > scontext=system_u:system_r:spamd_t:s0
> > tcontext=system_u:object_r:default_t:s0 tclass=file
>
> default_t file should have been relabelled by now.
Curiously, there are three razor-agent.log files:
system_u:object_r:default_t /razor-agent.log
user_u:object_r:default_t /.razor/razor-agent.log
user_u:object_r:user_home_t /home/marcs/.razor/razor-agent.log
The first one above is dated yesterday, the second one from today and
the third one from today. My local user copy being dated this evening.
> Again, check out the default contexts for razor and make sure that the
> files in the locations you have installed it to have the right contexts:
>
> ifdef(`strict_policy',`
> HOME_DIR/\.razor(/.*)?
> gen_context(system_u:object_r:ROLE_razor_home_t,s0)
> ')
If I read this correctly, my local user tree files in:
/home/marcs/.razor
are all:
user_u:object_r:user_home_t
The files in:
/.razor
are all:
system_u:object_r:default_t
except for the log file mentioned above which is:
user_u:object_r:default_t
> /etc/razor(/.*)?
> gen_context(system_u:object_r:razor_etc_t,s0)
There is no /etc/razor tree.
> /usr/bin/razor.* --
> gen_context(system_u:object_r:razor_exec_t,s0)
Files here are:
/usr/bin/razor-admin
/usr/bin/razor-check
/usr/bin/razor-client
/usr/bin/razor-report
/usr/bin/razor-revoke
and are:
system_u:object_r:bin_t
So:
sudo chcon -t razor_exec_t /usr/bin/razor*
?
> /var/lib/razor(/.*)?
> gen_context(system_u:object_r:razor_var_lib_t,s0)
There is no /var/lib/razor tree.
> /var/log/razor-agent.log --
> gen_context(system_u:object_r:razor_log_t,s0)
No log file here.
Finally, here are some updated entries in audit.log since the updated
policy last night:
For grep "procmail":
type=AVC msg=audit(1149210123.848:615): avc: denied { getattr } for pid=14642 comm="clamscan" name="clamassassinmsg.UFZVw14635" dev=hdc6 ino=18 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1149211441.847:718): avc: denied { read } for pid=16548 comm="clamscan" name="clamassassinmsg.InjWm16541" dev=hdc6 ino=18 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1149211441.847:718): avc: denied { write } for pid=16548 comm="clamscan" name="clamassassinlog.ieiqW16542" dev=hdc6 ino=19 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
This is a repeating loop of entries all for 'clamscan' it seems.
For grep 'postfix':
type=AVC msg=audit(1149200642.921:4794): avc: denied { use } for pid=19149 comm="clamscan" name="[425692]" dev=pipefs ino=425692 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149200642.921:4794): avc: denied { write } for pid=19149 comm="clamscan" name="[425692]" dev=pipefs ino=425692 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1149203919.092:6): avc: denied { getattr } for pid=2051 comm="sh" name="mailq.postfix.1.gz" dev=hdc7 ino=3132510 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=AVC_PATH msg=audit(1149203919.092:6): path="/usr/share/man/man1/mailq.postfix.1.gz"
type=CWD msg=audit(1149203919.092:6): cwd="/var/spool/postfix"
type=PATH msg=audit(1149203919.092:6): item=0 name="/usr/share/man/man1/mailq.postfix.1.gz" flags=1 inode=3132510 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149204089.649:65): avc: denied { use } for pid=3994 comm="clamscan" name="[13293]" dev=pipefs ino=13293 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149204089.649:65): avc: denied { write } for pid=3994 comm="clamscan" name="[13293]" dev=pipefs ino=13293 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
Also seems to be heavily related to 'clamscan'
For grep 'pyzor':
type=AVC_PATH msg=audit(1149211924.334:836): path="/home/marcs/.pyzor"
type=PATH msg=audit(1149211924.334:836): item=0 name="/home/marcs/.pyzor" flags=1 inode=427255 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149211924.334:837): avc: denied { getattr } for pid=21149 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1149211924.334:837): arch=40000003 syscall=195 success=yes exit=0 a0=973ffb0 a1=bf93ab48 a2=4891eff4 a3=970c1b0 items=1 pid=21149 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149211924.334:837): path="/home/marcs/.pyzor/servers"
type=PATH msg=audit(1149211924.334:837): item=0 name="/home/marcs/.pyzor/servers" flags=1 inode=427256 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149211924.334:838): avc: denied { read } for pid=21149 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1149211924.334:838): arch=40000003 syscall=5 success=yes exit=3 a0=97a53d0 a1=8000 a2=1b6 a3=975eb90 items=1 pid=21149 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=PATH msg=audit(1149211924.334:838): item=0 name="/home/marcs/.pyzor/servers" flags=101 inode=427256 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149211924.334:839): avc: denied { search } for pid=21149 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149211924.334:839): avc: denied { write } for pid=21149 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149211924.334:839): avc: denied { add_name } for pid=21149 comm="pyzor" name="zZU--3" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1149211924.334:839): arch=40000003 syscall=5 success=yes exit=4 a0=97a53d0 a1=280c2 a2=180 a3=280c2 items=1 pid=21149 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC msg=audit(1149211924.334:840): avc: denied { remove_name } for pid=21149 comm="pyzor" name="zZU--3" dev=hdc6 ino=19 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
For grep 'clam':
type=SYSCALL msg=audit(1149216362.498:1153): arch=40000003 syscall=3 success=yes exit=16384 a0=5 a1=8a84c28 a2=4000 a3=0 items=0 pid=29037 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC_PATH msg=audit(1149216362.498:1153): path="/tmp/clamav-0f02c0e698dc29b6"
type=AVC msg=audit(1149216362.950:1154): avc: denied { remove_name } for pid=29037 comm="clamscan" name="clamav-0f02c0e698dc29b6" dev=hdc6 ino=20 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149216362.950:1154): avc: denied { unlink } for pid=29037 comm="clamscan" name="clamav-0f02c0e698dc29b6" dev=hdc6 ino=20 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1149216362.950:1154): arch=40000003 syscall=10 success=yes exit=0 a0=8a83280 a1=1 a2=4807c938 a3=8a84c28 items=1 pid=29037 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=PATH msg=audit(1149216362.950:1154): item=0 name="/tmp/clamav-0f02c0e698dc29b6" flags=10 inode=2 dev=16:06 mode=041777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149216362.954:1155): avc: denied { read } for pid=29037 comm="clamscan" name="clamav-fe19cc5f77908e70" dev=hdc6 ino=29251 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1149216362.954:1155): arch=40000003 syscall=5 success=yes exit=5 a0=8a83228 a1=18800 a2=4890ac0c a3=8a84c28 items=1 pid=29037 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=PATH msg=audit(1149216362.954:1155): item=0 name="/tmp/clamav-fe19cc5f77908e70" flags=103 inode=29251 dev=16:06 mode=040700 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149216362.954:1156): avc: denied { getattr } for pid=29037 comm="clamscan" name="clamav-fe19cc5f77908e70" dev=hdc6 ino=29251 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1149216362.954:1156): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfdcfd4c a2=4891eff4 a3=5 items=0 pid=29037 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC_PATH msg=audit(1149216362.954:1156): path="/tmp/clamav-fe19cc5f77908e70"
type=AVC msg=audit(1149216363.850:1157): avc: denied { setattr } for pid=29037 comm="clamscan" name="clamav-fe19cc5f77908e70" dev=hdc6 ino=29251 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1149216363.850:1157): arch=40000003 syscall=15 success=yes exit=0 a0=8a83228 a1=1c0 a2=4807c938 a3=8a84c28 items=1 pid=29037 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=PATH msg=audit(1149216363.850:1157): item=0 name="/tmp/clamav-fe19cc5f77908e70" flags=1 inode=29251 dev=16:06 mode=040700 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149216363.850:1158): avc: denied { rmdir } for pid=29037 comm="clamscan" name="clamav-fe19cc5f77908e70" dev=hdc6 ino=29251 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Hope that provide sufficient additional information. If you need more,
let me know.
Thanks Paul.
Marc
More information about the fedora-selinux-list
mailing list