postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Tue Jun 6 03:09:03 UTC 2006


On Mon, 2006-06-05 at 16:49 +0100, Paul Howarth wrote: 
> Marc Schwartz wrote:
> > On Fri, 2006-06-02 at 17:03 +0100, Paul Howarth wrote:
> >> Marc Schwartz wrote:
> >>> On Thu, 2006-06-01 at 13:00 +0100, Paul Howarth wrote: 
> >>>> Marc Schwartz wrote:

<snip>

> > This had occurred after changing SELinux from Disabled to Permissive.
> > However, I have some partitions protected by dm-crypt/LUKS which would
> > not be accessible immediately after boot. Thus I ran the system-wide
> > 
> >   fixfiles relabel
> > 
> > and then re-booted, so that all partitions could be done.
> 
> OK, let's be on the lookout for incorrectly labelled files though.

Right...

> OK. Can you keep a note of the manual context changes you've made? That 
> will help to ensure that if I forget something when we pull everything 
> together, you can spot it ;-)

I have collected the entries from both my history and root's.  The good
news is that everything that we have done is in the list archive...I
have not done anything that is not recorded there...  :-) 


> >>> type=AVC msg=audit(1149203919.092:6): avc:  denied  { getattr } for  pid=2051 comm="sh" name="mailq.postfix.1.gz" dev=hdc7 ino=3132510 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
> >>> type=AVC_PATH msg=audit(1149203919.092:6):  path="/usr/share/man/man1/mailq.postfix.1.gz"
> >>> type=CWD msg=audit(1149203919.092:6):  cwd="/var/spool/postfix"
> >>> type=PATH msg=audit(1149203919.092:6): item=0 name="/usr/share/man/man1/mailq.postfix.1.gz" flags=1  inode=3132510 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00
> >> What does the postfix master program do? It appears to be having trouble 
> >>   here reading the attributes of a manpage?!?!?
> > 
> > I am truly confuzzled by this one. I have no idea why this occurred.

> We'll not fix this one then, and wait to see if it happens again.

OK. Note that it is still happening and is below in the updated output.

<snip>

> > type=AVC msg=audit(1149352202.368:284): avc:  denied  { read } for  pid=8283 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352202.368:284): arch=40000003 syscall=5 success=yes exit=3 a0=489093ef a1=0 a2=1b6 a3=9ced240 items=1 pid=8283 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> > type=CWD msg=audit(1149352202.368:284):  cwd="/home/marcs"
> > type=PATH msg=audit(1149352202.368:284): item=0 name="/proc/meminfo" flags=101  inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1149352202.476:287): avc:  denied  { getattr } for  pid=8283 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352202.476:287): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfc0bae8 a2=4891eff4 a3=3 items=0 pid=8283 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> > type=AVC_PATH msg=audit(1149352202.476:287):  path="/proc/meminfo"
> 
> clamassassin trying to read /proc/meminfo
> 
> Any idea why?

Not at all.  A search of the script does not show any calls to read
there, so perhaps it is clamscan, unless the audit trail would
differentiate it... 

> > type=AVC msg=audit(1149352202.476:288): avc:  denied  { search } for  pid=8283 comm="clamassassin" name="bin" dev=hdc7 ino=3112982 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1149352202.476:288): arch=40000003 syscall=5 success=yes exit=3 a0=9cef018 a1=8000 a2=0 a3=8000 items=1 pid=8283 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> > type=CWD msg=audit(1149352202.476:288):  cwd="/home/marcs"
> > type=PATH msg=audit(1149352202.476:288): item=0 name="/usr/local/bin/clamassassin" flags=101  inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1149352202.484:289): avc:  denied  { execute } for  pid=8284 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> > type=AVC msg=audit(1149352202.484:289): avc:  denied  { execute_no_trans } for  pid=8284 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> > type=AVC msg=audit(1149352202.484:289): avc:  denied  { read } for  pid=8284 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352202.484:289): arch=40000003 syscall=11 success=yes exit=0 a0=9cef2c0 a1=9cef500 a2=9cf2dd0 a3=9cef228 items=2 pid=8284 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mktemp" exe="/bin/mktemp"
> > type=AVC_PATH msg=audit(1149352202.484:289):  path="/bin/mktemp"
> > type=AVC_PATH msg=audit(1149352202.484:289):  path="/bin/mktemp"
> > type=CWD msg=audit(1149352202.484:289):  cwd="/home/marcs"
> > type=PATH msg=audit(1149352202.484:289): item=0 name="/bin/mktemp" flags=101  inode=1966111 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
> > type=PATH msg=audit(1149352202.484:289): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> 
> This is clamassassin running mktemp to create a temporary file.
> 
> I can add this to the local policy module but I'm not convinced it's a 
> great idea (it would allow clamscan to run pretty much anything). This 
> will be happening because of the domain transition to clamscan_t 
> happening earlier than before due to changing the context of 
> /usr/local/bin/clamassassin to clamscan_exec_t. So I now think that's 
> not a good idea and we should change it back again:
> 
> # chcon -t bin_t /usr/local/bin/clamassassin

Done...

> Instead, we'll allow clamscan to read temp files created by procmail, 
> which is a finer grained fix.

OK

<snip>

> > type=AVC msg=audit(1149352204.996:294): avc:  denied  { search } for  pid=8297 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1149352204.996:294): arch=40000003 syscall=5 success=yes exit=3 a0=bfed8edb a1=8000 a2=1b6 a3=9970008 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> > type=CWD msg=audit(1149352204.996:294):  cwd="/"
> > type=PATH msg=audit(1149352204.996:294): item=0 name="/usr/bin/pyzor" flags=101  inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> 
> Pyzor trying to find something to run?

Unsure. I don't know python and reviewing the code, there are calls
below the script level that may be doing things that I would be hesitant
to say that I fully comprehend. There may be a need to contact the
author or the FE package maintainer on this one, unless you know python.

> > type=AVC msg=audit(1149352205.000:295): avc:  denied  { search } for  pid=8297 comm="pyzor" name="/" dev=proc ino=1 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
> > type=AVC msg=audit(1149352205.000:295): avc:  denied  { read } for  pid=8297 comm="pyzor" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352205.000:295): arch=40000003 syscall=5 success=yes exit=4 a0=489093ef a1=0 a2=1b6 a3=9970250 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> > type=CWD msg=audit(1149352205.000:295):  cwd="/"
> > type=PATH msg=audit(1149352205.000:295): item=0 name="/proc/meminfo" flags=101  inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
> 
> pyzor trying to read /proc/meminfo
> 
> Any idea why? I suspect it doesn't need to do this and am inclined to 
> dontaudit it. When we've got rid of the AVCs, we'll see if enforcing 
> mode works and possibly come back to this if it doesn't work.

As with clamassassin, not sure why unless it has to allocate memory for
its scanning functions and trying to check on an a priori basis before
risking failure.

> > type=AVC msg=audit(1149352205.016:298): avc:  denied  { read } for  pid=8297 comm="pyzor" name="urandom" dev=tmpfs ino=1989 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> > type=SYSCALL msg=audit(1149352205.016:298): arch=40000003 syscall=5 success=yes exit=6 a0=9972f68 a1=8000 a2=0 a3=8000 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> > type=CWD msg=audit(1149352205.016:298):  cwd="/"
> > type=PATH msg=audit(1149352205.016:298): item=0 name="/dev/urandom" flags=101  inode=1989 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
> 
> pyzor trying to generate random numbers for something (possibly temp 
> file creation). I'll add this to the module.

OK. 

> > type=AVC msg=audit(1149352205.020:299): avc:  denied  { getattr } for  pid=8297 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352205.020:299): arch=40000003 syscall=195 success=yes exit=0 a0=bfed3bb7 a1=bfed3704 a2=4891eff4 a3=b7f439c0 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> > type=AVC_PATH msg=audit(1149352205.020:299):  path="/usr/bin/time"
> > type=CWD msg=audit(1149352205.020:299):  cwd="/"
> > type=PATH msg=audit(1149352205.020:299): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> 
> pyzor trying to run /usr/bin/time. Any idea why? Allowing it to run 
> arbitrary binaries would be quite a concession.

Not sure. 

There is code in both:

$ grep -i time /usr/lib/python2.4/site-packages/pyzor/client.py
timeout = 5
        signal.signal(signal.SIGALRM, handle_timeout)
        return self.time_call(self.socket.recvfrom,
    def time_call(self, call, varargs=(), kwargs=None):
        signal.alarm(self.timeout)
            except TimeoutError:
                # their own timeout error
                sys.stderr.write("timeout from server\n")
            raise RuntimeError, "digest not calculated yet"
                            stringed = time.ctime(val)
def handle_timeout(signum, frame):
    raise TimeoutError


and


$ grep -i time /usr/lib/python2.4/site-packages/pyzor/server.py
import time
        # We duplicate the time field merely so that
        ts = int(time.time())
                                    time.ctime(ts),
            self.wl_entered = int(time.time())
            self.r_entered = int(time.time())
        self.r_updated = int(time.time())
        self.wl_updated = int(time.time())
        breakpoint = time.time() - self.max_age
    timeout = 3
    time_diff_allowance = 180
        except TimeoutError, e:
            self.handle_error(503, "Gateway timeout: %s" % e)


So I am guessing timeout errors contacting the servers perhaps...

Another query for those in the know. 

> > type=AVC msg=audit(1149352205.060:300): avc:  denied  { send_msg } for  pid=8297 comm="pyzor" saddr=192.168.1.2 src=32865 daddr=66.250.40.33 dest=24441 netif=eth0 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:pyzor_port_t:s0 tclass=udp_socket
> > type=SYSCALL msg=audit(1149352205.060:300): arch=40000003 syscall=102 success=yes exit=165 a0=b a1=bfed58a0 a2=c79114 a3=bfed58d8 items=0 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> > type=SOCKADDR msg=audit(1149352205.060:300): saddr=02005F7942FA28210000000000000000
> > type=SOCKETCALL msg=audit(1149352205.060:300): nargs=6 a0=3 a1=b7f553f4 a2=a5 a3=0 a4=b7f828c0 a5=10
> 
> pyzor sending a message to pyzor_port_t. Don't know why this isn't 
> currently allowed.
> 
> > type=AVC msg=audit(1149352209.996:304): avc:  denied  { signal } for  pid=2335 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=process
> > type=SYSCALL msg=audit(1149352209.996:304): arch=40000003 syscall=37 success=yes exit=0 a0=2069 a1=f a2=481f45c8 a3=a2053ac items=0 pid=2335 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> 
> spamd signalling pyzor. Not sure why. KILL/HUP?

Perhaps. I just don't know the internals.

> > type=AVC msg=audit(1149352210.004:305): avc:  denied  { read write } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352210.004:305): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=11 items=1 pid=8511 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> > type=CWD msg=audit(1149352210.004:305):  cwd="/var/dcc"
> > type=PATH msg=audit(1149352210.004:305): item=0 name="/var/dcc/map" flags=101  inode=87811 dev=16:05 mode=0100600 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1149352210.008:306): avc:  denied  { getattr } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352210.008:306): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfeb0a78 a2=4891eff4 a3=3 items=0 pid=8511 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> > type=AVC_PATH msg=audit(1149352210.008:306):  path="/var/dcc/map"
> > type=AVC msg=audit(1149352210.008:307): avc:  denied  { lock } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
> > type=SYSCALL msg=audit(1149352210.008:307): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfeb1bf4 a3=bfeb1bf4 items=0 pid=8511 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> > type=AVC_PATH msg=audit(1149352210.008:307):  path="/var/dcc/map"
> 
> This is dcc manipulating /var/dcc/map whilst running in the spamd_t 
> domain, since there is no separate dcc policy. We probably need a new 
> type for this, and policy rules to allow this.
> 
> After installing the updated mydcc.pp, do:
> 
> # restorecon -rv /var/dcc

Done..

<snip of modules>

All updated modules installed.

I also cleaned out the audit.log file. Just to get rid of all of the old stuff. Then re-booted.

I re-ran avclist after the updates and the first e-mails came through. The output is below.

> That should fix quite a few, but not all issues (particularly not the 
> ones I've queried).

Thanks Paul!

Regards,

Marc


type=AVC msg=audit(1149561389.767:5): avc:  denied  { getattr } for  pid=2141 comm="sh" name="mailq.postfix.1.gz" dev=hdc7 ino=3132510 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=SYSCALL msg=audit(1149561389.767:5): arch=40000003 syscall=195 success=yes exit=0 a0=913bd10 a1=bffc8438 a2=4891eff4 a3=913c3c8 items=1 pid=2141 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1149561389.767:5):  path="/usr/share/man/man1/mailq.postfix.1.gz"
type=CWD msg=audit(1149561389.767:5):  cwd="/var/spool/postfix"
type=PATH msg=audit(1149561389.767:5): item=0 name="/usr/share/man/man1/mailq.postfix.1.gz" flags=1  inode=3132510 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561396.952:6): avc:  denied  { append } for  pid=2196 comm="spamd" name="razor-agent.log" dev=hdc7 ino=829594 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1149561396.952:6): arch=40000003 syscall=5 success=yes exit=6 a0=aa50688 a1=8441 a2=1b6 a3=8441 items=1 pid=2196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=CWD msg=audit(1149561396.952:6):  cwd="/"
type=PATH msg=audit(1149561396.952:6): item=0 name="/root/.razor/razor-agent.log" flags=310  inode=829589 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561396.952:7): avc:  denied  { ioctl } for  pid=2196 comm="spamd" name="razor-agent.log" dev=hdc7 ino=829594 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1149561396.952:7): arch=40000003 syscall=54 success=no exit=-25 a0=6 a1=5401 a2=bfcc99b8 a3=bfcc99f8 items=0 pid=2196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1149561396.952:7):  path="/root/.razor/razor-agent.log"
type=AVC msg=audit(1149561396.952:8): avc:  denied  { getattr } for  pid=2196 comm="spamd" name="razor-agent.log" dev=hdc7 ino=829594 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1149561396.952:8): arch=40000003 syscall=197 success=yes exit=0 a0=6 a1=9381068 a2=4891eff4 a3=9397f64 items=0 pid=2196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1149561396.952:8):  path="/root/.razor/razor-agent.log"
type=AVC msg=audit(1149561396.960:9): avc:  denied  { read } for  pid=2196 comm="spamd" name="servers.discovery.lst" dev=hdc7 ino=829591 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1149561396.960:9): arch=40000003 syscall=5 success=yes exit=7 a0=aa589e8 a1=8000 a2=0 a3=8000 items=1 pid=2196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=CWD msg=audit(1149561396.960:9):  cwd="/"
type=PATH msg=audit(1149561396.960:9): item=0 name="/root/.razor/servers.discovery.lst" flags=101  inode=829591 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561396.968:10): avc:  denied  { read } for  pid=2196 comm="spamd" name=".razor" dev=hdc7 ino=829589 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1149561396.968:10): arch=40000003 syscall=5 success=yes exit=7 a0=aa50028 a1=18800 a2=0 a3=a49d968 items=1 pid=2196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=CWD msg=audit(1149561396.968:10):  cwd="/"
type=PATH msg=audit(1149561396.968:10): item=0 name="/root/.razor" flags=103  inode=829589 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561397.424:11): avc:  denied  { getattr } for  pid=2289 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149561397.424:11): arch=40000003 syscall=196 success=yes exit=0 a0=86c6128 a1=bf9d1598 a2=4891eff4 a3=bf9d2ee1 items=1 pid=2289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149561397.424:11):  path="/usr/bin"
type=CWD msg=audit(1149561397.424:11):  cwd="/"
type=PATH msg=audit(1149561397.424:11): item=0 name="/usr/bin" flags=0  inode=3112970 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561397.884:12): avc:  denied  { getattr } for  pid=2289 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149561397.884:12): arch=40000003 syscall=195 success=yes exit=0 a0=bf9ce3d7 a1=bf9cdf24 a2=4891eff4 a3=b7f3d9e0 items=1 pid=2289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149561397.884:12):  path="/usr/bin/time"
type=CWD msg=audit(1149561397.884:12):  cwd="/"
type=PATH msg=audit(1149561397.884:12): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561399.108:13): avc:  denied  { search } for  pid=2295 comm="dccproc" name="dcc" dev=hdc5 ino=87778 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1149561399.108:13): arch=40000003 syscall=12 success=yes exit=0 a0=bf9dad62 a1=0 a2=4891eff4 a3=11 items=1 pid=2295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149561399.108:13):  cwd="/"
type=PATH msg=audit(1149561399.108:13): item=0 name="/var/dcc" flags=3  inode=87778 dev=16:05 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561408.789:14): avc:  denied  { read write } for  pid=2419 comm="mingetty" name="utmp" dev=hdc5 ino=146250 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1149561408.789:14): arch=40000003 syscall=5 success=yes exit=3 a0=48909fd4 a1=2 a2=804a000 a3=48909fda items=1 pid=2419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mingetty" exe="/sbin/mingetty"
type=CWD msg=audit(1149561408.789:14):  cwd="/"
type=PATH msg=audit(1149561408.789:14): item=0 name="/var/run/utmp" flags=101  inode=146250 dev=16:05 mode=0100664 ouid=0 ogid=22 rdev=00:00
type=AVC msg=audit(1149561408.789:15): avc:  denied  { lock } for  pid=2419 comm="mingetty" name="utmp" dev=hdc5 ino=146250 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1149561408.789:15): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfc8fe3c a3=bfc8fdb0 items=0 pid=2419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mingetty" exe="/sbin/mingetty"
type=AVC_PATH msg=audit(1149561408.789:15):  path="/var/run/utmp"
type=AVC msg=audit(1149561602.879:55): avc:  denied  { use } for  pid=5247 comm="clamscan" name="[14742]" dev=pipefs ino=14742 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149561602.879:55): avc:  denied  { write } for  pid=5247 comm="clamscan" name="[14742]" dev=pipefs ino=14742 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1149561602.879:55): arch=40000003 syscall=11 success=yes exit=0 a0=8889c00 a1=8889210 a2=8889dd0 a3=8889d90 items=2 pid=5247 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC_PATH msg=audit(1149561602.879:55):  path="pipe:[14742]"
type=AVC_PATH msg=audit(1149561602.879:55):  path="pipe:[14742]"
type=CWD msg=audit(1149561602.879:55):  cwd="/home/marcs"
type=PATH msg=audit(1149561602.879:55): item=0 name="/usr/bin/clamscan" flags=101  inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149561602.879:55): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561607.120:56): avc:  denied  { getattr } for  pid=5258 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149561607.120:56): arch=40000003 syscall=196 success=yes exit=0 a0=97a0128 a1=bf8f6d38 a2=4891eff4 a3=bf8f8edb items=1 pid=5258 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149561607.120:56):  path="/usr/bin"
type=CWD msg=audit(1149561607.120:56):  cwd="/"
type=PATH msg=audit(1149561607.120:56): item=0 name="/usr/bin" flags=0  inode=3112970 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561607.140:57): avc:  denied  { getattr } for  pid=5258 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149561607.140:57): arch=40000003 syscall=195 success=yes exit=0 a0=bf8f3b77 a1=bf8f36c4 a2=4891eff4 a3=b7f639c0 items=1 pid=5258 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149561607.140:57):  path="/usr/bin/time"
type=CWD msg=audit(1149561607.140:57):  cwd="/"
type=PATH msg=audit(1149561607.140:57): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561612.104:58): avc:  denied  { search } for  pid=5286 comm="dccproc" name="dcc" dev=hdc5 ino=87778 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1149561612.104:58): arch=40000003 syscall=12 success=yes exit=0 a0=bfc060f2 a1=0 a2=4891eff4 a3=11 items=1 pid=5286 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149561612.104:58):  cwd="/"
type=PATH msg=audit(1149561612.104:58): item=0 name="/var/dcc" flags=3  inode=87778 dev=16:05 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561842.326:82): avc:  denied  { use } for  pid=5676 comm="clamscan" name="[16612]" dev=pipefs ino=16612 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149561842.326:82): avc:  denied  { write } for  pid=5676 comm="clamscan" name="[16612]" dev=pipefs ino=16612 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1149561842.326:82): arch=40000003 syscall=11 success=yes exit=0 a0=887cc00 a1=887c210 a2=887cdd0 a3=887cd90 items=2 pid=5676 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC_PATH msg=audit(1149561842.326:82):  path="pipe:[16612]"
type=AVC_PATH msg=audit(1149561842.326:82):  path="pipe:[16612]"
type=CWD msg=audit(1149561842.326:82):  cwd="/home/marcs"
type=PATH msg=audit(1149561842.326:82): item=0 name="/usr/bin/clamscan" flags=101  inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149561842.326:82): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561845.734:83): avc:  denied  { getattr } for  pid=5686 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149561845.734:83): arch=40000003 syscall=196 success=yes exit=0 a0=9077128 a1=bf821e38 a2=4891eff4 a3=bf822edb items=1 pid=5686 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149561845.734:83):  path="/usr/bin"
type=CWD msg=audit(1149561845.734:83):  cwd="/"
type=PATH msg=audit(1149561845.734:83): item=0 name="/usr/bin" flags=0  inode=3112970 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561845.746:84): avc:  denied  { getattr } for  pid=5686 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149561845.746:84): arch=40000003 syscall=195 success=yes exit=0 a0=bf81ec77 a1=bf81e7c4 a2=4891eff4 a3=b7e8c9c0 items=1 pid=5686 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149561845.746:84):  path="/usr/bin/time"
type=CWD msg=audit(1149561845.746:84):  cwd="/"
type=PATH msg=audit(1149561845.746:84): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149561850.730:85): avc:  denied  { search } for  pid=5689 comm="dccproc" name="dcc" dev=hdc5 ino=87778 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1149561850.730:85): arch=40000003 syscall=12 success=yes exit=0 a0=bfbcf012 a1=0 a2=4891eff4 a3=11 items=1 pid=5689 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149561850.730:85):  cwd="/"
type=PATH msg=audit(1149561850.730:85): item=0 name="/var/dcc" flags=3  inode=87778 dev=16:05 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149562442.187:127): avc:  denied  { use } for  pid=6937 comm="clamscan" name="[19771]" dev=pipefs ino=19771 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149562442.187:127): avc:  denied  { write } for  pid=6937 comm="clamscan" name="[19771]" dev=pipefs ino=19771 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1149562442.187:127): arch=40000003 syscall=11 success=yes exit=0 a0=8a49c00 a1=8a49210 a2=8a49dd0 a3=8a49d90 items=2 pid=6937 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC_PATH msg=audit(1149562442.187:127):  path="pipe:[19771]"
type=AVC_PATH msg=audit(1149562442.187:127):  path="pipe:[19771]"
type=CWD msg=audit(1149562442.187:127):  cwd="/home/marcs"
type=PATH msg=audit(1149562442.187:127): item=0 name="/usr/bin/clamscan" flags=101  inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149562442.187:127): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149562444.895:128): avc:  denied  { getattr } for  pid=6946 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149562444.895:128): arch=40000003 syscall=196 success=yes exit=0 a0=8ee1128 a1=bf9b8528 a2=4891eff4 a3=bf9b8edb items=1 pid=6946 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149562444.895:128):  path="/usr/bin"
type=CWD msg=audit(1149562444.895:128):  cwd="/"
type=PATH msg=audit(1149562444.895:128): item=0 name="/usr/bin" flags=0  inode=3112970 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149562444.907:129): avc:  denied  { getattr } for  pid=6946 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149562444.907:129): arch=40000003 syscall=195 success=yes exit=0 a0=bf9b5367 a1=bf9b4eb4 a2=4891eff4 a3=b7f229c0 items=1 pid=6946 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149562444.907:129):  path="/usr/bin/time"
type=CWD msg=audit(1149562444.907:129):  cwd="/"
type=PATH msg=audit(1149562444.907:129): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149562449.892:130): avc:  denied  { search } for  pid=6949 comm="dccproc" name="dcc" dev=hdc5 ino=87778 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1149562449.892:130): arch=40000003 syscall=12 success=yes exit=0 a0=bf927842 a1=0 a2=4891eff4 a3=11 items=1 pid=6949 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149562449.892:130):  cwd="/"
type=PATH msg=audit(1149562449.892:130): item=0 name="/var/dcc" flags=3  inode=87778 dev=16:05 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149563162.552:205): avc:  denied  { use } for  pid=8105 comm="clamscan" name="[22826]" dev=pipefs ino=22826 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149563162.552:205): avc:  denied  { write } for  pid=8105 comm="clamscan" name="[22826]" dev=pipefs ino=22826 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1149563162.552:205): arch=40000003 syscall=11 success=yes exit=0 a0=8b9bc00 a1=8b9b210 a2=8b9bdd0 a3=8b9bd90 items=2 pid=8105 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC_PATH msg=audit(1149563162.552:205):  path="pipe:[22826]"
type=AVC_PATH msg=audit(1149563162.552:205):  path="pipe:[22826]"
type=CWD msg=audit(1149563162.552:205):  cwd="/home/marcs"
type=PATH msg=audit(1149563162.552:205): item=0 name="/usr/bin/clamscan" flags=101  inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149563162.552:205): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149563166.228:206): avc:  denied  { getattr } for  pid=8143 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149563166.228:206): arch=40000003 syscall=196 success=yes exit=0 a0=9e82128 a1=bfa15458 a2=4891eff4 a3=bfa16edb items=1 pid=8143 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149563166.228:206):  path="/usr/bin"
type=CWD msg=audit(1149563166.228:206):  cwd="/"
type=PATH msg=audit(1149563166.228:206): item=0 name="/usr/bin" flags=0  inode=3112970 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149563166.240:207): avc:  denied  { getattr } for  pid=8143 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149563166.240:207): arch=40000003 syscall=195 success=yes exit=0 a0=bfa12297 a1=bfa11de4 a2=4891eff4 a3=b7e819c0 items=1 pid=8143 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149563166.240:207):  path="/usr/bin/time"
type=CWD msg=audit(1149563166.240:207):  cwd="/"
type=PATH msg=audit(1149563166.240:207): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149563166.580:208): avc:  denied  { getattr } for  pid=8145 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149563166.580:208): arch=40000003 syscall=195 success=yes exit=0 a0=bfce9177 a1=bfce8cc4 a2=4891eff4 a3=b7f569c0 items=1 pid=8145 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149563166.580:208):  path="/usr/bin/time"
type=CWD msg=audit(1149563166.580:208):  cwd="/"
type=PATH msg=audit(1149563166.580:208): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149563171.221:209): avc:  denied  { search } for  pid=8197 comm="dccproc" name="dcc" dev=hdc5 ino=87778 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1149563171.221:209): arch=40000003 syscall=12 success=yes exit=0 a0=bf8f9ee2 a1=0 a2=4891eff4 a3=11 items=1 pid=8197 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149563171.221:209):  cwd="/"
type=PATH msg=audit(1149563171.221:209): item=0 name="/var/dcc" flags=3  inode=87778 dev=16:05 mode=040755 ouid=0 ogid=0 rdev=00:00
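Added example, not part of the original message: a small parser that collapses the repeated AVC denials in a log like the one above into one line per (source type, target type, class), in the allow-rule style that audit2allow prints. The function names `summarize` and `to_rules` are hypothetical, and the sample input is a handful of records copied from the log above.

```python
import re
from collections import defaultdict

# Records copied from the log above; the SYSCALL line shows non-AVC records are skipped.
SAMPLE = """\
type=AVC msg=audit(1149563162.552:205): avc:  denied  { use } for  pid=8105 comm="clamscan" name="[22826]" dev=pipefs ino=22826 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149563162.552:205): avc:  denied  { write } for  pid=8105 comm="clamscan" name="[22826]" dev=pipefs ino=22826 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1149563166.228:206): avc:  denied  { getattr } for  pid=8143 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1149563166.240:207): avc:  denied  { getattr } for  pid=8143 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1149563166.580:208): avc:  denied  { getattr } for  pid=8145 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1149563171.221:209): avc:  denied  { search } for  pid=8197 comm="dccproc" name="dcc" dev=hdc5 ino=87778 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=CWD msg=audit(1149563171.221:209):  cwd="/"
"""

# Matches only type=AVC records (not AVC_PATH, SYSCALL, CWD or PATH).
AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r' for\s+.*?comm="(?P<comm>[^"]+)".*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+)'
    r' tclass=(?P<cls>\w+)', re.MULTILINE)

def summarize(log_text):
    """Group denials by (source type, target type, class); the type is field 3 of a context."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "events": set()})
    for m in AVC_RE.finditer(log_text):
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        g = groups[key]
        g["perms"].update(m["perms"].split())   # a record may list several permissions
        g["comms"].add(m["comm"])
        g["events"].add(m["serial"])            # audit serial identifies one event
    return dict(groups)

def to_rules(groups):
    """Render each group as a candidate allow rule for review, one per line."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    groups = summarize(SAMPLE)
    for key, rule in zip(sorted(groups), to_rules(groups)):
        g = groups[key]
        print(f"{rule}  # {len(g['events'])} event(s), comm={','.join(sorted(g['comms']))}")
```

The per-rule `comm` list makes it easy to spot a process running in an unexpected domain, such as `dccproc` appearing under `spamd_t` here.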