postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 7 07:04:32 UTC 2006 

On Tue, 2006-06-06 at 21:34 -0500, Marc Schwartz wrote:
> Paul,
> 
> OK...seemingly back up and running.  Here are the present avc messages
> since re-loading everything and confirming that the file contexts are
> back to the changes that we made.
> 
> I note that the /proc/meminfo messages are back, but now for
> clamassassin. I am sure that I have reloaded the new modules that we
> created, so not sure what is up here, unless there was some conflict
> when the two versions of the policies we seemingly loaded earlier today.
> 
> Let me know on these and if perhaps I missed something:

You forgot that we reverted the clamassassin context change yesterday.

# restorecon -v /usr/local/bin/clamassassin

> type=AVC msg=audit(1149646922.456:801): avc:  denied  { read } for  pid=23273 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.456:801): arch=40000003 syscall=5 success=yes exit=3 a0=489093ef a1=0 a2=1b6 a3=a021240 items=1 pid=23273 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=CWD msg=audit(1149646922.456:801):  cwd="/home/marcs"
> type=PATH msg=audit(1149646922.456:801): item=0 name="/proc/meminfo" flags=101  inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149646922.456:802): avc:  denied  { getattr } for  pid=23273 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.456:802): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf8d7f28 a2=4891eff4 a3=3 items=0 pid=23273 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"type=AVC_PATH msg=audit(1149646922.456:802):  path="/proc/meminfo"
> type=AVC msg=audit(1149646922.456:803): avc:  denied  { search } for  pid=23273 comm="clamassassin" name="bin" dev=hdc7 ino=3112982 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> type=SYSCALL msg=audit(1149646922.456:803): arch=40000003 syscall=5 success=yes exit=3 a0=a023018 a1=8000 a2=0 a3=8000 items=1 pid=23273 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=CWD msg=audit(1149646922.456:803):  cwd="/home/marcs"
> type=PATH msg=audit(1149646922.456:803): item=0 name="/usr/local/bin/clamassassin" flags=101  inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149646922.460:804): avc:  denied  { execute } for  pid=23274 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1149646922.460:804): avc:  denied  { execute_no_trans } for  pid=23274 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1149646922.460:804): avc:  denied  { read } for  pid=23274 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.460:804): arch=40000003 syscall=11 success=yes exit=0 a0=a0232c0 a1=a023500 a2=a026dd0 a3=a023228 items=2 pid=23274 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mktemp" exe="/bin/mktemp"
> type=AVC_PATH msg=audit(1149646922.460:804):  path="/bin/mktemp"
> type=AVC_PATH msg=audit(1149646922.460:804):  path="/bin/mktemp"
> type=CWD msg=audit(1149646922.460:804):  cwd="/home/marcs"
> type=PATH msg=audit(1149646922.460:804): item=0 name="/bin/mktemp" flags=101  inode=1966111 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1149646922.460:804): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149646922.460:805): avc:  denied  { read } for  pid=23274 comm="mktemp" name="urandom" dev=tmpfs ino=1719 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1149646922.460:805): arch=40000003 syscall=5 success=yes exit=3 a0=80494d8 a1=0 a2=48920120 a3=8f5f008 items=1 pid=23274 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mktemp" exe="/bin/mktemp"
> type=CWD msg=audit(1149646922.460:805):  cwd="/home/marcs"
> type=PATH msg=audit(1149646922.460:805): item=0 name="/dev/urandom" flags=101  inode=1719 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
> type=AVC msg=audit(1149646922.468:806): avc:  denied  { execute_no_trans } for  pid=23277 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.468:806): arch=40000003 syscall=11 success=yes exit=0 a0=a026c00 a1=a026210 a2=a026dd0 a3=a026d90 items=2 pid=23277 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
> type=AVC_PATH msg=audit(1149646922.468:806):  path="/usr/bin/clamscan"
> type=CWD msg=audit(1149646922.468:806):  cwd="/home/marcs"
> type=PATH msg=audit(1149646922.468:806): item=0 name="/usr/bin/clamscan" flags=101  inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1149646922.468:806): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00

The context change should fix all of the above.

> type=AVC msg=audit(1149646926.516:807): avc:  denied  { recv_msg } for  saddr=66.250.40.33 src=24441 daddr=192.168.1.2 dest=32875 netif=eth0 scontext=user_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:pyzor_port_t:s0 tclass=udp_socket

Hmm, pyzor needs to receive messages as well as send them...

> type=AVC msg=audit(1149646926.528:808): avc:  denied  { create } for  pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:808): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfb89868 a2=4891eff4 a3=8069fbf items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1149646926.528:808): nargs=3 a0=10 a1=3 a2=0
> type=AVC msg=audit(1149646926.528:809): avc:  denied  { bind } for  pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:809): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfb89868 a2=4891eff4 a3=3 items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1149646926.528:809): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1149646926.528:809): nargs=3 a0=3 a1=bfb89874 a2=c
> type=AVC msg=audit(1149646926.528:810): avc:  denied  { getattr } for  pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:810): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfb89868 a2=4891eff4 a3=3 items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1149646926.528:810): nargs=3 a0=3 a1=bfb89874 a2=bfb89880
> type=AVC msg=audit(1149646926.528:811): avc:  denied  { write } for  pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1149646926.528:811): avc:  denied  { nlmsg_read } for  pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:811): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfb887b4 a2=4891eff4 a3=ffffffcc items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1149646926.528:811): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1149646926.528:811): nargs=6 a0=3 a1=bfb8982c a2=14 a3=0 a4=bfb89840 a5=c
> type=AVC msg=audit(1149646926.528:812): avc:  denied  { read } for  pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:812): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfb887b4 a2=4891eff4 a3=ffffffcc items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1149646926.528:812): nargs=3 a0=3 a1=bfb89810 a2=0

I've seen a lot of these recently. I think dcc is trying to read the
routing table. We'll allow that.

(snip)

The rest seem to be duplicates.

Updated policy modules:

####### mydcc.te #######
policy_module(mydcc, 0.1.3)

require {
        type spamd_t;
}

type dcc_var_t;
files_type(dcc_var_t)

type dcc_client_map_t;
files_type(dcc_client_map_t)

# Allow spamd to behave as a dcc client
allow spamd_t dcc_client_map_t:file rw_file_perms;
allow spamd_t dcc_var_t:dir search;

# Allow spamd to read the routing table (needed by dcc)
allow spamd_t self:netlink_route_socket { r_netlink_socket_perms };

####### mypyzor.te #######
policy_module(mypyzor, 0.1.3)

require {
        type pyzor_t;
        type pyzor_port_t;
        type spamd_t;
};

# temp files
type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)

# Allow pyzor to create and use temp files and dirs
allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
allow pyzor_t pyzor_tmp_t:file create_file_perms;
files_type(pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })

# Allow pyzor to read config (and any other file...)
# from user home directories
userdom_read_unpriv_users_home_content_files(pyzor_t)

# Allow pyzor to read /dev/urandom
dev_read_urand(pyzor_t)

# Allow pyzor to send and receive pyzor messages!
allow pyzor_t pyzor_port_t:udp_socket send_msg;
allow pyzor_t pyzor_port_t:udp_socket recv_msg;

# Allow spamd to signal pyzor (kill/hup ?)
allow spamd_t pyzor_t:process signal;

# Allow pyzor to ...?
corecmd_search_bin(pyzor_t)
kernel_read_kernel_sysctls(pyzor_t)
# It does a getattr on /usr/bin/time for reasons unknown...
allow pyzor_t bin_t:dir getattr;
allow pyzor_t bin_t:file getattr;

# Pyzor/python probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(pyzor_t)
kernel_dontaudit_read_system_state(pyzor_t)


Paul.

More information about the fedora-selinux-list mailing list