postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 7 16:56:03 UTC 2006


On Wed, 2006-06-07 at 12:20 -0400, Daniel J Walsh wrote:
> I will be turning on dcc and razor policy in next rawhide update.  This 
> should cover some of the problems you are having.  Please send
> me all of your policy so that I can get it in the upstream pool.

We may need to do some rework then, since what we have, particularly for
dcc, is getting the dcc client to work in spamd when running in the
spamd domain. By turning on the dcc policy, this will all change.

Similarly, Mark seems to be running razor from pyzor, so the policy
tweaks have been for getting razor working as pyzor_t.

I can send you what we've got so far, but it'll be of limited
usefulness. Perhaps more useful would be if Mark could let you know
where the various files/programs are installed to in the upstream
default configuration (and his config, if different), so that the file
contexts in policy can be right first time.

Here's the clamav policy additions we ended up with for running
clamassassin from procmail with postfix:

policy_module(myclam, 0.1.2)

require {
        type clamscan_t;
        type postfix_local_t;
        type procmail_tmp_t;
};

# temp files
type clamscan_tmp_t;
files_tmp_file(clamscan_tmp_t)

# Allow clamscan to create and use temp files and dirs
allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
allow clamscan_t clamscan_tmp_t:file create_file_perms;
files_type(clamscan_tmp_t)
files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })

# Allow clamscan to read and write temp files created by procmail
# (needed for clamassassin)
allow clamscan_t procmail_tmp_t:file rw_file_perms;

# Allow clamscan output to be piped back into the
# postfix local delivery process (?)
allow clamscan_t postfix_local_t:fd use;
allow clamscan_t postfix_local_t:fifo_file write;

This policy requires that procmail can create temp files as well, which
I don't think is in policy at the moment. It also needs a domain
transition from procmail_t to clamscan_t:

policy_module(procmail, 0.5.1)

require {
        type procmail_t;
};

# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)

# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })

# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)

# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamscan_domtrans(procmail_t)

FWIW, here are the pyzor policy tweaks we used. Most will probably be
irrelevant after enabling razor, but some (e.g. the sending and
receiving messages) look valid:

policy_module(mypyzor, 0.1.3)

require {
        type pyzor_t;
        type pyzor_port_t;
        type spamd_t;
        # bin_t is used directly in the getattr rules below, so it
        # must be required for the module to build
        type bin_t;
};

# temp files
type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)

# Allow pyzor to create and use temp files and dirs
allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
allow pyzor_t pyzor_tmp_t:file create_file_perms;
files_type(pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })

# Allow pyzor to read config (and any other file...)
# from user home directories
userdom_read_unpriv_users_home_content_files(pyzor_t)

# Allow pyzor to read /dev/urandom
dev_read_urand(pyzor_t)

# Allow pyzor to send and receive pyzor messages!
allow pyzor_t pyzor_port_t:udp_socket send_msg;
allow pyzor_t pyzor_port_t:udp_socket recv_msg;

# Allow spamd to signal pyzor (kill/hup ?)
allow spamd_t pyzor_t:process signal;

# Allow pyzor to ...?
corecmd_search_bin(pyzor_t)
kernel_read_kernel_sysctls(pyzor_t)
# It does a getattr on /usr/bin/time for reasons unknown...
allow pyzor_t bin_t:dir getattr;
allow pyzor_t bin_t:file getattr;

# Pyzor/python probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(pyzor_t)
kernel_dontaudit_read_system_state(pyzor_t)

Paul.
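Rules like the ones above are normally worked out from AVC denials in the audit log (the sort of thing audit2allow does). The following is an added illustration, not code from this thread, from selinux-policy or from policycoreutils: a minimal audit2allow-style translator that collects denials into per-(source, target, class) allow rules, emits the require block a loadable module needs, and flags rules that cross into another domain (fd, fifo_file, process) as candidates for review rather than blind acceptance. The AVC lines are constructed to mirror the clamscan/procmail/pyzor rules posted above; they are not real log output, and the module name/version are placeholders.

```python
"""Minimal audit2allow-style translation of AVC denials into SELinux rules.

Added example: not code from the thread, from selinux-policy or from
policycoreutils.  The sample denials are constructed to match the rules
discussed in the thread, not captured from a real system.
"""
import re
from collections import defaultdict

# Constructed sample denials (hypothetical pids/inodes; not real logs).
SAMPLE_AVCS = """\
type=AVC msg=audit(1149696000.123:45): avc:  denied  { write } for  pid=1234 comm="clamscan" name="msg.abc123" dev=sda3 ino=12345 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1149696000.124:46): avc:  denied  { read } for  pid=1234 comm="clamscan" name="msg.abc123" dev=sda3 ino=12345 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=AVC msg=audit(1149696000.200:47): avc:  denied  { use } for  pid=1234 comm="clamscan" path="pipe:[5678]" dev=pipefs ino=5678 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149696000.201:48): avc:  denied  { write } for  pid=1234 comm="clamscan" path="pipe:[5678]" dev=pipefs ino=5678 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1149696100.010:49): avc:  denied  { getattr } for  pid=2222 comm="pyzor" path="/usr/bin/time" dev=sda2 ino=777 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1149696100.020:50): avc:  denied  { signal } for  pid=2200 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=process
"""

# Pull the permission set, source/target contexts and object class out of one
# AVC line.  Everything between the perms and scontext= (pid, comm, path...) is
# irrelevant to the rule and skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Object classes whose target is another process/domain rather than a file:
# an allow rule here grants cross-domain access and deserves a second look
# (or an existing interface) instead of a raw allow.
CROSS_DOMAIN_CLASSES = {"fd", "fifo_file", "process", "unix_stream_socket"}


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def render_module(name, version, rules, declared=()):
    """Render a loadable module body: require block, then one allow per key.

    `declared` lists types the module defines itself (e.g. its own *_tmp_t),
    which must not also appear in the require block.
    """
    types = set()
    for stype, ttype, _ in rules:
        types.update((stype, ttype))
    types -= set(declared)
    lines = [f"policy_module({name}, {version})", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += ["};", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)


def review_notes(rules):
    """List the rules that grant access to another domain rather than a file."""
    return [
        f"{stype} -> {ttype}:{tclass}: cross-domain access, check intent"
        for (stype, ttype, tclass) in sorted(rules)
        if tclass in CROSS_DOMAIN_CLASSES
    ]


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AVCS)
    print(render_module("mylocal", "0.1", parsed))
    print()
    for note in review_notes(parsed):
        print("#", note)
```

The output is the raw starting point, not the finished module: a practitioner still replaces file-level rules with the refpolicy macros (rw_file_perms, create_file_perms) and type-transition interfaces used in the thread, and decides case by case whether a flagged cross-domain rule (clamscan_t using postfix_local_t's descriptors, spamd_t signalling pyzor_t) is the intended behaviour.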
More information about the fedora-selinux-list mailing list