postfix_pipe_t ... execute_no_trans

QingLong qinglong at Bolizm.ihep.su
Mon Jun 12 15:50:41 UTC 2006


	Hello!

   Would you be so kind as to give me a hint why postfix's pipe command
 tries to execute a custom script with execute_no_trans? Details follow.

   Here we have a combination of Spamassassin and DrWeb virus scanner.
 Due to lame DrWeb programs' stupidity one has to create a shell script
 that first passes a mail through spamassassin and then throws it to DrWeb.
 I have created a custom selinux module of my own named ql_spamassassin
 to (try to) put this combination under selinux control.
 So I have defined my own type `ql_spamassassin_client_exec_t' for the script
 and ql_spamassassin_client_t domain type. And I have
|
| domain_entry_file(ql_spamassassin_client_t,ql_spamassassin_client_exec_t)
| domain_auto_trans(postfix_pipe_t,ql_spamassassin_client_exec_t,ql_spamassassin_client_t)
|
 to allow postfix_pipe_t to execute the script and perform the type transition.
 The module has been compiled and loaded into the kernel quite successfully,
 but I still get the execution denials:
|
| type=AVC msg=audit(1150125191.592:740): avc:  denied  { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
| type=SYSCALL msg=audit(1150125191.592:740): arch=40000003 syscall=11 success=no exit=-13 a0=804e410 a1=804e0a8 a2=804e550 a3=3d09 items=1 pid=2793 auid=4294967295 uid=15625 gid=15625 euid=15625 suid=15625 fsuid=15625 egid=15625 sgid=15625 fsgid=15625 comm="pipe" exe="/usr/libexec/postfix/pipe"
| type=AVC_PATH msg=audit(1150125191.592:740):  path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
| type=CWD msg=audit(1150125191.592:740):  cwd="/var/spool/postfix"
| type=PATH msg=audit(1150125191.592:740): item=0 name="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh" flags=101  inode=56842 dev=09:09 mode=0100555 ouid=0 ogid=0 rdev=00:00
|
 The system is FC5. SELinux related packages:
	checkpolicy-1.30.3-1.fc5
	libselinux-1.30-1.fc5
	libselinux-python-1.30-1.fc5
	libsepol-1.12.6-1.fc5
	policycoreutils-1.30.10-1.fc5
	selinux-policy-2.2.40-1.fc5
	selinux-policy-targeted-2.2.40-1.fc5
	kernel-smp-2.6.16-1.2133_FC5
 Please give me a hint as to what's wrong here. Thank you.

      QingLong.



