postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 21 07:20:03 UTC 2006


On Tue, 2006-06-20 at 13:10 -0500, Marc Schwartz (via MN) wrote:
> On Tue, 2006-06-20 at 11:27 -0500, Marc Schwartz (via MN) wrote:
> > On Tue, 2006-06-20 at 16:59 +0100, Paul Howarth wrote:
> 
> > > > BTW, I am now getting the following messages with avclist, since the
> > > > loading of the updated policies today:
> > > > 
> > > > type=AVC msg=audit(1150817767.142:753): avc:  denied  { getattr } for  pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> > > > type=SYSCALL msg=audit(1150817767.142:753): arch=40000003 syscall=195 success=no exit=-13 a0=a22fb98 a1=92360c8 a2=4891eff4 a3=a22fb98 items=1 pid=2268 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> > > > type=AVC_PATH msg=audit(1150817767.142:753):  path="/usr/bin/pyzor"
> > > > type=CWD msg=audit(1150817767.142:753):  cwd="/"
> > > > type=PATH msg=audit(1150817767.142:753): item=0 name="/usr/bin/pyzor" flags=1  inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > > type=AVC msg=audit(1150817767.142:754): avc:  denied  { getattr } for  pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> > > > type=SYSCALL msg=audit(1150817767.142:754): arch=40000003 syscall=195 success=no exit=-13 a0=a22fb98 a1=92360c8 a2=4891eff4 a3=a22fb98 items=1 pid=2268 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> > > > type=AVC_PATH msg=audit(1150817767.142:754):  path="/usr/bin/pyzor"
> > > > type=CWD msg=audit(1150817767.142:754):  cwd="/"
> > > > type=PATH msg=audit(1150817767.142:754): item=0 name="/usr/bin/pyzor" flags=1  inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > 
> > > Is pyzor working though?
> > > 
> > > Maybe these can be dontaudit-ed if that's the case.
> > 
> > As Murphy's Law would dictate, no spam with pyzor hits since updating
> > the policies.  The two or three that I have had so far, have no hits on
> > any of the remote tests.
> > 
> > As soon as I can confirm, I will post back.
> > 
> > Thanks,
> > 
> > Marc
> 
> Just to confirm that Pyzor, Razor2 and DCC are indeed working.
> 
> So perhaps these msgs can be dontaudit-ed.

OK, here's an updated version of mypyzor.te:

policy_module(mypyzor, 0.1.3)

require {
        type pyzor_t;
        type pyzor_exec_t;
        type pyzor_port_t;
        type spamd_t;
        # bin_t is used directly in raw allow rules further down; a type the
        # module does not declare itself must be required or checkmodule fails
        type bin_t;
};

# temp files
type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)

# Allow pyzor to create and use temp files and dirs
allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
allow pyzor_t pyzor_tmp_t:file create_file_perms;
files_type(pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })

# Allow pyzor to read config (and any other file...)
# from user home directories
userdom_read_unpriv_users_home_content_files(pyzor_t)

# Allow pyzor to read /dev/urandom
dev_read_urand(pyzor_t)

# Allow pyzor to send and receive pyzor messages!
allow pyzor_t pyzor_port_t:udp_socket send_msg;
allow pyzor_t pyzor_port_t:udp_socket recv_msg;

# Allow spamd to signal pyzor (kill/hup ?)
allow spamd_t pyzor_t:process signal;

# This doesn't seem to break anything
dontaudit spamd_t pyzor_exec_t:file getattr;

# Allow pyzor to ...?
corecmd_search_bin(pyzor_t)
kernel_read_kernel_sysctls(pyzor_t)
# It does a getattr on /usr/bin/time for reasons unknown...
# Would be nice to know if changing these from
# allow to dontaudit causes any breakage
allow pyzor_t bin_t:dir getattr;
allow pyzor_t bin_t:file getattr;

# Pyzor/python probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(pyzor_t)
kernel_dontaudit_read_system_state(pyzor_t)

Paul.
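Added example (not from the thread and not part of Paul's module): a small Python script in the spirit of audit2allow that reads raw audit records like the ones quoted above, keeps only the AVC denials, groups the denied permissions by (source type, target type, object class) and renders a .te fragment, using dontaudit instead of allow for the keys you mark as harmless, which is the call made here for the spamd_t -> pyzor_exec_t getattr. The embedded audit text is constructed: the two spamd_t records mirror the quoted ones, while the proc_t and pyzor_port_t records are made up to exercise the grouping, and the SYSCALL/CWD records are there to show they are skipped. The function names and the `declared`/`dontaudit` parameters are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit text (same record format as the thread's quoted
# denials; the proc_t and pyzor_port_t records are invented for illustration).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1150817767.142:753): avc:  denied  { getattr } for  pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150817767.142:753): arch=40000003 syscall=195 success=no exit=-13 pid=2268 comm="spamd" exe="/usr/bin/perl"
type=CWD msg=audit(1150817767.142:753):  cwd="/"
type=AVC msg=audit(1150817767.142:754): avc:  denied  { getattr } for  pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150817767.142:760): avc:  denied  { read getattr } for  pid=2301 comm="pyzor" name="meminfo" dev=proc ino=4026531862 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1150817767.142:761): avc:  denied  { send_msg } for  pid=2301 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:pyzor_port_t:s0 tclass=udp_socket
"""

# One AVC record: decision, permission set in braces, then the source and
# target security contexts and the object class.  "type=AVC\b" excludes the
# AVC_PATH records, which carry no decision.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:mls range] -> the type component."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("action") != "denied":
            continue  # not an AVC record, or a granted one
        key = (context_type(m.group("scon")), context_type(m.group("tcon")), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def render_te(denials, dontaudit=frozenset(), declared=frozenset()):
    """Render a .te fragment: a require block for every type the module does not
    declare itself, then one rule per key.  Keys listed in `dontaudit` get a
    dontaudit rule instead of allow (the thread's choice for the harmless
    spamd_t -> pyzor_exec_t getattr)."""
    needed = sorted({t for key in denials for t in key[:2]} - set(declared))
    out = ["require {"] + [f"\ttype {t};" for t in needed] + ["};", ""]
    for key in sorted(denials):
        stype, ttype, tclass = key
        verb = "dontaudit" if key in dontaudit else "allow"
        perms = sorted(denials[key])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"{verb} {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT)
    print(render_te(found, dontaudit={("spamd_t", "pyzor_exec_t", "file")}))
```

On a real box you would feed it `ausearch -m avc` output or /var/log/audit/audit.log. Two caveats: the output lists what was denied, not what the program actually needs, so confirm the program still works before turning a denial into dontaudit (as was done for pyzor here); and the script emits raw type rules with no knowledge of refpolicy interfaces, so any type it puts in the require block that a core module already owns (proc_t, bin_t and so on) should normally be replaced by the matching interface call in a finished module.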
More information about the fedora-selinux-list mailing list