postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Wed Jun 21 20:12:37 UTC 2006


On Wed, 2006-06-21 at 14:56 -0500, Marc Schwartz (via MN) wrote:
> Just a quick note that so far, all seems to be well. 
> 
> No avclist msgs since the change in policies to the above.
> 
> Want me back in Enforcing mode?

Hold the presses.  Now getting avc's:

type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute_no_trans } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc:  denied  { read } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150920365.865:1776): arch=40000003 syscall=11 success=yes exit=0 a0=a890768 a1=a83ff88 a2=a864c60 a3=bfa440ac items=3 pid=4583 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1150920365.865:1776):  path="/usr/bin/pyzor"
type=AVC_PATH msg=audit(1150920365.865:1776):  path="/usr/bin/pyzor"
type=CWD msg=audit(1150920365.865:1776):  cwd="/"
type=PATH msg=audit(1150920365.865:1776): item=0 name="/usr/bin/pyzor" flags=101  inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150920365.865:1776): item=1 flags=101  inode=3140290 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150920365.865:1776): item=2 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150920365.877:1777): avc:  denied  { ioctl } for  pid=4583 comm="pyzor" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150920365.877:1777): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfd14638 a3=bfd14678 items=0 pid=4583 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1150920365.877:1777):  path="/usr/bin/pyzor"
type=AVC msg=audit(1150920370.874:1778): avc:  denied  { create } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1778): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfea63f8 a2=4891eff4 a3=8069fbf items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKETCALL msg=audit(1150920370.874:1778): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1150920370.874:1779): avc:  denied  { bind } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1779): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKADDR msg=audit(1150920370.874:1779): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1150920370.874:1779): nargs=3 a0=3 a1=bfea6404 a2=c
type=AVC msg=audit(1150920370.874:1780): avc:  denied  { getattr } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1780): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKETCALL msg=audit(1150920370.874:1780): nargs=3 a0=3 a1=bfea6404 a2=bfea6410
type=AVC msg=audit(1150920370.874:1781): avc:  denied  { write } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1150920370.874:1781): avc:  denied  { nlmsg_read } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1781): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKADDR msg=audit(1150920370.874:1781): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1150920370.874:1781): nargs=6 a0=3 a1=bfea63bc a2=14 a3=0 a4=bfea63d0 a5=c
type=AVC msg=audit(1150920370.874:1782): avc:  denied  { read } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1782): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKETCALL msg=audit(1150920370.874:1782): nargs=3 a0=3 a1=bfea63a0 a2=0
type=AVC msg=audit(1150920370.874:1783): avc:  denied  { search } for  pid=4787 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1150920370.874:1783): arch=40000003 syscall=12 success=yes exit=0 a0=bfea5562 a1=0 a2=4891eff4 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1150920370.874:1783):  cwd="/"
type=PATH msg=audit(1150920370.874:1783): item=0 name="/var/dcc" flags=3  inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150920370.878:1784): avc:  denied  { read write } for  pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1150920370.878:1784): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1150920370.878:1784):  cwd="/var/dcc"
type=PATH msg=audit(1150920370.878:1784): item=0 name="/var/dcc/map" flags=101  inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150920370.878:1785): avc:  denied  { getattr } for  pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1150920370.878:1785): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfea5378 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1150920370.878:1785):  path="/var/dcc/map"
type=AVC msg=audit(1150920370.878:1786): avc:  denied  { lock } for  pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1150920370.878:1786): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfea64f4 a3=bfea64f4 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1150920370.878:1786):  path="/var/dcc/map"



It would seem that I just noted what may be a valuable piece of
information here.

When testing the remote checks by using the test spam e-mail:

cat /usr/share/doc/spamassassin-3.1.3/sample-spam.txt | spamassassin -D

there are no avc's generated.

However, the above avc's were generated after an e-mail came through the
normal fetchmail process, where postfix/procmail are being used to fire
up spamassassin.

I just replicated both processes and indeed, no avc's were generated
with the test e-mail, but as soon as a new inbound e-mail came through,
avc's.

Curious.

Marc
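
Added example (not part of the original message): a short Python script that collapses AVC denials like those above into one line per (source type, target type, object class), which makes it easy to see that every denial comes from the spamd_t domain. The function names and the summary format are assumptions made for this illustration; the sample records are copied from the log in the message.

```python
import re
from collections import defaultdict

# Constructed sample: records copied from the audit log in the message above
# (four AVC denials plus two companion records that must be skipped).
SAMPLE = '''\
type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute_no_trans } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC_PATH msg=audit(1150920365.865:1776):  path="/usr/bin/pyzor"
type=AVC msg=audit(1150920370.874:1778): avc:  denied  { create } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SOCKETCALL msg=audit(1150920370.874:1778): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1150920370.878:1784): avc:  denied  { read write } for  pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
'''

# "type=AVC msg=" (with the space) deliberately excludes type=AVC_PATH records.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def sel_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "events": set()})
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # SYSCALL, PATH, CWD, AVC_PATH, ... are not denials
        serial, perms, rest = m.groups()
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        key = (sel_type(f["scontext"]), sel_type(f["tcontext"]), f["tclass"])
        groups[key]["perms"].update(perms.split())
        groups[key]["comms"].add(f["comm"])
        groups[key]["events"].add(serial)  # audit event serial number
    return dict(groups)


def render(summary):
    """One readable line per group, sorted for stable output."""
    return ["%s -> %s:%s { %s } comm=%s" % (
                s, t, c, " ".join(sorted(g["perms"])), ",".join(sorted(g["comms"])))
            for (s, t, c), g in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```
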





More information about the fedora-selinux-list mailing list