postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Tue Jun 27 04:11:03 UTC 2006


On Tue, 2006-06-27 at 00:05 +0100, Paul Howarth wrote:
> On Mon, 2006-06-26 at 15:22 -0500, Marc Schwartz (via MN) wrote:
> > Not sure about why /.razor and /.pyzor get created. The files in them
> > are stamped with the same date/time as the cron jobs, however do not get
> > updated when I run the same update programs from the CLI as with root's
> > below. Something with ENV variables or UID I suspect, but not sure.
> 
> Probably, yes.
> 
> > The root dirs (/root/.pyzor and /root/.razor, as well as the razor log
> > file in /root) seem to get created during the cron jobs and I could
> > replicate this from the CLI.
> > 
> > However, see more below.

<snip>

> > > 
> > > The spamassassin wiki has a page on this:
> > > 
> > > http://wiki.apache.org/spamassassin/UsingPyzor
> > 
> > Thanks for this.  In addition, I read through:
> > 
> > http://wiki.apache.org/spamassassin/RazorSiteWide
> > http://wiki.apache.org/spamassassin/UsingRazor
> > http://wiki.apache.org/spamassassin/InstallingDCC
> > http://wiki.apache.org/spamassassin/UsingDcc
> > 
> > The result of which is the following:
> > 
> > 1. I made the following adds in /etc/mail/spamassassin/local.cf:
> > 
> > pyzor_options --homedir /etc/mail/spamassassin
> > razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
> > 
> > 
> > 2. I created /etc/mail/spamassassin/.razor/razor-agent.conf, which
> > contains:
> > 
> > razorhome = /etc/mail/spamassassin/.razor/
> 
> I share Nicolas' feelings about having hidden directories in /etc; this
> could be mitigated perhaps by having something like the ".pyzor"
> directory being replaced by a symlink to a "pyzor" directory.

No disagreement with either of you here.

The key here I believe is that we demonstrated a proof of concept, in
that we can control the locations where these files get written and do
so in a system-wide fashion, even if this ends up being unique to FC/FE
based installations due to SELinux requirements.

I have no vested interest in the specific locations and only used the
examples from the SA wiki as the basis for the initial attempt.

We can certainly come to some appropriate consensus as to where we want
them, whether higher in /etc or perhaps in /var.

If you guys provide some feedback, I can make the requisite changes.

> > 3. I modified the /etc/crontab commands that execute the pyzor and razor
> > updates to:
> > 
> > # Run pyzor update at 1:10 am
> > 10 01 * * * root /usr/bin/pyzor --homedir /etc/mail/spamassassin discover > /dev/null
> > 
> > # Run razor update at 1:20 am
> > 20 01 * * * root /usr/bin/razor-admin -home=/etc/mail/spamassassin/.razor -discover > /dev/null
> > 
> > 
> > The above now force the use of the system-wide SA settings in 1 and 2
> > above.
> 
> Good.

Yes indeed.

> > Note also that there is /etc/sysconfig/spamassassin, which contains:
> > 
> >   SPAMDOPTIONS="-d -c -m2 -H"
> > 
> > I only modified the '-m2' option to reduce the number of concurrent
> > sessions from 5 (-m5) to 2.  The '-H' option enables the specification
> > of a different HOME directory, which then enables the use of the above
> > config files for razor and pyzor when spamc/d are called. The other
> > options are FC installed defaults.
> > 
> > 
> > The result of all of this is that the pyzor and razor updates are now
> > limited to the system-wide file(s) in:
> > 
> > # For pyzor, the single file
> > /etc/mail/spamassassin/servers
> > 
> > # For razor, the dir tree
> > /etc/mail/spamassassin/.razor/*
> > 
> > Thus, no more user specific files are created.  Yeah!  :-)
> 
> Yeah!

:-)

> > Note also, that I _did not_ create new user groups to run these apps, as
> > is suggested on some of the above pages. The current configuration seems
> > to solve the problem without those additional steps.
> 
> OK.
> 
> > > > The dcc update process would need to stay in /etc/crontab since it 
> > > > downloads, compiles and installs the system-wide dcc client.
> > > 
> > > Compiles as root? Ugh!
> > 
> > Yep.  If there are any options on the DCC install page that I noted in
> > my other reply that make sense here, let me know. I am willing to try
> > alternatives.
> 
> Maybe later...

OK.

> > Of course, let me know on the dccproc context change and what you might
> > want to do about that.
> 
> Doing restorecon in the cron job will do for now. We might come back to
> this later to try to get it created with the correct context.

OK.  As noted in my other reply, the change to /etc/crontab has been
made.

> > > > Another option, perhaps, would be for the FE razor and pyzor maintainers 
> > > > to adjust the respective app defaults for FE with an eye towards SELinux 
> > > > policy issues in future updates. In that way, perhaps the default 
> > > > locations could be in /etc or /var as Nicolas notes above. That might 
> > > > provide for a means to handle both single user and multi user 
> > > > configurations, though the impact on other tools would need to be 
> > > > considered as may be appropriate.
> > > 
> > > If we can figure out how to make them work sanely, I'm confident that 
> > > the maintainers would be open to suggestions (preferably with patches).
> > 
> > Well, hopefully we are on the right track with the above.
> 
> Yes. I trust you're making notes :-)

Well, I have some of the key posts back and forth and of course the main
reference will be the list archive of this now, rather lengthy
thread...  :-)

<snip of avc's and comments>

> (snip)
> 
> The rest looked like repeats to me.
> 
> > If the above approach makes sense, then I think that this could become a
> > de facto install approach when running under SELinux, which is not a
> > general consideration for the more general installation instructions for
> > these various filtering apps.
> > 
> > This approach, I think, also has the attraction of not differentiating
> > between a single user install and a system-wide install, as I had
> > initially considered above.
> 
> Should be worth a page on the Fedora wiki eventually.

Yes indeed.  'lonely wolf' had requested this of me before I went to
Vienna and I'll need to get back to that once we stabilize things here.

> Updated policy:

<snip>

# semodule -l
amavis  1.0.4
clamav  1.0.1
dcc     1.0.0
myclamav        0.1.2
mydcc   0.1.7
mypostfix       0.1.0
mypyzor 0.2.2
myspamassassin  0.1.1
procmail        0.5.4
pyzor   1.0.1
razor   1.0.0


New avc's:

type=AVC msg=audit(1151379242.395:1987): avc:  denied  { use } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1151379242.395:1987): avc:  denied  { write } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1151379242.395:1987): arch=40000003 syscall=11 success=yes exit=0 a0=98dfd60 a1=98df008 a2=98e2bc8 a3=0 items=3 pid=32340 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
type=AVC_PATH msg=audit(1151379242.395:1987):  path="pipe:[125798]"
type=AVC_PATH msg=audit(1151379242.395:1987):  path="pipe:[125798]"
type=CWD msg=audit(1151379242.395:1987):  cwd="/home/marcs"
type=PATH msg=audit(1151379242.395:1987): item=0 name="/usr/local/bin/clamassassin" inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamassassin_exec_t:s0
type=PATH msg=audit(1151379242.395:1987): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1151379242.395:1987): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151379242.411:1988): avc:  denied  { read } for  pid=32344 comm="clamscan" name="[125803]" dev=pipefs ino=125803 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1151379242.411:1988): avc:  denied  { use } for  pid=32344 comm="clamscan" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1151379242.411:1988): avc:  denied  { write } for  pid=32344 comm="clamscan" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1151379242.411:1988): arch=40000003 syscall=11 success=yes exit=0 a0=8477c00 a1=8477210 a2=8477dd0 a3=8477d90 items=2 pid=32344 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC_PATH msg=audit(1151379242.411:1988):  path="pipe:[125798]"
type=AVC_PATH msg=audit(1151379242.411:1988):  path="pipe:[125798]"
type=AVC_PATH msg=audit(1151379242.411:1988):  path="pipe:[125803]"
type=CWD msg=audit(1151379242.411:1988):  cwd="/home/marcs"
type=PATH msg=audit(1151379242.411:1988): item=0 name="/usr/bin/clamscan" inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamscan_exec_t:s0
type=PATH msg=audit(1151379242.411:1988): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151379270.259:1989): avc:  denied  { search } for  pid=32363 comm="dccproc" name="/" dev=proc ino=1 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1151379270.259:1989): avc:  denied  { read } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1151379270.259:1989): arch=40000003 syscall=5 success=yes exit=5 a0=489093ef a1=0 a2=1b6 a3=9d26630 items=1 pid=32363 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=CWD msg=audit(1151379270.259:1989):  cwd="/var/dcc"
type=PATH msg=audit(1151379270.259:1989): item=0 name="/proc/meminfo" inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_t:s0
type=AVC msg=audit(1151379270.259:1990): avc:  denied  { getattr } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1151379270.259:1990): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfb18dfc a2=4891eff4 a3=5 items=0 pid=32363 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151379270.259:1990):  path="/proc/meminfo"
type=AVC msg=audit(1151380802.089:2109): avc:  denied  { use } for  pid=3200 comm="clamassassin" name="[133367]" dev=pipefs ino=133367 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1151380802.089:2109): avc:  denied  { write } for  pid=3200 comm="clamassassin" name="[133367]" dev=pipefs ino=133367 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1151380802.089:2109): arch=40000003 syscall=11 success=yes exit=0 a0=8c66d60 a1=8c66008 a2=8c69f20 a3=0 items=3 pid=3200 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
type=AVC_PATH msg=audit(1151380802.089:2109):  path="pipe:[133367]"
type=AVC_PATH msg=audit(1151380802.089:2109):  path="pipe:[133367]"
type=CWD msg=audit(1151380802.089:2109):  cwd="/home/marcs"
type=PATH msg=audit(1151380802.089:2109): item=0 name="/usr/local/bin/clamassassin" inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamassassin_exec_t:s0
type=PATH msg=audit(1151380802.089:2109): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(1151380802.089:2109): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151380802.101:2110): avc:  denied  { read } for  pid=3204 comm="clamscan" name="[133372]" dev=pipefs ino=133372 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1151380802.101:2110): avc:  denied  { use } for  pid=3204 comm="clamscan" name="[133367]" dev=pipefs ino=133367 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1151380802.101:2110): avc:  denied  { write } for  pid=3204 comm="clamscan" name="[133367]" dev=pipefs ino=133367 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1151380802.101:2110): arch=40000003 syscall=11 success=yes exit=0 a0=9d2bc00 a1=9d2b210 a2=9d2bdd0 a3=9d2bd90 items=2 pid=3204 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC_PATH msg=audit(1151380802.101:2110):  path="pipe:[133367]"
type=AVC_PATH msg=audit(1151380802.101:2110):  path="pipe:[133367]"
type=AVC_PATH msg=audit(1151380802.101:2110):  path="pipe:[133372]"
type=CWD msg=audit(1151380802.101:2110):  cwd="/home/marcs"
type=PATH msg=audit(1151380802.101:2110): item=0 name="/usr/bin/clamscan" inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamscan_exec_t:s0
type=PATH msg=audit(1151380802.101:2110): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0


Thanks Paul.

Marc
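Added example, not part of this thread and not code from any of the projects discussed: a small Python triage script for auditd AVC records of the kind quoted in the message above. It parses only the "type=AVC ... denied" records (SYSCALL, PATH, CWD and AVC_PATH records are skipped), groups the denied permissions by source type, target type and object class, and renders each group as a candidate TE allow rule in the form audit2allow prints. The embedded sample is a constructed string built from the records posted above (one SYSCALL line shortened); the function and constant names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records as posted in the thread (hypothetical host),
# plus one shortened SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151379242.395:1987): avc:  denied  { use } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1151379242.395:1987): avc:  denied  { write } for  pid=32340 comm="clamassassin" name="[125798]" dev=pipefs ino=125798 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1151379242.395:1987): arch=40000003 syscall=11 success=yes exit=0 pid=32340 uid=500 comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
type=AVC msg=audit(1151379242.411:1988): avc:  denied  { read } for  pid=32344 comm="clamscan" name="[125803]" dev=pipefs ino=125803 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1151379270.259:1989): avc:  denied  { search } for  pid=32363 comm="dccproc" name="/" dev=proc ino=1 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1151379270.259:1989): avc:  denied  { read } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1151379270.259:1990): avc:  denied  { getattr } for  pid=32363 comm="dccproc" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# Matches only denial records; "type=AVC_PATH" does not match because of the
# space after "AVC", and granted AVCs do not contain "denied".
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
# key=value tokens; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one 'type=AVC ... denied' record into a dict; return None for
    any other record type (SYSCALL, PATH, CWD, AVC_PATH) or a granted AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    return dict(summary)


def allow_rules(summary):
    """Render the summary as candidate TE allow rules, one per group, sorted
    for stable output. These are starting points for review, not a policy:
    a denial whose tcontext is a process domain (e.g. postfix_local_t on an
    fd or fifo_file) means the descriptor was inherited across the domain
    transition, and the right fix may be a dontaudit or a labelling change
    rather than an allow."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_str))
    return rules


if __name__ == '__main__':
    # Offline run over the constructed sample; on a live FC host the input
    # would instead be the output of `ausearch -m avc`.
    for rule in allow_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The grouping step is what makes the long dump above readable: the 30-odd records collapse to five source/target/class triples, and the two clamassassin and clamscan batches (serials 1987/1988 and 2109/2110) turn out to be the same denials repeated, which is what Paul observed.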




