postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Tue Jun 27 17:34:25 UTC 2006


On Tue, 2006-06-27 at 17:20 +0100, Paul Howarth wrote:

<snip>

The changes to the razor and pyzor locations have been made.

I did move .razor to /etc/mail/spamassassin/razor and I also moved pyzor
to /etc/mail/spamassassin/pyzor.

Note that in my prior reply, the paths that I listed
as /etc/spamassassin/...  should in fact be /etc/mail/spamassassin.  My
typos.

<snip of avc's and comments>

> Updated policy:

<snip of new policies>

# semodule -l
amavis  1.0.4
clamav  1.0.1
dcc     1.0.0
myclamav        0.1.3
mydcc   0.1.8
mypostfix       0.1.0
mypyzor 0.2.2
myspamassassin  0.1.1
procmail        0.5.4
pyzor   1.0.1
razor   1.0.0


type=AVC msg=audit(1151428802.918:884): avc:  denied  { use } for  pid=5062 comm="clamscan" name="[150534]" dev=pipefs ino=150534 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fd
type=SYSCALL msg=audit(1151428802.918:884): arch=40000003 syscall=11 success=yes exit=0 a0=9181c00 a1=9181210 a2=9181dd0 a3=9181d90 items=2 pid=5062 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC_PATH msg=audit(1151428802.918:884):  path="pipe:[150534]"
type=CWD msg=audit(1151428802.918:884):  cwd="/home/marcs"
type=PATH msg=audit(1151428802.918:884): item=0 name="/usr/bin/clamscan" inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamscan_exec_t:s0
type=PATH msg=audit(1151428802.918:884): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151428805.919:885): avc:  denied  { create } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151428805.919:885): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfeffef8 a2=4891eff4 a3=95fe1b0 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=SOCKETCALL msg=audit(1151428805.919:885): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1151428805.923:886): avc:  denied  { bind } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151428805.923:886): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfeffef8 a2=4891eff4 a3=3 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=SOCKADDR msg=audit(1151428805.923:886): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1151428805.923:886): nargs=3 a0=3 a1=bfefff04 a2=c
type=AVC msg=audit(1151428805.923:887): avc:  denied  { getattr } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151428805.923:887): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfeffef8 a2=4891eff4 a3=3 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=SOCKADDR msg=audit(1151428805.923:887): saddr=10000000DC13000000000000
type=SOCKETCALL msg=audit(1151428805.923:887): nargs=3 a0=3 a1=bfefff04 a2=bfefff10
type=AVC msg=audit(1151428805.923:888): avc:  denied  { write } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1151428805.923:888): avc:  denied  { nlmsg_read } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151428805.923:888): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfefee44 a2=4891eff4 a3=ffffffcc items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=SOCKADDR msg=audit(1151428805.923:888): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1151428805.923:888): nargs=6 a0=3 a1=bfeffebc a2=14 a3=0 a4=bfeffed0 a5=c
type=AVC msg=audit(1151428805.923:889): avc:  denied  { read } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151428805.923:889): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfefee44 a2=4891eff4 a3=ffffffcc items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=SOCKADDR msg=audit(1151428805.923:889): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1151428805.923:889): nargs=3 a0=3 a1=bfeffea0 a2=0
type=AVC msg=audit(1151428805.923:890): avc:  denied  { search } for  pid=5084 comm="pyzor" name="nscd" dev=dm-1 ino=87802 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1151428805.923:890): arch=40000003 syscall=102 success=no exit=-2 a0=3 a1=bfeffab4 a2=4891eff4 a3=48909fd4 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=SOCKADDR msg=audit(1151428805.923:890): saddr=01002F7661722F72756E2F6E7363642F736F636B657400D8CD0040F3CD00AC8BC9B718FBEFBF6B5AC300AC8BC9B780DBC7B71C2360094ACCC00020E0C9B7241F600900000000E4D8CD00AC8BC9B700000000F8FCEFBF7BC7C600AC8BC9B780DBC7B71C236009E4D8CD0001000000
type=SOCKETCALL msg=audit(1151428805.923:890): nargs=3 a0=3 a1=bfeffac6 a2=6e
type=AVC msg=audit(1151428805.923:891): avc:  denied  { name_connect } for  pid=5084 comm="pyzor" dest=80 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1151428805.923:891): avc:  denied  { send_msg } for  pid=5084 comm="pyzor" saddr=192.168.0.64 src=40031 daddr=66.35.250.209 dest=80 netif=eth0 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1151428806.007:892): avc:  denied  { recv_msg } for  pid=5078 comm="clamscan" saddr=66.35.250.209 src=80 daddr=192.168.0.64 dest=40031 netif=eth0 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1151428805.923:891): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfeffe10 a2=2c9118 a3=b7ef3aa0 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=SOCKADDR msg=audit(1151428805.923:891): saddr=020000504223FAD10000000000000000
type=SOCKETCALL msg=audit(1151428805.923:891): nargs=3 a0=3 a1=b7ef3ab8 a2=10


One thing to note here. I am on the new kernel: 2.6.17-1.2139_FC5

There have been some flaky things going on with networking as you may
have noted on the general FC list, just in case any of that is relevant
here. I have not installed the new (updates testing) initscripts as of
yet, as I am still trying to get a sense of where things stand. I have
seen some issues with network configs and device labelling issues,
including wireless instability (using the bcm43xx driver) which was
working under the former kernel with ndiswrapper. FWIW.

Thanks,

Marc
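A small parser for records like the ones above, as an added example that is not part of Marc's post or of the Fedora policy tools (audit2allow does the real job): it collapses the AVC denials into allow rules keyed on (source type, target type, class) and cross-checks each AVC with the SYSCALL record carrying the same audit serial, because a "denied" AVC next to success=yes is the signature of a system running permissive. The sample input is a constructed subset of the records quoted above, trimmed to the fields the parser reads; the function names and regular expressions are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC/SYSCALL records quoted in the post,
# trimmed to the fields this parser needs. Serials are the audit(...) ids.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1151428802.918:884): avc:  denied  { use } for  pid=5062 comm="clamscan" name="[150534]" dev=pipefs ino=150534 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fd
type=SYSCALL msg=audit(1151428802.918:884): arch=40000003 syscall=11 success=yes exit=0 pid=5062 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1151428805.923:888): avc:  denied  { write } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1151428805.923:888): avc:  denied  { nlmsg_read } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151428805.923:888): arch=40000003 syscall=102 success=yes exit=20 pid=5084 comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=AVC msg=audit(1151428805.923:890): avc:  denied  { search } for  pid=5084 comm="pyzor" name="nscd" dev=dm-1 ino=87802 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1151428805.923:890): arch=40000003 syscall=102 success=no exit=-2 pid=5084 comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=AVC msg=audit(1151428805.923:891): avc:  denied  { name_connect } for  pid=5084 comm="pyzor" dest=80 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1151428805.923:891): arch=40000003 syscall=102 success=yes exit=0 pid=5084 comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
"""

# One AVC record: serial, the permission set in braces, and the two contexts + class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)
# The matching SYSCALL record: we only care whether the kernel let the call through.
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<serial>[\d.]+:\d+)\): .*?success=(?P<success>yes|no)'
)


def _type_of(context):
    # user:role:type:level -> type (e.g. system_u:object_r:http_port_t:s0 -> http_port_t)
    return context.split(':')[2]


def parse_denials(text):
    """Return one dict per AVC record, with the SYSCALL outcome of the same serial attached."""
    outcome = {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            outcome[m.group('serial')] = m.group('success')
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            denials.append({
                'serial': m.group('serial'),
                'perms': set(m.group('perms').split()),
                'source': _type_of(m.group('scon')),
                'target': _type_of(m.group('tcon')),
                'tclass': m.group('tclass'),
                'success': outcome.get(m.group('serial')),   # None if no SYSCALL seen
            })
    return denials


def allow_rules(denials):
    """Merge denials into audit2allow-style allow rules, one per (source, target, class).

    A target equal to the source is written as 'self', as policy language expects.
    """
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt_str = 'self' if src == tgt else tgt
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt_str}:{cls} {perm_str};')
    return rules


def permissive_evidence(denials):
    """Serials whose AVC says 'denied' while the SYSCALL of the same serial reports success=yes.

    With SELinux enforcing, the denied operation fails; seeing both together means the
    denial was logged but not enforced, i.e. the system (or domain) was permissive.
    """
    return sorted({d['serial'] for d in denials if d['success'] == 'yes'})


if __name__ == '__main__':
    found = parse_denials(SAMPLE_AUDIT)
    for rule in allow_rules(found):
        print(rule)
    print('permissive-mode serials:', permissive_evidence(found))
```

The generated rules are the starting point for a review, not something to load as-is: each one should be checked against what the program legitimately needs (whether pyzor should really be opening TCP connections to http_port_t, for instance) before it goes into a local module with checkmodule/semodule_package and semodule -i.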





More information about the fedora-selinux-list mailing list