postfix, procmail and SELinux - No Go
Paul Howarth
paul at city-fan.org
Wed Jun 28 21:23:47 UTC 2006
On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
> On Wed, 2006-06-28 at 21:13 +0100, Paul Howarth wrote:
> > On Wed, 2006-06-28 at 14:22 -0500, Marc Schwartz (via MN) wrote:
> > > New avc's:
> > >
> > > type=AVC msg=audit(1151521329.964:1158): avc: denied { search } for pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 a0=939f848 a1=bffd2e80 a2=721ff4 a3=3 items=1 pid=5442 auid=4294967295 uid=0 gid=0 euid=100 suid=0 fsuid=100 egid=101 sgid=0 fsgid=101 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
> > > type=CWD msg=audit(1151521329.964:1158): cwd="/var/spool/postfix"
> > > type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
> >
> > postfix local looking in /var/lib/clamav
> >
> > > type=AVC msg=audit(1151521329.988:1159): avc: denied { search } for pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 a0=8dd0d60 a1=bfe27a6c a2=4891eff4 a3=0 items=1 pid=5449 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0
> > > type=CWD msg=audit(1151521329.988:1159): cwd="/var/spool/postfix"
> >
> > same for procmail
> >
> > This appears to be postfix local and procmail trying to
> > read /var/lib/clamav/.forward; does that sound reasonable?
>
> There are no .forward files on my system at all, unless that is a temp
> file, which does not make sense location-wise.
>
> A Google search came up empty for that file, so I can only presume that
> there are certain configuration scenarios where the pipelining of
> e-mails would require that file.
>
> Since I am using clamassassin, I also searched through that script and
> noted nothing relevant here.
>
> Not sure what else to make of it.
That might be dontaudit-able. Is /var/lib/clamav any user's home
directory?
> > You can bump myclamav.te to version 0.1.5 and append the following:
> >
> > # ===========================================
> > # things that should be done via an interface
> > # ===========================================
> > allow postfix_local_t clamd_var_lib_t:dir r_dir_perms;
> > allow procmail_t clamd_var_lib_t:dir r_dir_perms;
> >
> > Paul.
>
> Done, including the add in your second e-mail.
>
> # semodule -l
> amavis 1.0.4
> clamav 1.0.1
> dcc 1.0.0
> myclamav 0.1.5
> mydcc 0.1.8
> mypostfix 0.1.0
> mypyzor 0.2.3
> myspamassassin 0.1.1
> procmail 0.5.4
> pyzor 1.0.1
> razor 1.0.0
>
>
> No further avc's at this time.
>
> Is it time to venture back into the Enforcing World once again?
Give it a try. Bear in mind it may fail if any of the dontaudit rules
should be allows instead.
Paul.
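The two denials quoted above, as an added example that is not part of this thread or of the SELinux tools: a Python script that groups the AVC, SYSCALL and PATH records by audit event id, extracts source type, target type, class and permission, and emits one reviewable TE rule per event in the same form as the myclamav.te lines. The dontaudit-versus-allow choice is an assumed heuristic of this example (exit=-2 on the paired SYSCALL record means the lookup ran in permissive mode and found no file), not audit2allow's logic; the sample log is a constructed, abbreviated copy of the records above.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of the audit records quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1151521329.964:1158): avc: denied { search } for pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 items=1 pid=5442 comm="local" exe="/usr/libexec/postfix/local"
type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1151521329.988:1159): avc: denied { search } for pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 items=1 pid=5449 comm="procmail" exe="/usr/bin/procmail"
"""

EVENT_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\): (?P<body>.*)')
AVC_RE = re.compile(r'denied +\{ (?P<perms>[^}]+)\} .*?scontext=(?P<s>\S+) +tcontext=(?P<t>\S+) +tclass=(?P<c>\S+)')
ENOENT = -2   # exit=-2 on the SYSCALL record: the lookup ran (permissive mode) and found no file

def type_of(context):
    """The third field of an SELinux context is the type, e.g. postfix_local_t."""
    return context.split(':')[2]

def parse_events(text):
    """Group audit records by event id; returns {event_id: {record_type: body}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events[m.group('id')][m.group('type')] = m.group('body')
    return events

def suggest_rules(text):
    """One TE rule per AVC event, annotated with the path from its PATH record.
    Heuristic (an assumption of this example, not audit2allow's logic): a paired
    SYSCALL record with exit=-2 means the access was a probe for a file that does
    not exist, so dontaudit is the first candidate; anything else gets an allow.
    """
    rules = []
    for eid, recs in sorted(parse_events(text).items()):
        m = AVC_RE.search(recs.get('AVC', ''))
        if not m:
            continue   # event without an AVC record: nothing to derive
        exit_m = re.search(r'exit=(-?\d+)', recs.get('SYSCALL', ''))
        probe = exit_m is not None and int(exit_m.group(1)) == ENOENT
        verb = 'dontaudit' if probe else 'allow'
        path_m = re.search(r'name="([^"]+)"', recs.get('PATH', ''))
        path = path_m.group(1) if path_m else '(no PATH record)'
        rules.append(f"{verb} {type_of(m.group('s'))} {type_of(m.group('t'))}:"
                     f"{m.group('c')} {{ {m.group('perms').strip()} }};  # {path}")
    return rules
```

Calling `suggest_rules(SAMPLE_AUDIT_LOG)` yields a dontaudit line for each of the two denials, the first tagged with /var/lib/clamav/.forward because only that event had a PATH record quoted; rerunning the same records from an enforcing system (exit=-13) turns them into allow rules for review.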