postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed May 31 14:15:13 UTC 2006


Paul Howarth wrote:
> On Tue, 2006-05-30 at 14:47 -0500, Marc Schwartz (via MN) wrote:
>> For reference, here is my ~/.procmailrc:
>>
>> # Scan for viruses using ClamAV + clamassassin
>> :0 fw
>> | /usr/local/bin/clamassassin
>>
>> # Scan with SpamAssassin (+ razor, pyzor and dcc)
>> :0 fw
>> | /usr/bin/spamc -s 256000

Could you also try adding a recipe for forwarding mail somewhere off 
your system? I suspect that may also fail with postfix as your MTA, and 
we might as well fix that whilst we're here.

Something like this ought to do:

# Test forwarding
:0
* Subject: forwarding test
! myaccount@hotmail.com

>> I'm not sure how much you might need/want, but here is a sampling. I
>> tried to catch what appear to be complete "cycles" in each case.
>>
>> Here are some using grep 'procmail':
>>
>> type=AVC_PATH msg=audit(1149015973.940:563):  path="/home/marcs/.procmailrc"
>> type=PATH msg=audit(1149015973.940:563): item=0 name="/home/marcs/.procmailrc" flags=1  inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149015973.940:564): avc:  denied  { read } for  pid=11095 comm="procmail" name=".procmailrc" dev=dm-0 ino=426353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
>> type=SYSCALL msg=audit(1149015973.940:564): arch=40000003 syscall=5 success=yes exit=4 a0=9337d60 a1=8000 a2=0 a3=8000 items=1 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
>> type=PATH msg=audit(1149015973.940:564): item=0 name="/home/marcs/.procmailrc" flags=101  inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
> 
> This one's a labelling problem. I don't think you should have anything
> labelled file_t on the system. Try changing the context of ~/.procmailrc
> to user_home_t.

In fact you should relabel your entire home directory:
$ restorecon -Rv /home/marcs

That should do until such time as you can do a full relabel of the system.

>> type=AVC msg=audit(1149015973.956:565): avc:  denied  { execute } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
>> type=AVC msg=audit(1149015973.956:565): avc:  denied  { execute_no_trans } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> 
> This needs a policy change. There needs to be a domain transition from
> procmail_t to (I think) clamscan_exec_t. This could be done with a
> policy module in the short term, and when it's working properly, publish
> the fix on fedora-selinux-list and it should get included in the main
> policy.

I shall address this in a policy module (see below).

>> Here are some using grep 'postfix':
>>
>> type=SYSCALL msg=audit(1149014661.600:328): arch=40000003 syscall=196 success=no exit=-2 a0=9769930 a1=bf8a4b80 a2=580ff4 a3=3 items=1 pid=8367 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="local" exe="/usr/libexec/postfix/local"
>> type=CWD msg=audit(1149014661.600:328):  cwd="/var/spool/postfix"
>> type=CWD msg=audit(1149014661.604:329):  cwd="/var/spool/postfix"
>> type=CWD msg=audit(1149014661.604:330):  cwd="/var/spool/postfix"
>> type=AVC msg=audit(1149014770.075:378): avc:  denied  { search } for  pid=8646 comm="local" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
> 
> That looks like a mis-labelled directory.

You'll need to figure out which directory this refers to (grep for 
1149014770.075:378 in the log file) and use restorecon to fix the label.

>> Some using grep 'pyzor'. Note that neither 'razor' nor 'dcc' are showing
>> up curiously:
>>
>> type=AVC_PATH msg=audit(1149015851.011:541):  path="/home/marcs/.pyzor"
>> type=PATH msg=audit(1149015851.011:541): item=0 name="/home/marcs/.pyzor" flags=1  inode=427255 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149015851.015:542): avc:  denied  { getattr } for  pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
>> type=SYSCALL msg=audit(1149015851.015:542): arch=40000003 syscall=195 success=yes exit=0 a0=86c1fb0 a1=bf9b8da8 a2=4891eff4 a3=868e1b0 items=1 pid=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
>> type=AVC_PATH msg=audit(1149015851.015:542):  path="/home/marcs/.pyzor/servers"
>> type=PATH msg=audit(1149015851.015:542): item=0 name="/home/marcs/.pyzor/servers" flags=1  inode=427256 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149015851.015:543): avc:  denied  { search } for  pid=10802 comm="pyzor" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
>> type=AVC msg=audit(1149015851.015:543): avc:  denied  { read } for  pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
>> type=SYSCALL msg=audit(1149015851.015:543): arch=40000003 syscall=5 success=yes exit=3 a0=87273d0 a1=8000 a2=1b6 a3=86e0b90 items=1 pid=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
>> type=PATH msg=audit(1149015851.015:543): item=0 name="/home/marcs/.pyzor/servers" flags=101  inode=427256 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149015851.027:544): avc:  denied  { search } for  pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>> type=AVC msg=audit(1149015851.027:544): avc:  denied  { write } for  pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>> type=AVC msg=audit(1149015851.027:544): avc:  denied  { add_name } for  pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>> type=AVC msg=audit(1149015851.027:544): avc:  denied  { create } for  pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> 
> Those look to me like things that should be allowed but I don't know
> anything about pyzor so maybe it can be used differently?

This appears to be doing two things that it's not currently allowed to do:
1. Read configs from the user's home directory
2. Create and use temp files.

These can probably be addressed by a separate policy module for pyzor 
but I'd rather fix the other issues first as there's a small chance that 
these might go away after doing that.

>> More with grep 'spamd':
>>
>> type=AVC msg=audit(1149017045.372:768): avc:  denied  { search } for  pid=1949 comm="spamd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1149017045.372:768): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
>> type=PATH msg=audit(1149017045.372:768): item=0 name="/home/marcs/.spamassassin/user_prefs" flags=1  inode=1193881 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149017045.380:769): avc:  denied  { getattr } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
>> type=SYSCALL msg=audit(1149017045.380:769): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
>> type=AVC_PATH msg=audit(1149017045.380:769):  path="/home/marcs/.spamassassin/bayes_toks"
>> type=PATH msg=audit(1149017045.380:769): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=1  inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149017045.380:770): avc:  denied  { read } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
>> type=SYSCALL msg=audit(1149017045.380:770): arch=40000003 syscall=5 success=yes exit=8 a0=b1db3b8 a1=8000 a2=0 a3=8000 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
>> type=PATH msg=audit(1149017045.380:770): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=101  inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149017047.188:771): avc:  denied  { append } for  pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
>> type=SYSCALL msg=audit(1149017047.188:771): arch=40000003 syscall=5 success=yes exit=10 a0=b8211d8 a1=8441 a2=1b6 a3=8441 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
>> type=PATH msg=audit(1149017047.188:771): item=0 name="/home/marcs/.spamassassin/bayes_journal" flags=310  inode=1193874 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
>> type=AVC msg=audit(1149017047.188:772): avc:  denied  { ioctl } for  pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
>> type=SYSCALL msg=audit(1149017047.188:772): arch=40000003 syscall=54 success=no exit=-25 a0=a a1=5401 a2=bf84f5d8 a3=bf84f618 items=0 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
>> type=AVC_PATH msg=audit(1149017047.188:772):  path="/home/marcs/.spamassassin/bayes_journal"
>> type=AVC msg=audit(1149017047.828:791): avc:  denied  { write } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> 
> More mislabelled files. I think you need to relabel the system.

These should all be fixed if you've run restorecon on your home directory.

Right now, time for the local policy module.

Set yourself up for making local policy modules:

# yum install checkpolicy
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .

Make a local policy module for this issue, in this directory:

1. Create a file procmail.te with this content:

policy_module(procmail, 0.5.0)

require {
         type procmail_t;
};

# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)

# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })

# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)

# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamscan_domtrans(procmail_t)

2. Create a file procmail.fc with this content:

/var/log/procmail\.log  --  gen_context(system_u:object_r:procmail_var_log_t,s0)

(that's one long line)

3. Create an empty procmail.if file:

# touch procmail.if

4. Build the policy module

# make

Finally, install your new policy module:

# semodule -i procmail.pp

Keep running in permissive mode and test out a few things. You should 
get significantly fewer denials. Please report back whatever you get.

Paul.
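
Added example (not part of the original message): a small Python triage of audit records like those quoted above. It groups records by audit event ID, pairs each AVC denial with a path from the same event's AVC_PATH or PATH record, and applies the rule of thumb used in this thread that a target labelled file_t means "relabel with restorecon" while anything else needs a policy change. The function name `triage` and the abridged sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Records abridged from the audit excerpts quoted in this message
# (fields not needed for triage were dropped).
SAMPLE = '''\
type=AVC msg=audit(1149015973.940:564): avc:  denied  { read } for  pid=11095 comm="procmail" name=".procmailrc" dev=dm-0 ino=426353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=PATH msg=audit(1149015973.940:564): item=0 name="/home/marcs/.procmailrc" flags=101  inode=426353 dev=fd:00
type=AVC msg=audit(1149015973.956:565): avc:  denied  { execute } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149014770.075:378): avc:  denied  { search } for  pid=8646 comm="local" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
'''

EVENT = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
AVC = re.compile(
    r'denied\s+\{ ([^}]+?) \}.*?comm="([^"]+)".*?'
    r'scontext=[^:\s]+:[^:\s]+:([^:\s]+)\S* tcontext=[^:\s]+:[^:\s]+:([^:\s]+)\S* tclass=(\w+)')
PATH = re.compile(r'\b(?:path|name)="(/[^"]*)"')

def triage(log_text):
    """Return one dict per AVC denial, with a path and a suggested action."""
    avcs, paths = [], defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.match(line.lstrip('> '))      # tolerate mail-quoted lines
        if not m:
            continue
        rtype, event, body = m.groups()
        if rtype == 'AVC' and (d := AVC.search(body)):
            avcs.append((event, d.groups()))
        elif rtype in ('AVC_PATH', 'PATH') and (p := PATH.search(body)):
            paths[event].append(p.group(1))
    results = []
    for event, (perms, comm, src, tgt, tclass) in avcs:
        # file_t target: the object is unlabelled, so restorecon is the fix.
        # Any other target type: the access needs a policy rule or transition.
        action = 'relabel' if tgt == 'file_t' else 'policy'
        results.append({'event': event, 'comm': comm, 'perms': perms.split(),
                        'source': src, 'target': tgt, 'tclass': tclass,
                        'path': (paths.get(event) or [None])[0], 'action': action})
    return results

if __name__ == '__main__':
    for r in triage(SAMPLE):
        print(r['event'], r['comm'], r['perms'], r['target'], r['path'], r['action'])
```

A result with `path` set to None (event 1149014770.075:378 here) has no path record in the sample, so the full log has to be searched for that event ID.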



