Mail problems...
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 13 21:21:19 UTC 2007
melaina at libero.it wrote:
> Hello,
>
> a follow-up to my last e-mail. I fear part of the problem may be caused by the policy shipping with Plesk, contained in the file plesk.te. Could this transition be causing the issue?
>
> # qmail permissions
> # always enabled
> allow system_mail_t system_mail_t:fifo_file rw_file_perms;
> can_exec(system_mail_t, sendmail_exec_t)
> r_dir_file(system_mail_t, sendmail_exec_t)
> ifdef(`mta.te', `
> domain_auto_trans(httpd_sys_script_t, sendmail_exec_t, system_mail_t)
> ')
>
>
THis says that if a cgi script comes upon a sendmail_exec_t it will
transition to a system_mail_t, And it adds the ability for system_mail_t
to exec sendmail_t files, AS well as talk to itself via a fifo_file.
>
> ---------- Initial Header -----------
>
> From : "Daniel J Walsh" dwalsh at redhat.com
> To : "melaina at libero.it" melaina at libero.it
> Cc : "fedora-selinux-list" fedora-selinux-list at redhat.com
> Date : Tue, 06 Feb 2007 12:15:05 -0500
> Subject : Re: Mail problems...
>
>
>
>
>
>
>
>
>> melaina at libero.it wrote:
>>
>>> Hello!
>>>
>>> I have just started playing a bit with SELinux in permissive mode on my system. I have qmail with spamassassin installed; the only AVC denied messages I get (after I relabeled the system and fixed domains on a couple of log files), is the following:
>>>
>>> Jan 30 20:23:13 drake kernel: audit(1170210193.998:8): avc: denied { read } for pid=11862 comm="sendmail" name="RsmVLSTr" dev=loop0 ino=20 scontext=user_u: system_r:system_mail_t tcontext=user_u:object_r:httpd_sys_script_rw_t tclass=fil e
>>> Jan 30 20:23:13 drake kernel: audit(1170210193.998:9): avc: denied { read wr ite } for pid=11862 comm="sendmail" name="jk-runtime-status" dev=hda5 ino=49827 49 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tclass=file
>>> Jan 30 20:23:14 drake kernel: audit(1170210194.019:10): avc: denied { ioctl } for pid=11863 comm="qmail-scanner-q" name="error_log" dev=hda5 ino=4984894 sc ontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tcla ss=file
>>> Jan 30 20:23:14 drake kernel: audit(1170210194.026:11): avc: denied { read } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 scontext= user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=file
>>> Jan 30 20:23:14 drake kernel: audit(1170210194.026:12): avc: denied { getatt r } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 sconte xt=user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=f ile
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.204:13): avc: denied { append } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 s context=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tcl ass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.204:14): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 sc ontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tcla ss=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.205:15): avc: denied { getatt r } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tc lass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.206:16): avc: denied { read } for pid=11863 comm="perl5.8.5" name="qmail-scanner-queue-version.txt" dev=hda5 ino=5130273 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:v ar_spool_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.208:17): avc: denied { write } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=5195094 scontext=user_ u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.208:18): avc: denied { add_na me } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com1170210195772118 63" scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_ t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.208:19): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863 " scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tc lass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.409:20): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863 " scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tc lass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.410:21): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.410:22): avc: denied { getatt r } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com11702101957721186 3" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:o bject_r:var_spool_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.414:23): avc: denied { write } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.418:24): avc: denied { link } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:obje ct_r:var_spool_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.419:25): avc: denied { remove _name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com1170210195772 11863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=syst em_u:object_r:var_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.419:26): avc: denied { unlink } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863 " dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:ob ject_r:var_spool_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.424:27): avc: denied { read w rite } for pid=11864 comm="sh" name="tty" dev=tmpfs ino=1804 scontext=user_u:sy stem_r:system_mail_t tcontext=system_u:object_r:devtty_t tclass=chr_file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.431:28): avc: denied { read } for pid=11865 comm="sh" name="drake.mydomain.com117021019577211863" dev=hda 5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:va r_spool_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.434:29): avc: denied { write } for pid=11865 comm="reformime" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.434:30): avc: denied { add_na me } for pid=11865 comm="reformime" name="1170210195.11865-0.drake.mydomain. com" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.739:31): avc: denied { read } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:obje ct_r:var_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.755:32): avc: denied { read } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=4980740 scontext=user_u :system_r:system_mail_t tcontext=system_u:object_r:var_t tclass=lnk_file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.795:33): avc: denied { execut e } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=us er_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.796:34): avc: denied { execut e_no_trans } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 sc ontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=fi le
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.796:35): avc: denied { read } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_ u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.798:36): avc: denied { search } for pid=11867 comm="find" name="selinux" dev=hda5 ino=557257 scontext=user_u :system_r:system_mail_t tcontext=system_u:object_r:selinux_config_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.798:37): avc: denied { read } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:sy stem_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.798:38): avc: denied { getatt r } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u :system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.860:39): avc: denied { read } for pid=11871 comm="rm" name="qscan" dev=hda5 ino=5130256 scontext=user_u:syst em_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.860:40): avc: denied { remove _name } for pid=11871 comm="rm" name="1170210195.11865-0.drake.mydomain.com" dev=hda5 ino=5408222 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.861:41): avc: denied { rmdir } for pid=11871 comm="rm" name="drake.mydomain.com117021019577211863" dev=hd a5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:v ar_spool_t tclass=dir
>>> Jan 30 20:23:15 drake kernel: audit(1170210195.873:42): avc: denied { sigchl d } for pid=1 comm="init" scontext=user_u:system_r:system_mail_t tcontext=user_ u:system_r:unconfined_t tclass=process
>>>
>>> Any directions to fix this?
>>>
>>> Thanks!
>>>
>>>
>> This looks like qmail is doing a lot more stuff then a normal sendmail
>> would do.
>>
>> Running this log file under audit2allow gives the following rules
>>
>> allow system_mail_t devtty_t:chr_file { read write };
>> > This probably can be ignored.
>> allow system_mail_t file_t:file { execute execute_no_trans read };
>> > Indicates something is still mislabeled.
>> allow system_mail_t httpd_log_t:file { ioctl read write };
>> > Why would mail be updating httpd_log_t
>> allow system_mail_t httpd_sys_script_rw_t:file read;
>> >Reading a script file?
>> allow system_mail_t selinux_config_t:dir search;
>> allow system_mail_t selinux_config_t:file { getattr read };
>> > These disappear in enforcing mode.
>> allow system_mail_t self:file { getattr read };
>> > Qmail specific
>> allow system_mail_t unconfined_t:process sigchld;
>> > qmail is somehow execing init to send a sigchld to an unconfined
>> process???
>> allow system_mail_t var_spool_t:dir { add_name create read remove_name
>> rmdir write };
>> allow system_mail_t var_spool_t:file { append create getattr ioctl link
>> read unlink write };
>> allow system_mail_t var_t:lnk_file read;
>> > qmail is updating files in /var/spool?
>>
>>
>>
>>> ------------------------------------------------------
>>> Mutuo da 200.000 €? Tassi ridotti da 4.25%. Solo per richieste online. Mutuionline.it
>>> http://click.libero.it/mutuionline31ge07
>>>
>>>
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>>
>>
>>
>
>
> ------------------------------------------------------
> Passa a Infostrada. ADSL e Telefono senza limiti e senza canone Telecom
> http://click.libero.it/infostrada11feb07
>
>
>
More information about the fedora-selinux-list
mailing list