Denials from spamc and webalizer on Centos 5.2

Murray McAllister mmcallis at redhat.com
Sat Jan 10 11:14:23 UTC 2009


Richard Chapman wrote:
> After some trouble getting the file-system relabelled - which was 
> eventually solved by Daniel's suggestion to change to a 5.3 preview 
> release of the policy packages - I now have (only) a couple of 
> intractable denials.
> 
> One seems to be related to procmail running spamc. The other seems to be 
> webalizer being denied access to squid logs. Here is some representative 
> troubleshooter output:
> 
> Summary
> SELinux is preventing spamc (procmail_t) "execute" to ./spamc 
> (spamc_exec_t).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but 
> was permitted due to permissive mode.]
> 
> SELinux denied access requested by spamc. It is not expected that this 
> access is required by spamc and this access may signal an intrusion 
> attempt. It is also possible that the specific version or configuration 
> of the application is causing it to require additional access.
> 
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to 
> restore the default system file context for ./spamc,
> 
> restorecon -v './spamc'
> 
> If this does not work, there is currently no automatic way to allow this 
> access. Instead, you can generate a local policy module to allow this 
> access - see FAQ 
> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can 
> disable SELinux protection altogether. Disabling SELinux protection is 
> not recommended. Please file a bug report 
> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
> 
> Additional Information
> 
> Source Context:   	system_u:system_r:procmail_t
> Target Context:   	system_u:object_r:spamc_exec_t
> Target Objects:   	./spamc [ file ]
> Source:   	spamc
> Source Path:   	/usr/bin/spamc
> Port:   	<Unknown>
> Host:   	C5.aardvark.com.au
> Source RPM Packages:   	spamassassin-3.2.4-1.el5
> Target RPM Packages:   	
> Policy RPM:   	selinux-policy-2.4.6-203.el5
> Selinux Enabled:   	True
> Policy Type:   	targeted
> MLS Enabled:   	True
> Enforcing Mode:   	Permissive
> Plugin Name:   	catchall_file
> Host Name:   	C5.aardvark.com.au
> Platform:   	Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 
> 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count:   	199
> First Seen:   	Wed Jan 7 21:12:56 2009
> Last Seen:   	Sat Jan 10 13:50:07 2009
> Local ID:   	72201679-d161-4d2d-8423-44b1b65a211f
> Line Numbers:

Fedora 10 has a rule that looks like it would resolve this issue:

$ sesearch --allow -s procmail_t -t spamc_exec_t
WARNING: This policy contained disabled aliases; they have been removed.
Found 1 semantic av rules:
    allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ;

selinux-policy-3.5.13-38.fc10.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch

Do you have this rule when running the 5.3 preview packages? I am not 
sure about your webalizer issue...
> 
> Raw Audit Messages :
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
> denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 
> ino=31336954 scontext=system_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
> denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 
> ino=31336954 scontext=system_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
> denied { execute_no_trans } for pid=16474 comm="procmail" 
> path="/usr/bin/spamc" dev=dm-0 ino=31336954 
> scontext=system_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
> denied { execute_no_trans } for pid=16474 comm="procmail" 
> path="/usr/bin/spamc" dev=dm-0 ino=31336954 
> scontext=system_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" 
> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" 
> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): 
> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 
> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 
> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 
> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" 
> subj=system_u:system_r:procmail_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): 
> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 
> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 
> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 
> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" 
> subj=system_u:system_r:procmail_t:s0 key=(null)
> 
> 
> 
> 
> Summary
> SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer 
> (bin_t).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but 
> was permitted due to permissive mode.]
> 
> SELinux denied access requested by webalizer. It is not expected that 
> this access is required by webalizer and this access may signal an 
> intrusion attempt. It is also possible that the specific version or 
> configuration of the application is causing it to require additional 
> access.
> 
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to 
> restore the default system file context for ./webalizer,
> 
> restorecon -v './webalizer'
> 
> If this does not work, there is currently no automatic way to allow this 
> access. Instead, you can generate a local policy module to allow this 
> access - see FAQ 
> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can 
> disable SELinux protection altogether. Disabling SELinux protection is 
> not recommended. Please file a bug report 
> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
> 
> Additional Information
> 
> Source Context:   	root:system_r:webalizer_t:SystemLow-SystemHigh
> Target Context:   	system_u:object_r:bin_t
> Target Objects:   	./webalizer [ dir ]
> Source:   	webalizer
> Source Path:   	/usr/bin/webalizer
> Port:   	<Unknown>
> Host:   	C5.aardvark.com.au
> Source RPM Packages:   	webalizer-2.01_10-30.1
> Target RPM Packages:   	
> Policy RPM:   	selinux-policy-2.4.6-203.el5
> Selinux Enabled:   	True
> Policy Type:   	targeted
> MLS Enabled:   	True
> Enforcing Mode:   	Permissive
> Plugin Name:   	catchall_file
> Host Name:   	C5.aardvark.com.au
> Platform:   	Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 
> 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count:   	119
> First Seen:   	Wed Jan 7 22:00:02 2009
> Last Seen:   	Sat Jan 10 14:00:01 2009
> Local ID:   	fd879861-abb1-4e67-a190-0a721c66dc0e
> Line Numbers:   	
> 
> Raw Audit Messages :
> 
> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: 
> denied { search } for pid=16510 comm="webalizer" name="webalizer" 
> dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:bin_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: 
> denied { search } for pid=16510 comm="webalizer" name="webalizer" 
> dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:bin_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): 
> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 
> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 
> comm="webalizer" exe="/usr/bin/webalizer" 
> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): 
> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 
> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 
> comm="webalizer" exe="/usr/bin/webalizer" 
> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
> 
> 
> 
> I didn't think I was doing anything unusual here - so I am surprised 
> these aren't covered by standard policy. Am I doing something strange - 
> and if so - do I need to write my own local policy? Is there a more 
> standard way to run spamc and/or webalizer which will prevent these 
> denials?
> 
> Thanks
> 
> Richard.




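Added example (not part of the original thread and not code from any SELinux tool): a small Python script that rejoins the wrapped, `> `-quoted AVC records from the post, groups the denied permissions by source type, target type and class, and reports which of them an allow rule such as the quoted Fedora 10 one leaves uncovered. The function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed input: four AVC records copied from the post above, still
# "> "-quoted and line-wrapped the way the list archive shows them.
QUOTED = """\
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
> denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0
> ino=31336954 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
> denied { execute_no_trans } for pid=16474 comm="procmail"
> path="/usr/bin/spamc" dev=dm-0 ino=31336954
> scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc"
> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc:
> denied { search } for pid=16510 comm="webalizer" name="webalizer"
> dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=dir
"""
# The Fedora 10 rule quoted in the reply (from its sesearch output).
F10_RULE = "allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ;"

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+"
                 r"tcontext=(\S+)\s+tclass=(\S+)")

def denied(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    out = defaultdict(set)
    for perms, scon, tcon, tclass in AVC.findall(flat):
        # A context is user:role:type[:level]; the type is the third field.
        out[(scon.split(":")[2], tcon.split(":")[2], tclass)].update(perms.split())
    return dict(out)

def parse_allow(rule):
    """Parse one 'allow source target : class { perms } ;' line."""
    m = re.match(r"\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+\{?([^};]*)\}?\s*;", rule)
    return (m.group(1), m.group(2), m.group(3)), set(m.group(4).split())

def uncovered(text, rules):
    """Denied permissions that none of the given allow rules grant."""
    granted = defaultdict(set)
    for key, perms in map(parse_allow, rules):
        granted[key] |= perms
    return {k: p - granted[k] for k, p in denied(text).items() if p - granted[k]}
```

Calling `uncovered(QUOTED, [F10_RULE])` leaves `execute_no_trans` for procmail_t on spamc_exec_t and `search` for webalizer_t on bin_t. `execute_no_trans` is only needed when the program is executed without a domain transition, which an `--allow` query alone does not show.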