[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: postfix, procmail and SELinux - No Go



On Tue, 2006-05-30 at 14:47 -0500, Marc Schwartz (via MN) wrote:
> <snipped some content for space>
> 
> On Tue, 2006-05-30 at 20:05 +0100, Paul Howarth wrote:
> > On Tue, 2006-05-30 at 13:41 -0500, Marc Schwartz (via MN) wrote:
> > > On Tue, 2006-05-30 at 16:32 +0100, Paul Howarth wrote:
> > > > If you run SELinux in permissive mode and post the AVCs that get logged 
> > > > when procmail is running, it should be possible to get this fixed.
> > > 
> > > Paul,
> > > 
> > > Thanks for the reply.
> > > 
> > > I have re-booted with SELinux in Permissive Mode.
> > > 
> > > However, while procmail is working still, I see no avc messages at all
> > > in /var/log/messages that would seemingly be related here. There are
> > > other avc's there, most of which appear to be related to the boot
> > > process and the relabelling of files subsequent to having disabled
> > > SELinux earlier.
> > > 
> > > Is this something more subtle or is there someplace else that I should
> > > be looking?
> > 
> > Perhaps you have auditd running, and have AVCs logged
> > to /var/log/audit/audit.log instead?
> 
> Yep.  That's it.
> 
> Thanks to Tom also for pointing this out.
> 
> 
> For reference, here is my ~/.procmailrc:
> 
> # Scan for viruses using ClamAV + clamassassin
> :0 fw
> | /usr/local/bin/clamassassin
> 
> # Scan with SpamAssasin (+ razor, pyzor and dcc)
> :0 fw
> | /usr/bin/spamc -s 256000
> 
> 
> 
> I'm not sure how much you might need/want, but here is a sampling. I
> tried to catch what appear to be complete "cycles" in each case.
> 
> Here are some using grep 'procmail':
> 
> type=AVC_PATH msg=audit(1149015973.940:563):  path="/home/marcs/.procmailrc"
> type=PATH msg=audit(1149015973.940:563): item=0 name="/home/marcs/.procmailrc" flags=1  inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149015973.940:564): avc:  denied  { read } for  pid=11095 comm="procmail" name=".procmailrc" dev=dm-0 ino=426353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149015973.940:564): arch=40000003 syscall=5 success=yes exit=4 a0=9337d60 a1=8000 a2=0 a3=8000 items=1 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
> type=PATH msg=audit(1149015973.940:564): item=0 name="/home/marcs/.procmailrc" flags=101  inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00

This one's a labelling prpblem. I don;t think you should have anything
labelled file_t on the system. Try changing the context of ~/.procmailrc
to user_home_t.

> type=AVC msg=audit(1149015973.956:565): avc:  denied  { execute } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149015973.956:565): avc:  denied  { execute_no_trans } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file

This needs a policy change. There needs to be a domain transition from
procmail_t to (I think) clamscan_exec_t. This could be done with a
policy module in the short term, and when it's working properly, publish
the fix one fedora-selinux-list and it should get included in the main
policy.

> type=AVC msg=audit(1149015973.956:565): avc:  denied  { read } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149015973.960:566): avc:  denied  { search } for  pid=11101 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1149015973.960:566): avc:  denied  { read } for  pid=11101 comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015973.960:567): avc:  denied  { getattr } for  pid=11101 comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015973.972:568): avc:  denied  { read } for  pid=11105 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1149015973.972:569): avc:  denied  { getattr } for  pid=11105 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1149015973.972:570): avc:  denied  { read } for  pid=11105 comm="clamscan" name="main.cvd" dev=hdc5 ino=30890 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015973.972:571): avc:  denied  { getattr } for  pid=11105 comm="clamscan" name="main.cvd" dev=hdc5 ino=30890 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015974.368:572): avc:  denied  { write } for  pid=11105 comm="clamscan" name="main.ndb" dev=hdc6 ino=146248 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.368:573): avc:  denied  { read } for  pid=11105 comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.532:574): avc:  denied  { create } for  pid=11105 comm="clamscan" name="main.zmd" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.532:575): avc:  denied  { getattr } for  pid=11105 comm="clamscan" name="main.zmd" dev=hdc6 ino=146249 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.532:576): avc:  denied  { unlink } for  pid=11105 comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.992:577): avc:  denied  { search } for  pid=11105 comm="clamscan" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:578): avc:  denied  { read } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:579): avc:  denied  { setattr } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:580): avc:  denied  { write } for  pid=11105 comm="clamscan" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:580): avc:  denied  { remove_name } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:580): avc:  denied  { rmdir } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.452:581): avc:  denied  { add_name } for  pid=11105 comm="clamscan" name="clamav-c8c20a1e39aef1bc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.452:581): avc:  denied  { create } for  pid=11105 comm="clamscan" name="clamav-c8c20a1e39aef1bc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

I bet the domain transition would fix all of these.

> Here are some using grep 'postfix':
> 
> type=SYSCALL msg=audit(1149014661.600:328): arch=40000003 syscall=196 success=no exit=-2 a0=9769930 a1=bf8a4b80 a2=580ff4 a3=3 items=1 pid=8367 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="local" exe="/usr/libexec/postfix/local"
> type=CWD msg=audit(1149014661.600:328):  cwd="/var/spool/postfix"
> type=CWD msg=audit(1149014661.604:329):  cwd="/var/spool/postfix"
> type=CWD msg=audit(1149014661.604:330):  cwd="/var/spool/postfix"
> type=AVC msg=audit(1149014770.075:378): avc:  denied  { search } for  pid=8646 comm="local" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

That looks like a mis-labelled directory.

> Some using grep 'pyzor'. Note that neither 'razor' nor 'dcc' are showing
> up curiously:
> 
> type=AVC_PATH msg=audit(1149015851.011:541):  path="/home/marcs/.pyzor"
> type=PATH msg=audit(1149015851.011:541): item=0 name="/home/marcs/.pyzor" flags=1  inode=427255 dev=fd:00 mode=040755 ouid=500 ogid=5 00 rdev=00:00
> type=AVC msg=audit(1149015851.015:542): avc:  denied  { getattr } for  pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scon text=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
> type=SYSCALL msg=audit(1149015851.015:542): arch=40000003 syscall=195 success=yes exit=0 a0=86c1fb0 a1=bf9b8da8 a2=4891eff4 a3=868e1b 0 items=1 pid=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/ python"
> type=AVC_PATH msg=audit(1149015851.015:542):  path="/home/marcs/.pyzor/servers"
> type=PATH msg=audit(1149015851.015:542): item=0 name="/home/marcs/.pyzor/servers" flags=1  inode=427256 dev=fd:00 mode=0100664 ouid=5 00 ogid=500 rdev=00:00
> type=AVC msg=audit(1149015851.015:543): avc:  denied  { search } for  pid=10802 comm="pyzor" name="marcs" dev=dm-0 ino=425153 scontex t=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.015:543): avc:  denied  { read } for  pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontex t=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
> type=SYSCALL msg=audit(1149015851.015:543): arch=40000003 syscall=5 success=yes exit=3 a0=87273d0 a1=8000 a2=1b6 a3=86e0b90 items=1 p id=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> type=PATH msg=audit(1149015851.015:543): item=0 name="/home/marcs/.pyzor/servers" flags=101  inode=427256 dev=fd:00 mode=0100664 ouid =500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149015851.027:544): avc:  denied  { search } for  pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_ u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.027:544): avc:  denied  { write } for  pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u :system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.027:544): avc:  denied  { add_name } for  pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system _r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.027:544): avc:  denied  { create } for  pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system_r :pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

Those look to me like things that should be allowed but I don't know
anything about pyzor so maybe it can be used differently?

> More with grep 'spamd':
> 
> type=AVC msg=audit(1149017045.372:768): avc:  denied  { search } for  pid=1949 comm="spamd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=SYSCALL msg=audit(1149017045.372:768): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=PATH msg=audit(1149017045.372:768): item=0 name="/home/marcs/.spamassassin/user_prefs" flags=1  inode=1193881 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017045.380:769): avc:  denied  { getattr } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017045.380:769): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=AVC_PATH msg=audit(1149017045.380:769):  path="/home/marcs/.spamassassin/bayes_toks"
> type=PATH msg=audit(1149017045.380:769): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=1  inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017045.380:770): avc:  denied  { read } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017045.380:770): arch=40000003 syscall=5 success=yes exit=8 a0=b1db3b8 a1=8000 a2=0 a3=8000 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=PATH msg=audit(1149017045.380:770): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=101  inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017047.188:771): avc:  denied  { append } for  pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017047.188:771): arch=40000003 syscall=5 success=yes exit=10 a0=b8211d8 a1=8441 a2=1b6 a3=8441 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=PATH msg=audit(1149017047.188:771): item=0 name="/home/marcs/.spamassassin/bayes_journal" flags=310  inode=1193874 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017047.188:772): avc:  denied  { ioctl } for  pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017047.188:772): arch=40000003 syscall=54 success=no exit=-25 a0=a a1=5401 a2=bf84f5d8 a3=bf84f618 items=0 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=AVC_PATH msg=audit(1149017047.188:772):  path="/home/marcs/.spamassassin/bayes_journal"
> type=AVC msg=audit(1149017047.828:791): avc:  denied  { write } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

More mislabelled files. I think you need to relabel the system.

> Finally with grep "clamassassin":
> 
> type=SYSCALL msg=audit(1149016209.330:652): arch=40000003 syscall=5 success=yes exit=3 a0=99e48c0 a1=8241 a2=1b6 a3=8241 items=1 pid=11646 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=PATH msg=audit(1149016209.330:652): item=0 name="/tmp/clamassassinmsg.jSBOI11644" flags=310  inode=2 dev=16:06 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149016209.330:653): avc:  denied  { getattr } for  pid=11646 comm="cat" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC_PATH msg=audit(1149016209.330:653):  path="/tmp/clamassassinmsg.jSBOI11644"
> type=AVC msg=audit(1149016209.334:654): avc:  denied  { execute } for  pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149016209.334:654): avc:  denied  { execute_no_trans } for  pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149016209.334:654): avc:  denied  { read } for  pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149016209.346:657): avc:  denied  { read } for  pid=11651 comm="clamassassin" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1149016209.346:657): arch=40000003 syscall=5 success=yes exit=3 a0=99e1190 a1=8000 a2=0 a3=8000 items=1 pid=11651 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=PATH msg=audit(1149016209.346:657): item=0 name="/tmp/clamassassinmsg.jSBOI11644" flags=101  inode=28 dev=16:06 mode=0100600 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017043.144:752): avc:  denied  { add_name } for  pid=13192 comm="mktemp" name="clamassassinmsg.QRJvd13192" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149017043.144:752): avc:  denied  { create } for  pid=13192 comm="mktemp" name="clamassassinmsg.QRJvd13192" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=PATH msg=audit(1149017043.144:752): item=0 name="/tmp/clamassassinmsg.QRJvd13192" flags=310  inode=2 dev=16:06 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149017043.152:753): avc:  denied  { write } for  pid=13194 comm="clamassassin" name="clamassassinmsg.QRJvd13192" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

These are clamassassin running in the procmail domain. I think the
domain transition mentioned above would probably fix these.

Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]