[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: postfix, procmail and SELinux - No Go



Nicolas Mailhot wrote:
Le mardi 30 mai 2006 à 15:58 -0500, Marc Schwartz (via MN) a écrit :
<snip>

Paul,

Thanks for your assistance.
Give me a bit of time, with everything else (ie. work) going on, to
implement and test your recommendations (and to review some
documentation).

I'll post back as soon as I have something definitive.

On your query on pyzor, much like razor and dcc, it is called as part of
the spamassassin checks when present. These constitute the 'remote'
checks that one can perform when using SA. This is why I find it curious
that there were no avc messages for razor and dcc.

are you sure razor and dcc are used ? Last I looked the FC version of SA
disabled the razor check because of licensing problems

As for pyzor, I've reported it in the past, you need the policy to allow
reading its config file, then connecting to pyzor servers, etc

Nicolas,

Thanks kindly for making note of this.

In SA 3.1.x, which is new to FC5, these checks are indeed disabled. From some Googling, this appears to not be unique to FC, but to SA itself.

In FC4, which used SA 3.0.x, these checks worked fine without adjustments to config files. I was not aware of the change.

I have now edited:

  /etc/mail/spamassassin/v310pre

to enable the checks. I also did some fine tuning to ~/.spamassassin/user.prefs to account for some setting changes as well.

Sure enough, avc messages are now being logged. I have cc'd Paul to reference the additional info below:


Now for grep "dcc":

type=SYSCALL msg=audit(1149104051.041:8648): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfaad188 a2=4891eff4 a3=3 items=0 pi d=25104 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104051.041:8648):  path="/var/dcc/map"
type=AVC msg=audit(1149104051.041:8649): avc: denied { lock } for pid=25104 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=s ystem_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1149104051.041:8649): arch=40000003 syscall=221 success=yes exit=0 a0=4 a1=7 a2=bfaae304 a3=bfaae304 items=0 pi d=25104 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104051.041:8649):  path="/var/dcc/map"
type=AVC msg=audit(1149104167.275:8694): avc: denied { read write } for pid=25544 comm="dccproc" name="map" dev=hdc5 ino=87811 scon text=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1149104167.275:8694): arch=40000003 syscall=5 success=yes exit=4 a0=80ba6e0 a1=2 a2=180 a3=11 items=1 pid=25544 auid=500 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149104167.275:8694):  cwd="/var/dcc"
type=PATH msg=audit(1149104167.275:8694): item=0 name="/var/dcc/map" flags=101 inode=87811 dev=16:05 mode=0100600 ouid=0 ogid=0 rdev= 00:00 type=AVC msg=audit(1149104167.275:8695): avc: denied { getattr } for pid=25544 comm="dccproc" name="map" dev=hdc5 ino=87811 scontex t=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1149104167.275:8695): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfbf5cc8 a2=4891eff4 a3=3 items=0 pi d=25544 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104167.275:8695):  path="/var/dcc/map"
type=AVC msg=audit(1149104167.275:8696): avc: denied { lock } for pid=25544 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=s ystem_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1149104167.275:8696): arch=40000003 syscall=221 success=yes exit=0 a0=4 a1=7 a2=bfbf6e44 a3=bfbf6e44 items=0 pi d=25544 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104167.275:8696):  path="/var/dcc/map"


For grep "razor":

type=AVC msg=audit(1149102177.498:8243): avc: denied { append } for pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file type=PATH msg=audit(1149102177.498:8243): item=0 name="razor-agent.log" flags=310 inode=2 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1149102177.498:8244): avc: denied { ioctl } for pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC_PATH msg=audit(1149102177.498:8244):  path="/razor-agent.log"
type=AVC msg=audit(1149102177.498:8245): avc: denied { getattr } for pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC_PATH msg=audit(1149102177.498:8245):  path="/razor-agent.log"
type=AVC msg=audit(1149102177.530:8246): avc: denied { add_name } for pid=20136 comm="spamd" name=".razor" scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir type=AVC msg=audit(1149102177.530:8246): avc: denied { create } for pid=20136 comm="spamd" name=".razor" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir type=PATH msg=audit(1149102177.530:8246): item=0 name="/root/.razor" flags=10 inode=65537 dev=16:07 mode=040750 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1149102177.554:8247): avc: denied { read } for pid=20136 comm="spamd" name=".razor" dev=hdc7 ino=829589 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir type=PATH msg=audit(1149102177.554:8247): item=0 name="/root/.razor" flags=103 inode=829589 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1149102178.058:8248): avc: denied { write } for pid=20136 comm="spamd" name=".razor" dev=hdc7 ino=829589 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir type=PATH msg=audit(1149102178.058:8248): item=0 name="/root/.razor/servers.discovery.lst.lock" flags=310 inode=829589 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC_PATH msg=audit(1149102178.058:8249): path="/root/.razor/servers.discovery.lst.lock" type=AVC_PATH msg=audit(1149102178.058:8250): path="/root/.razor/servers.discovery.lst.lock" type=AVC_PATH msg=audit(1149102178.058:8251): path="/root/.razor/servers.discovery.lst" type=PATH msg=audit(1149102178.058:8252): item=0 name="/root/.razor/servers.discovery.lst.lock" flags=10 inode=829589 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00

I think that the last few messages for razor have to do with server configuration for 'root', not actual calls to the razor checks via SA.

I am now seeing razor check hits in incoming e-mail headers. Have not seen any for DCC yet.

Paul, I will reply to your other post momentarily.

Thanks to both of you.

Marc


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]