postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Wed May 31 20:04:04 UTC 2006


Nicolas Mailhot wrote:
> On Tuesday 30 May 2006 at 15:58 -0500, Marc Schwartz (via MN) wrote:
>> <snip>
>>
>> Paul,
>>
>> Thanks for your assistance. 
>>
>> Give me a bit of time, with everything else (ie. work) going on, to
>> implement and test your recommendations (and to review some
>> documentation).
>>
>> I'll post back as soon as I have something definitive.
>>
>> On your query on pyzor, much like razor and dcc, it is called as part of
>> the spamassassin checks when present. These constitute the 'remote'
>> checks that one can perform when using SA. This is why I find it curious
>> that there were no avc messages for razor and dcc.
> 
> Are you sure razor and dcc are used? Last I looked the FC version of SA
> disabled the razor check because of licensing problems
> 
> As for pyzor, I've reported it in the past, you need the policy to allow
> reading its config file, then connecting to pyzor servers, etc

Nicolas,

Thanks kindly for making note of this.

In SA 3.1.x, which is new to FC5, these checks are indeed disabled. From 
some Googling, this appears to not be unique to FC, but to SA itself.

In FC4, which used SA 3.0.x, these checks worked fine without 
adjustments to config files. I was not aware of the change.

I have now edited:

   /etc/mail/spamassassin/v310pre

to enable the checks. I also did some fine tuning to 
~/.spamassassin/user.prefs to account for some setting changes as well.

Sure enough, avc messages are now being logged. I have cc'd Paul to 
reference the additional info below:


Now for grep "dcc":

type=SYSCALL msg=audit(1149104051.041:8648): arch=40000003 syscall=197 
success=yes exit=0 a0=4 a1=bfaad188 a2=4891eff4 a3=3 items=0 pid=25104
auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 
comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104051.041:8648):  path="/var/dcc/map"
type=AVC msg=audit(1149104051.041:8649): avc:  denied  { lock } for 
pid=25104 comm="dccproc" name="map" dev=hdc5 ino=87811
scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
type=SYSCALL msg=audit(1149104051.041:8649): arch=40000003 syscall=221 
success=yes exit=0 a0=4 a1=7 a2=bfaae304 a3=bfaae304 items=0 pid=25104
auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 
comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104051.041:8649):  path="/var/dcc/map"
type=AVC msg=audit(1149104167.275:8694): avc:  denied  { read write } 
for  pid=25544 comm="dccproc" name="map" dev=hdc5 ino=87811
scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
type=SYSCALL msg=audit(1149104167.275:8694): arch=40000003 syscall=5 
success=yes exit=4 a0=80ba6e0 a1=2 a2=180 a3=11 items=1 pid=25544 
auid=500 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 
comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149104167.275:8694):  cwd="/var/dcc"
type=PATH msg=audit(1149104167.275:8694): item=0 name="/var/dcc/map" 
flags=101  inode=87811 dev=16:05 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149104167.275:8695): avc:  denied  { getattr } for 
pid=25544 comm="dccproc" name="map" dev=hdc5 ino=87811
scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
type=SYSCALL msg=audit(1149104167.275:8695): arch=40000003 syscall=197 
success=yes exit=0 a0=4 a1=bfbf5cc8 a2=4891eff4 a3=3 items=0 pid=25544
auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 
comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104167.275:8695):  path="/var/dcc/map"
type=AVC msg=audit(1149104167.275:8696): avc:  denied  { lock } for 
pid=25544 comm="dccproc" name="map" dev=hdc5 ino=87811
scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
type=SYSCALL msg=audit(1149104167.275:8696): arch=40000003 syscall=221 
success=yes exit=0 a0=4 a1=7 a2=bfbf6e44 a3=bfbf6e44 items=0 pid=25544
auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 
comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149104167.275:8696):  path="/var/dcc/map"


For grep "razor":

type=AVC msg=audit(1149102177.498:8243): avc:  denied  { append } for 
pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923 
scontext=system_u:system_r:spamd_t:s0 
tcontext=system_u:object_r:default_t:s0 tclass=file
type=PATH msg=audit(1149102177.498:8243): item=0 name="razor-agent.log" 
flags=310  inode=2 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149102177.498:8244): avc:  denied  { ioctl } for 
pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923 
scontext=system_u:system_r:spamd_t:s0 
tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC_PATH msg=audit(1149102177.498:8244):  path="/razor-agent.log"
type=AVC msg=audit(1149102177.498:8245): avc:  denied  { getattr } for 
pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923 
scontext=system_u:system_r:spamd_t:s0 
tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC_PATH msg=audit(1149102177.498:8245):  path="/razor-agent.log"
type=AVC msg=audit(1149102177.530:8246): avc:  denied  { add_name } for 
  pid=20136 comm="spamd" name=".razor" 
scontext=system_u:system_r:spamd_t:s0 
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1149102177.530:8246): avc:  denied  { create } for 
pid=20136 comm="spamd" name=".razor" 
scontext=system_u:system_r:spamd_t:s0 
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=PATH msg=audit(1149102177.530:8246): item=0 name="/root/.razor" 
flags=10  inode=65537 dev=16:07 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149102177.554:8247): avc:  denied  { read } for 
pid=20136 comm="spamd" name=".razor" dev=hdc7 ino=829589 
scontext=system_u:system_r:spamd_t:s0 
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=PATH msg=audit(1149102177.554:8247): item=0 name="/root/.razor" 
flags=103  inode=829589 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149102178.058:8248): avc:  denied  { write } for 
pid=20136 comm="spamd" name=".razor" dev=hdc7 ino=829589 
scontext=system_u:system_r:spamd_t:s0 
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=PATH msg=audit(1149102178.058:8248): item=0 
name="/root/.razor/servers.discovery.lst.lock" flags=310  inode=829589 
dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC_PATH msg=audit(1149102178.058:8249): 
path="/root/.razor/servers.discovery.lst.lock"
type=AVC_PATH msg=audit(1149102178.058:8250): 
path="/root/.razor/servers.discovery.lst.lock"
type=AVC_PATH msg=audit(1149102178.058:8251): 
path="/root/.razor/servers.discovery.lst"
type=PATH msg=audit(1149102178.058:8252): item=0 
name="/root/.razor/servers.discovery.lst.lock" flags=10  inode=829589 
dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00

I think that the last few messages for razor have to do with server 
configuration for 'root', not actual calls to the razor checks via SA.

I am now seeing razor check hits in incoming e-mail headers.  Have not 
seen any for DCC yet.

Paul, I will reply to your other post momentarily.

Thanks to both of you.

Marc
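
Added example, not part of the original message: a small Python summarizer for AVC denials like the ones pasted above. It rejoins records that a mail client has hard-wrapped, groups the denied permissions by source type, target type and class, and flags targets carrying a generic label. The function names, the `GENERIC` set and the abridged sample records are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: abridged AVC records shaped like those above, hard-wrapped as in a mail.
SAMPLE = """\
type=AVC msg=audit(1149104167.275:8695): avc:  denied  { getattr } for
pid=25544 comm="dccproc" name="map" scontext=system_u:system_r:spamd_t:s0
tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC_PATH msg=audit(1149104167.275:8695):  path="/var/dcc/map"
type=AVC msg=audit(1149104167.275:8696): avc:  denied  { lock } for
pid=25544 comm="dccproc" name="map" scontext=system_u:system_r:spamd_t:s0
tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1149102177.498:8243): avc:  denied  { append } for
pid=20136 comm="spamd" scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1149102177.530:8246): avc:  denied  { add_name } for
pid=20136 comm="spamd" name=".razor" scontext=system_u:system_r:spamd_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
"""
GENERIC = {"var_t", "default_t"}  # generic labels: no specific file context matched
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

def rejoin(text):
    """Merge wrapped continuation lines; each record starts at 'type='."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for m in filter(None, map(AVC_RE.search, rejoin(text))):
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["c"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def report(text):
    """One line per denied (source, target, class), flagging generic targets."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            + ("  <- generic label, check the file context" if t in GENERIC else "")
            for (s, t, c), p in sorted(summarize(text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A flagged target usually calls for a file-context (labeling) fix on the path rather than a new allow rule for the generic type.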



