
Re: postfix, clamv, amavisd-new, spamassassin



I still notice lots of AVCs in the messages log regarding postfix, clamav, amavisd-new, spamassassin.

I am using selinux-policy-targeted-2.3.2-1.fc5 and selinux-policy-2.3.2-1.fc5.

In order to get amavisd-new and clamscan to work with these selinux versions, the booleans for clamscan_disable_trans and amavis_disable_trans have to be set to on. I have noticed a lot of traffic on the list regarding postfix, procmail integration. Maybe the policies being developed could be expanded upon to take care of the postfix, amavisd-new, clamav, spamassassin case.

I ran the AVCs through audit2allow and came up with the rules. Here are the rules followed by the causing AVC:

   allow amavis_t clamd_var_run_t:sock_file write;

       Jul 26 18:43:18 somehostname kernel: audit(1153953798.370:869):
       avc:  denied  { write } for  pid=17186 comm="amavisd"
       name="clamd.sock" dev=dm-0 ino=1333000
       scontext=root:system_r:amavis_t:s0
       tcontext=root:object_r:clamd_var_run_t:s0 tclass=sock_file

   allow amavis_t postfix_etc_t:dir search;

       Jul 25 16:26:56 somehostname kernel: audit(1153859216.437:772):
       avc:  denied  { search } for  pid=4207 comm="amavisd"
       name="postfix" dev=dm-0 ino=359267
       scontext=root:system_r:amavis_t:s0
       tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

   allow amavis_t razor_port_t:tcp_socket name_connect;

       Jul 26 16:42:14 somehostname kernel: audit(1153946534.516:865):
       avc:  denied  { name_connect } for  pid=17183 comm="amavisd"
       dest=2703 scontext=root:system_r:amavis_t:s0
       tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket

   allow clamd_t amavis_var_run_t:dir search;

       Jul 27 14:31:14 somehostname kernel: audit(1154025074.534:1208):
       avc:  denied  { search } for  pid=26308 comm="clamd.amavisd"
       name="amavisd" dev=dm-0 ino=1334115
       scontext=root:system_r:clamd_t:s0
       tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir

   allow clamd_t sysctl_kernel_t:dir search;

       Jul 27 14:31:11 somehostname kernel: audit(1154025071.062:1206):
       avc:  denied  { search } for  pid=26307 comm="clamd.amavisd"
       scontext=root:system_r:clamd_t:s0
       tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir

   allow clamd_t sysctl_t:dir search;

       Jul 27 14:31:11 somehostname kernel: audit(1154025071.062:1207):
       avc:  denied  { search } for  pid=26307 comm="clamd.amavisd"
       name="sys" dev=proc ino=-268435429
       scontext=root:system_r:clamd_t:s0
       tcontext=system_u:object_r:sysctl_t:s0 tclass=dir

   allow postfix_cleanup_t bin_t:file getattr;

       Jul 26 14:10:52 somehostname kernel: audit(1153937452.370:819):
       avc:  denied  { getattr } for  pid=15469 comm="sh" name="sleep"
       dev=dm-0 ino=1299281
       scontext=root:system_r:postfix_cleanup_t:s0-s0:c0.c255
       tcontext=system_u:object_r:bin_t:s0 tclass=file

   allow postfix_local_t clamd_var_lib_t:dir search;

       Jul 26 08:10:16 somehostname kernel: audit(1153915816.342:802):
       avc:  denied  { search } for  pid=13112 comm="local"
       name="clamav" dev=dm-0 ino=1334110
       scontext=root:system_r:postfix_local_t:s0
       tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir

   allow postfix_map_t nscd_var_run_t:dir search;

       Jul 25 11:41:37 somehostname kernel: audit(1153842097.261:264):
       avc:  denied  { search } for  pid=8233 comm="postmap"
       name="nscd" dev=dm-0 ino=1332052
       scontext=root:system_r:postfix_map_t:s0-s0:c0.c255
       tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir

   allow postfix_pickup_t bin_t:file getattr;

       Jul 26 14:06:34 somehostname kernel: audit(1153937194.032:816):
       avc:  denied  { getattr } for  pid=15411 comm="sh" name="sleep"
       dev=dm-0 ino=1299281
       scontext=root:system_r:postfix_pickup_t:s0-s0:c0.c255
       tcontext=system_u:object_r:bin_t:s0 tclass=file

   allow postfix_qmgr_t bin_t:file getattr;

       Jul 26 14:06:34 somehostname kernel: audit(1153937194.036:817):
       avc:  denied  { getattr } for  pid=15409 comm="sh" name="sleep"
       dev=dm-0 ino=1299281
       scontext=root:system_r:postfix_qmgr_t:s0-s0:c0.c255
       tcontext=system_u:object_r:bin_t:s0 tclass=file

   allow postfix_smtpd_t bin_t:file getattr;

       Jul 26 14:08:02 somehostname kernel: audit(1153937282.152:818):
       avc:  denied  { getattr } for  pid=15433 comm="sh" name="sleep"
       dev=dm-0 ino=1299281
       scontext=root:system_r:postfix_smtpd_t:s0-s0:c0.c255
       tcontext=system_u:object_r:bin_t:s0 tclass=file

   allow semanage_t postfix_etc_t:dir search;

       Jul 27 14:29:59 somehostname kernel: audit(1154024994.164:1204):
       avc:  denied  { search } for  pid=26252 comm="genhomedircon"
       name="postfix" dev=dm-0 ino=359267
       scontext=root:system_r:semanage_t:s0-s0:c0.c255
       tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

   allow spamd_t postfix_etc_t:dir search;

       Jul 27 14:31:21 somehostname kernel: audit(1154025077.106:1430):
       avc:  denied  { search } for  pid=26384 comm="spamd"
       name="postfix" dev=dm-0 ino=359267
       scontext=root:system_r:spamd_t:s0
       tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

   allow spamd_t root_t:dir write;

       Jul 27 14:31:21 somehostname kernel: audit(1154025078.575:1431):
       avc:  denied  { write } for  pid=26386 comm="spamd" name="/"
       dev=dm-0 ino=2 scontext=root:system_r:spamd_t:s0
       tcontext=system_u:object_r:root_t:s0 tclass=dir

   allow spamd_t user_home_dir_t:dir write;

       Jul 27 14:31:21 somehostname kernel: audit(1154025078.575:1432):
       avc:  denied  { write } for  pid=26386 comm="spamd" name="root"
       dev=dm-0 ino=292321 scontext=root:system_r:spamd_t:s0
       tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

The configuration for postfix, amavisd-new, clamav, and spamassassin is pretty plain vanilla, with the only changes to configuration files being those necessary for the host and to enable the content filter in postfix using the modifications outlined in the README.fedora and README.postfix for amavisd-new.

Regards,
John
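The step John describes, running the AVC denials through audit2allow to get one allow rule per denial, comes down to pulling the source type, target type, object class and permission out of each record and grouping them. The script below is an added illustration of that mapping, written for this reply; it is not audit2allow and not code from the post. It accepts the records in the wrapped shape they have in the mail (one audit record split over several lines), re-joins them, and emits rules in the same form as the ones listed above, merging permissions where several denials share the same source/target/class triple. The sample input is constructed from four of the records quoted in the post plus one extra record added to show the merging; the GENERIC_TARGETS set used to flag rules for a second look is a heuristic of mine, not anything the post or the SELinux tools define.

```python
import re
from collections import defaultdict

# Sample AVC records in the shape the post shows them: one audit record
# wrapped over several lines (hostname and inode values are the post's own).
POST_AVCS = """\
Jul 26 18:43:18 somehostname kernel: audit(1153953798.370:869):
avc:  denied  { write } for  pid=17186 comm="amavisd"
name="clamd.sock" dev=dm-0 ino=1333000
scontext=root:system_r:amavis_t:s0
tcontext=root:object_r:clamd_var_run_t:s0 tclass=sock_file
Jul 25 16:26:56 somehostname kernel: audit(1153859216.437:772):
avc:  denied  { search } for  pid=4207 comm="amavisd"
name="postfix" dev=dm-0 ino=359267
scontext=root:system_r:amavis_t:s0
tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
Jul 26 14:10:52 somehostname kernel: audit(1153937452.370:819):
avc:  denied  { getattr } for  pid=15469 comm="sh" name="sleep"
dev=dm-0 ino=1299281
scontext=root:system_r:postfix_cleanup_t:s0-s0:c0.c255
tcontext=system_u:object_r:bin_t:s0 tclass=file
Jul 27 14:31:21 somehostname kernel: audit(1154025078.575:1431):
avc:  denied  { write } for  pid=26386 comm="spamd" name="/"
dev=dm-0 ino=2 scontext=root:system_r:spamd_t:s0
tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

# Constructed extra record (not from the post): a second denial on the same
# spamd_t -> root_t:dir triple with two permissions, to show the merging.
CONSTRUCTED_AVC = """\
Jul 27 14:31:22 somehostname kernel: audit(1154025079.000:9999):
avc:  denied  { write add_name } for  pid=26386 comm="spamd" name="/"
dev=dm-0 ino=2 scontext=root:system_r:spamd_t:s0
tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

SAMPLE_AVCS = POST_AVCS + CONSTRUCTED_AVC

# A new record starts with a syslog timestamp ("Jul 26 18:43:18 ...").
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic target types: a rule granting write to one of these usually means a
# mislabelled file or a daemon writing where it should not, so it deserves a
# look before it goes into local policy. Constructed heuristic, not a tool rule.
GENERIC_TARGETS = {"root_t", "user_home_dir_t", "bin_t", "etc_t", "usr_t"}


def join_wrapped(text):
    """Re-join records that were wrapped across lines, as in the mail."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Extract permissions, source type, target type and class from one record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(m.group("rest"))}
    if not all(k in attrs for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type[:range]; the type is always the third field,
    # also for MLS ranges such as s0-s0:c0.c255.
    return {
        "perms": m.group("perms").split(),
        "stype": attrs["scontext"].split(":")[2],
        "ttype": attrs["tcontext"].split(":")[2],
        "tclass": attrs["tclass"],
        "comm": attrs.get("comm", "?"),
    }


def collect_rules(text):
    """Group denied permissions by (source type, target type, class)."""
    needed = defaultdict(set)
    for rec in join_wrapped(text):
        p = parse_avc(rec)
        if p:
            needed[(p["stype"], p["ttype"], p["tclass"])].update(p["perms"])
    return {k: sorted(v) for k, v in needed.items()}


def format_rules(rules):
    """Render the grouped permissions as policy 'allow' rules."""
    lines = []
    for (s, t, c), perms in sorted(rules.items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {s} {t}:{c} {perm_text};")
    return lines


def needs_review(rules):
    """Return the triples that grant write on a generic target type."""
    return [(s, t, c) for (s, t, c), perms in rules.items()
            if t in GENERIC_TARGETS and "write" in perms]


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVCS)
    print("\n".join(format_rules(rules)))
    for s, t, c in needs_review(rules):
        print(f"# review: {s} -> {t}:{c} grants write on a generic type")
```

Run stand-alone it prints the four rules for the sample, with the spamd_t/root_t pair collapsed into `allow spamd_t root_t:dir { add_name write };` and flagged for review. The grouping is the reason the post's list has exactly one rule per AVC: each denial there hits a different triple, so nothing merged.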

