postfix_pipe_t ... execute_no_trans
Daniel J Walsh
dwalsh at redhat.com
Fri Jun 16 11:14:56 UTC 2006
QingLong wrote:
> Hello!
>
> Would you be so kind as to give me a hint why postfix's pipe command
> tries to execute a custom script with execute_no_trans? Details follow.
>
> Here we have a combination of Spamassassin and DrWeb virus scanner.
> Due to lame DrWeb programs' stupidity one has to create a shell script
> that first passes a mail through spamassassin and then throws it to DrWeb.
> I have created a custom selinux module of my own named ql_spamassassin
> to (try to) put this combination under selinux control.
> So I have defined my own type `ql_spamassassin_client_exec_t' for the script
> and ql_spamassassin_client_t domain type. And I have
>
Run the AVCs through audit2why? You might be missing a role command.
> |
> | domain_entry_file(ql_spamassassin_client_t,ql_spamassassin_client_exec_t)
> | domain_auto_trans(postfix_pipe_t,ql_spamassassin_client_exec_t,ql_spamassassin_client_t)
> |
> to allow postfix_pipe_t to execute the script and perform the type transition.
> The module has been compiled and loaded into the kernel quite successfully,
> but I still get the execution denials:
> |
> | type=AVC msg=audit(1150125191.592:740): avc: denied { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
> | type=SYSCALL msg=audit(1150125191.592:740): arch=40000003 syscall=11 success=no exit=-13 a0=804e410 a1=804e0a8 a2=804e550 a3=3d09 items=1 pid=2793 auid=4294967295 uid=15625 gid=15625 euid=15625 suid=15625 fsuid=15625 egid=15625 sgid=15625 fsgid=15625 comm="pipe" exe="/usr/libexec/postfix/pipe"
> | type=AVC_PATH msg=audit(1150125191.592:740): path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
> | type=CWD msg=audit(1150125191.592:740): cwd="/var/spool/postfix"
> | type=PATH msg=audit(1150125191.592:740): item=0 name="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh" flags=101 inode=56842 dev=09:09 mode=0100555 ouid=0 ogid=0 rdev=00:00
> |
> The system is FC5. SELinux related packages:
> checkpolicy-1.30.3-1.fc5
> libselinux-1.30-1.fc5
> libselinux-python-1.30-1.fc5
> libsepol-1.12.6-1.fc5
> policycoreutils-1.30.10-1.fc5
> selinux-policy-2.2.40-1.fc5
> selinux-policy-targeted-2.2.40-1.fc5
> kernel-smp-2.6.16-1.2133_FC5
> Please, give me a hint, what's wrong here. Thank you.
>
> QingLong.
>
>
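A small triage helper for the denial quoted above, added here as an illustration and not part of the original thread. It groups audit records by their `msg=audit(...)` event id and reports the source domain, target type, path and executable for each denial. The function names are hypothetical, and the sample input is constructed from the records in the message.

```python
import re
from collections import defaultdict

# Constructed sample: three records of event 740 from the message above,
# with the SYSCALL record shortened to the fields this script reads.
SAMPLE = """\
> | type=AVC msg=audit(1150125191.592:740): avc: denied { execute_no_trans } for pid=2793 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
> | type=SYSCALL msg=audit(1150125191.592:740): arch=40000003 syscall=11 success=no exit=-13 comm="pipe" exe="/usr/libexec/postfix/pipe"
> | type=AVC_PATH msg=audit(1150125191.592:740): path="/usr/local/sbin/PostFix.mail.SpamAssassin.spamfilter.sh"
"""

HEAD = re.compile(r"type=(\S+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def fields(body):
    """Return the key=value pairs of one record body, with quotes removed."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(body)}

def group_events(text):
    """Map event id -> {record type: body}; tolerates mail quoting ('> | ')."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEAD.match(line.lstrip(">| \t"))
        if m:
            events[m.group(2)][m.group(1)] = m.group(3)
    return events

def summarize_denials(text):
    """One dict per denied AVC event, joined with its SYSCALL and AVC_PATH records."""
    out = []
    for event_id, recs in group_events(text).items():
        m = AVC.search(recs.get("AVC", ""))
        if not m:
            continue
        perms, scon, tcon, tclass = m.groups()
        out.append({
            "event": event_id,
            "perms": perms.split(),
            "source_type": scon.split(":")[2],  # context is user:role:type[:level]
            "target_type": tcon.split(":")[2],
            "tclass": tclass,
            "path": fields(recs.get("AVC_PATH", "")).get("path"),
            "exe": fields(recs.get("SYSCALL", "")).get("exe"),
            # execute_no_trans is the check for an exec that keeps the caller's domain
            "no_domain_transition": "execute_no_trans" in perms.split(),
        })
    return out
```

Calling `summarize_denials(SAMPLE)` returns one entry for event `1150125191.592:740`; the same function accepts raw `audit.log` text as well as mail-quoted records.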