postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Sat Jun 3 17:04:49 UTC 2006


On Fri, 2006-06-02 at 17:03 +0100, Paul Howarth wrote:
> Marc Schwartz wrote:
> > On Thu, 2006-06-01 at 13:00 +0100, Paul Howarth wrote: 
> >> Marc Schwartz wrote:
> > 
> > <snip>
> > 
> >>> Now for grep "dcc":
> > 
> > <snip of audit.log entries for 'dcc'>
> > 
> > As an FYI, I ran:
> > 
> >   sudo /sbin/fixfiles check
> > 
> > and it came back with no errors.
> 
> That is curious because you still seem to have some incorrectly-labelled 
> files (e.g. a razor-agent.log that's default_t). You definitely haven't 
> disabled SELinux (as opposed to just putting it in permissive mode) at 
> any time since relabelling, have you?

No, I had not made any changes to SELinux after last going to Permissive
mode.

> I think the normal relabel procedure is to configure SELinux for 
> permissive mode, then:
> 
> # touch /.autorelabel
> 
> and then reboot.

This had occurred after changing SELinux from Disabled to Permissive.
However, I have some partitions protected by dm-crypt/LUKS which would
not be accessible immediately after boot. Thus I ran the system-wide

  fixfiles relabel

and then re-booted, so that all partitions could be done.

> >> These all appear to be dccproc doing read/write/lock operations on 
> >> /var/dcc/map. This is happening in the spamd_t domain, which seems wrong 
> >> to me since spamd_t should transition to dcc_client_t. Check what the 
> >> context of /usr/local/bin/dccproc is; I think it should be 
> >> dcc_client_exec_t (and it would be if it was in /usr/bin).
> > 
> > user_u:object_r:bin_t            /usr/local/bin/dccproc 
> > 
> > So:
> > 
> >   sudo chcon -u system_u -t dcc_client_exec_t /usr/local/bin/dccproc
> > 
> > ?
> 
> Yes, though a shorthand format for this would be:
> 
> # chcon system_u:object_r:dcc_client_exec_t /usr/local/bin/dccproc

FWIW:

user_u:object_r:bin_t            /usr/local/bin/dccproc

> However, you'll find it won't work. 

Yep:

chcon: failed to change context of /usr/local/bin/dccproc to
system_u:object_r:dcc_client_exec_t: Invalid argument

> Although there is a policy module 
> for dcc in the upstream reference policy, it doesn't appear to be 
> included in Fedora's targeted policy, so none of these types are 
> defined. The only dcc-related policy items are:
> 
> /usr/libexec/dcc/stop-.*  -- system_u:object_r:initrc_exec_t:s0
> /usr/libexec/dcc/start-.* -- system_u:object_r:initrc_exec_t:s0
> 
> So perhaps dcc is supposed to run unconfined on FC5? Maybe Dan can 
> answer that one. Anyway, try this:
> 
> # chcon system_u:object_r:initrc_exec_t /var/dcc/libexec/start-*
> # chcon system_u:object_r:initrc_exec_t /var/dcc/libexec/stop-*

Done.

> >> You might check out the file contexts from the dcc policy module (listed 
> >> below) and check that everything else is labelled correctly in the 
> >> places you have installed them:
> > 
> >> /etc/dcc(/.*)? 
> >> gen_context(system_u:object_r:dcc_var_t,s0)
> >> /etc/dcc/dccifd                 -s 
> >> gen_context(system_u:object_r:dccifd_var_run_t,s0)
> >> /etc/dcc/map                    -- 
> >> gen_context(system_u:object_r:dcc_client_map_t,s0)
> > 
> > There is no /etc/dcc tree.
> 
> There's a comment in the dcc policy file about this being the wrong 
> place for the files anyway, so perhaps it's there for backwards 
> compatibility with older versions.
> 
> > I am getting the feeling that the default policy tree structure does not
> > fully agree with the default dcc installation tree structure using the
> > tarball from Rhyolite.
> 
> That does seem to be the case.
> 
> > Is some of this due to my using postfix and not sendmail?
> 
> I don't think so. In fact, I don't think we've come across any postfix 
> issues yet.

OK.

> >>> For grep "razor":
> >>>
> >>> type=AVC msg=audit(1149102177.498:8243): avc:  denied  { append } for 
> >>> pid=20136 comm="spamd" name="razor-agent.log" dev=hdc7 ino=98923 
> >>> scontext=system_u:system_r:spamd_t:s0 
> >>> tcontext=system_u:object_r:default_t:s0 tclass=file
> >> default_t file should have been relabelled by now.
> > 
> > Curiously, there are three razor-agent.log files:
> > 
> >   system_u:object_r:default_t      /razor-agent.log
> > 
> >   user_u:object_r:default_t        /.razor/razor-agent.log
> > 
> >   user_u:object_r:user_home_t      /home/marcs/.razor/razor-agent.log
> > 
> > The first one above is dated yesterday, the second one from today and
> > the third one from today. My local user copy is dated this evening.
> 
> You've configured this setup, so you should really know which, if any, 
> of these should be being used. None of them should be default_t though.

Yep.  Turns out two of the files (the second two) are OK. Not sure how
the first was created unless by accident when I had su'd to root. I have
deleted it.

The second two are:

1. /.razor/razor-agent.log: the log file that gets created after the
nightly cron job runs to update razor

2. /home/marcs/.razor/razor-agent.log: the normal log file when my
e-mail is scanned.

> >> Again, check out the default contexts for razor and make sure that the 
> >> files in the locations you have installed it to have the right contexts:
> >>
> >> ifdef(`strict_policy',`
> >> HOME_DIR/\.razor(/.*)? 
> >> gen_context(system_u:object_r:ROLE_razor_home_t,s0)
> >> ')
> > 
> > If I read this correctly, my local user tree files in:
> > 
> >   /home/marcs/.razor
> > 
> > are all:
> > 
> >  user_u:object_r:user_home_t
> 
> I think that would be user_razor_home_t, but only in strict policy. As 
> with dcc, the upstream razor policy does not seem to be included in 
> targeted policy, so this is all moot. Sorry about that, we'll have to 
> come back to these issues later.

OK.  No other changes made to this point.

> > Finally, here are some updated entries in audit.log since the updated
> > policy last night:
> > 
> > For grep "procmail":
> > 
> > type=AVC msg=audit(1149210123.848:615): avc:  denied  { getattr } for  pid=14642 comm="clamscan" name="clamassassinmsg.UFZVw14635" dev=hdc6 ino=18 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> > type=AVC msg=audit(1149211441.847:718): avc:  denied  { read } for  pid=16548 comm="clamscan" name="clamassassinmsg.InjWm16541" dev=hdc6 ino=18 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> > type=AVC msg=audit(1149211441.847:718): avc:  denied  { write } for  pid=16548 comm="clamscan" name="clamassassinlog.ieiqW16542" dev=hdc6 ino=19 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> > 
> > 
> > This is a repeating loop of entries all for 'clamscan' it seems.
> 
> This appears to be due to messages being written to temporary files 
> whilst still in the procmail_t domain and then being scanned after the 
> transition to clamscan_t. Is /usr/local/bin/clamassassin a script that 
> writes its input to a temp file and then calls clamscan to do the scan?

My reading of the script suggests that your assumptions are correct.

If you would like to review more information, the web site is here:

  http://jameslick.com/clamassassin/

It essentially enables the piping to ClamAV within procmail in a fashion
similar to SA.

> I wonder if it's worth trying changing /usr/local/bin/clamassassin to 
> clamscan_exec_t?

Done:

chcon system_u:object_r:clamscan_exec_t /usr/local/bin/clamassassin

> > For grep 'postfix':
> > 
> > type=AVC msg=audit(1149200642.921:4794): avc:  denied  { use } for  pid=19149 comm="clamscan" name="[425692]" dev=pipefs ino=425692 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
> > type=AVC msg=audit(1149200642.921:4794): avc:  denied  { write } for  pid=19149 comm="clamscan" name="[425692]" dev=pipefs ino=425692 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
> 
> Looks like postfix local delivery (which I know nothing about) piping 
> something into clamscan. Is your postfix configured to talk to clamav by 
> any means other than procmail?

Not to my knowledge.

> > type=AVC msg=audit(1149203919.092:6): avc:  denied  { getattr } for  pid=2051 comm="sh" name="mailq.postfix.1.gz" dev=hdc7 ino=3132510 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
> > type=AVC_PATH msg=audit(1149203919.092:6):  path="/usr/share/man/man1/mailq.postfix.1.gz"
> > type=CWD msg=audit(1149203919.092:6):  cwd="/var/spool/postfix"
> > type=PATH msg=audit(1149203919.092:6): item=0 name="/usr/share/man/man1/mailq.postfix.1.gz" flags=1  inode=3132510 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00
> 
> What does the postfix master program do? It appears to be having trouble 
>   here reading the attributes of a manpage?!?!?

I am truly confuzzled by this one. I have no idea why this occurred.

<Snip of pyzor and clam greps from log>

> Here's a script I've just written called "avclist", which should output 
> all of the audit logs for SELinux issues since the last change of 
> enforcement mode or policy reload. It's probably better for looking at 
> recent AVC messages, as it includes some useful related information that 
> would be missed by just a simple grep:
> 
> #!/bin/sh
> 
> # avclist: pull AVC audit messages from audit.log since last setenforce
> 
> awk '   {
>                  # Record all lines read from input
>                  line[++lines] = $0
>                  auditref[lines] = $2
>          }
>          /^type=AVC / {
>                  # Mark this audit message as being of interest
>                  avc[$2] = 1
>          }
>          /^type=AVC msg=audit[(][0-9.:]*[)]: avc: *granted *{ (load_policy|setenforce) }/ {
>                  # Discard all lines read before a
>                  # setenforce or policy reload
>                  lines = 0
>                  avc[$2] = 0
>          }
>          END {
>                  # Output all recorded lines of interest
>                  for (i = 1; i <= lines; i++) {
>                          if (avc[auditref[i]]) {
>                                  print line[i]
>                          }
>                  }
>          }' /var/log/audit/audit.log
> 
> 
> 
> (the long line starting "/^type=AVC msg=audit" should have a single 
> space either side of "(load_policy|setenforce)")

OK. Installed and ran this. See output below after changes made and
first e-mail came through.

> For now, try changing the context of /usr/local/bin/clamassassin as 
> described above, and try these policy modules for pyzor and clamav:
> 
> ####### mypyzor.te ############
> policy_module(mypyzor, 0.1.0)
> 
> require {
>          type pyzor_t;
> };
> 
> # temp files
> type pyzor_tmp_t;
> files_tmp_file(pyzor_tmp_t)
> 
> # Allow pyzor to create and use temp files and dirs
> allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
> allow pyzor_t pyzor_tmp_t:file create_file_perms;
> files_type(pyzor_tmp_t)
> files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
> 
> # Allow pyzor to read config (and any other file...)
> # from user home directories
> userdom_read_unpriv_users_home_content_files(pyzor_t)
> 
> ######### myclam.te ###############
> policy_module(myclam, 0.1.0)
> 
> require {
>          type clamscan_t;
> };
> 
> # temp files
> type clamscan_tmp_t;
> files_tmp_file(clamscan_tmp_t)
> 
> # Allow clamscan to create and use temp files and dirs
> allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
> allow clamscan_t clamscan_tmp_t:file create_file_perms;
> files_type(clamscan_tmp_t)
> files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
> 
> Build and install these in the same way as the procmail module from earlier.

Done.

See avclist output below.

Let me know what else you need here.

Thanks Paul!

Marc


$ sudo ./avclist
type=AVC msg=audit(1149352202.364:283): avc:  denied  { use } for  pid=8283 comm="clamassassin" name="[24074]" dev=pipefs ino=24074 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149352202.364:283): avc:  denied  { write } for  pid=8283 comm="clamassassin" name="[24074]" dev=pipefs ino=24074 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1149352202.364:283): arch=40000003 syscall=11 success=yes exit=0 a0=84cbd60 a1=84cb008 a2=84ceb38 a3=0 items=3 pid=8283 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
type=AVC_PATH msg=audit(1149352202.364:283):  path="pipe:[24074]"
type=AVC_PATH msg=audit(1149352202.364:283):  path="pipe:[24074]"
type=CWD msg=audit(1149352202.364:283):  cwd="/home/marcs"
type=PATH msg=audit(1149352202.364:283): item=0 name="/usr/local/bin/clamassassin" flags=101  inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149352202.364:283): item=1 flags=101  inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149352202.364:283): item=2 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352202.368:284): avc:  denied  { read } for  pid=8283 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1149352202.368:284): arch=40000003 syscall=5 success=yes exit=3 a0=489093ef a1=0 a2=1b6 a3=9ced240 items=1 pid=8283 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
type=CWD msg=audit(1149352202.368:284):  cwd="/home/marcs"
type=PATH msg=audit(1149352202.368:284): item=0 name="/proc/meminfo" flags=101  inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352202.476:287): avc:  denied  { getattr } for  pid=8283 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1149352202.476:287): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfc0bae8 a2=4891eff4 a3=3 items=0 pid=8283 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
type=AVC_PATH msg=audit(1149352202.476:287):  path="/proc/meminfo"
type=AVC msg=audit(1149352202.476:288): avc:  denied  { search } for  pid=8283 comm="clamassassin" name="bin" dev=hdc7 ino=3112982 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149352202.476:288): arch=40000003 syscall=5 success=yes exit=3 a0=9cef018 a1=8000 a2=0 a3=8000 items=1 pid=8283 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
type=CWD msg=audit(1149352202.476:288):  cwd="/home/marcs"
type=PATH msg=audit(1149352202.476:288): item=0 name="/usr/local/bin/clamassassin" flags=101  inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352202.484:289): avc:  denied  { execute } for  pid=8284 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1149352202.484:289): avc:  denied  { execute_no_trans } for  pid=8284 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1149352202.484:289): avc:  denied  { read } for  pid=8284 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149352202.484:289): arch=40000003 syscall=11 success=yes exit=0 a0=9cef2c0 a1=9cef500 a2=9cf2dd0 a3=9cef228 items=2 pid=8284 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mktemp" exe="/bin/mktemp"
type=AVC_PATH msg=audit(1149352202.484:289):  path="/bin/mktemp"
type=AVC_PATH msg=audit(1149352202.484:289):  path="/bin/mktemp"
type=CWD msg=audit(1149352202.484:289):  cwd="/home/marcs"
type=PATH msg=audit(1149352202.484:289): item=0 name="/bin/mktemp" flags=101  inode=1966111 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149352202.484:289): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352202.484:290): avc:  denied  { read } for  pid=8284 comm="mktemp" name="urandom" dev=tmpfs ino=1989 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1149352202.484:290): arch=40000003 syscall=5 success=yes exit=3 a0=80494d8 a1=0 a2=48920120 a3=9aa2008 items=1 pid=8284 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mktemp" exe="/bin/mktemp"
type=CWD msg=audit(1149352202.484:290):  cwd="/home/marcs"
type=PATH msg=audit(1149352202.484:290): item=0 name="/dev/urandom" flags=101  inode=1989 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
type=AVC msg=audit(1149352202.496:291): avc:  denied  { execute_no_trans } for  pid=8287 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1149352202.496:291): arch=40000003 syscall=11 success=yes exit=0 a0=9cf2c00 a1=9cf2210 a2=9cf2dd0 a3=9cf2d90 items=2 pid=8287 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
type=AVC_PATH msg=audit(1149352202.496:291):  path="/usr/bin/clamscan"
type=CWD msg=audit(1149352202.496:291):  cwd="/home/marcs"
type=PATH msg=audit(1149352202.496:291): item=0 name="/usr/bin/clamscan" flags=101  inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149352202.496:291): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352204.428:292): avc:  denied  { search } for  pid=8293 comm="clamassassin" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149352204.428:292): arch=40000003 syscall=11 success=yes exit=0 a0=9cf0e00 a1=9cf3fc8 a2=9cf2dd0 a3=9cf3320 items=2 pid=8293 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="formail" exe="/usr/bin/formail"
type=CWD msg=audit(1149352204.428:292):  cwd="/home/marcs"
type=PATH msg=audit(1149352204.428:292): item=0 name="/usr/bin/formail" flags=101  inode=3133721 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1149352204.428:292): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352204.996:293): avc:  denied  { search } for  pid=8297 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1149352204.996:293): avc:  denied  { read } for  pid=8297 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1149352204.996:293): arch=40000003 syscall=149 success=yes exit=0 a0=bfed6bd0 a1=4891eff4 a2=48a95e00 a3=bfed6bc8 items=0 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC msg=audit(1149352204.996:294): avc:  denied  { search } for  pid=8297 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149352204.996:294): arch=40000003 syscall=5 success=yes exit=3 a0=bfed8edb a1=8000 a2=1b6 a3=9970008 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=CWD msg=audit(1149352204.996:294):  cwd="/"
type=PATH msg=audit(1149352204.996:294): item=0 name="/usr/bin/pyzor" flags=101  inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352205.000:295): avc:  denied  { search } for  pid=8297 comm="pyzor" name="/" dev=proc ino=1 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1149352205.000:295): avc:  denied  { read } for  pid=8297 comm="pyzor" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1149352205.000:295): arch=40000003 syscall=5 success=yes exit=4 a0=489093ef a1=0 a2=1b6 a3=9970250 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=CWD msg=audit(1149352205.000:295):  cwd="/"
type=PATH msg=audit(1149352205.000:295): item=0 name="/proc/meminfo" flags=101  inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352205.000:296): avc:  denied  { getattr } for  pid=8297 comm="pyzor" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1149352205.000:296): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfed4b08 a2=4891eff4 a3=4 items=0 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149352205.000:296):  path="/proc/meminfo"
type=AVC msg=audit(1149352205.012:297): avc:  denied  { getattr } for  pid=8297 comm="pyzor" name="bin" dev=hdc7 ino=3112970 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149352205.012:297): arch=40000003 syscall=196 success=yes exit=0 a0=99c0128 a1=bfed6d78 a2=4891eff4 a3=bfed8edb items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149352205.012:297):  path="/usr/bin"
type=CWD msg=audit(1149352205.012:297):  cwd="/"
type=PATH msg=audit(1149352205.012:297): item=0 name="/usr/bin" flags=0  inode=3112970 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352205.016:298): avc:  denied  { read } for  pid=8297 comm="pyzor" name="urandom" dev=tmpfs ino=1989 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1149352205.016:298): arch=40000003 syscall=5 success=yes exit=6 a0=9972f68 a1=8000 a2=0 a3=8000 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=CWD msg=audit(1149352205.016:298):  cwd="/"
type=PATH msg=audit(1149352205.016:298): item=0 name="/dev/urandom" flags=101  inode=1989 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
type=AVC msg=audit(1149352205.020:299): avc:  denied  { getattr } for  pid=8297 comm="pyzor" name="time" dev=hdc7 ino=3132233 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1149352205.020:299): arch=40000003 syscall=195 success=yes exit=0 a0=bfed3bb7 a1=bfed3704 a2=4891eff4 a3=b7f439c0 items=1 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149352205.020:299):  path="/usr/bin/time"
type=CWD msg=audit(1149352205.020:299):  cwd="/"
type=PATH msg=audit(1149352205.020:299): item=0 name="/usr/bin/time" flags=1  inode=3132233 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352205.060:300): avc:  denied  { send_msg } for  pid=8297 comm="pyzor" saddr=192.168.1.2 src=32865 daddr=66.250.40.33 dest=24441 netif=eth0 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:pyzor_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1149352205.060:300): arch=40000003 syscall=102 success=yes exit=165 a0=b a1=bfed58a0 a2=c79114 a3=bfed58d8 items=0 pid=8297 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=SOCKADDR msg=audit(1149352205.060:300): saddr=02005F7942FA28210000000000000000
type=SOCKETCALL msg=audit(1149352205.060:300): nargs=6 a0=3 a1=b7f553f4 a2=a5 a3=0 a4=b7f828c0 a5=10
type=AVC msg=audit(1149352209.996:304): avc:  denied  { signal } for  pid=2335 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=process
type=SYSCALL msg=audit(1149352209.996:304): arch=40000003 syscall=37 success=yes exit=0 a0=2069 a1=f a2=481f45c8 a3=a2053ac items=0 pid=2335 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
type=AVC msg=audit(1149352210.004:305): avc:  denied  { read write } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1149352210.004:305): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=11 items=1 pid=8511 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1149352210.004:305):  cwd="/var/dcc"
type=PATH msg=audit(1149352210.004:305): item=0 name="/var/dcc/map" flags=101  inode=87811 dev=16:05 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149352210.008:306): avc:  denied  { getattr } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1149352210.008:306): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfeb0a78 a2=4891eff4 a3=3 items=0 pid=8511 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149352210.008:306):  path="/var/dcc/map"
type=AVC msg=audit(1149352210.008:307): avc:  denied  { lock } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1149352210.008:307): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfeb1bf4 a3=bfeb1bf4 items=0 pid=8511 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1149352210.008:307):  path="/var/dcc/map"
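The following is an added example, not Paul's avclist script and not part of the original thread. It re-implements the same idea in Python (keep every audit record of an event that contains an AVC message, discard everything logged before the most recent granted setenforce or load_policy) and then does the step the thread does by eye: it groups the surviving denials by source context, target context and object class, so that a mislabelled target (the var_t map file) or a missing domain transition (dccproc running in spamd_t, clamassassin in clamscan_t) stands out from the noise. It assumes the audit.log record format shown in the thread; the sample log embedded in it is constructed for illustration, and the default path /var/log/audit/audit.log is simply the one the thread uses.

```python
#!/usr/bin/env python3
"""Added example (not the thread's avclist): list AVC events since the last
setenforce / policy reload and summarise the denials by context triple."""
import re
import sys
from collections import defaultdict

# Every audit record starts with type=<TYPE> msg=audit(<ts>:<serial>):
# and all records of one event share the same <ts>:<serial> reference.
_AUDIT_REF = re.compile(r"^type=(\w+) msg=audit\(([0-9.]+:\d+)\):")

# A granted setenforce or load_policy starts a new mode/policy; earlier
# denials are no longer relevant (same test the awk script uses).
_RESET = re.compile(
    r"^type=AVC msg=audit\([0-9.:]*\): avc: *granted *\{ (load_policy|setenforce) \}")

_DENIED = re.compile(
    r"avc: +denied +\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def avc_records_since_last_reset(lines):
    """Return, in order, every line of every event that has an AVC record,
    dropping all lines read before the last setenforce / load_policy."""
    kept = []            # (event reference, line)
    interesting = set()  # event references that contain an AVC record
    for line in lines:
        m = _AUDIT_REF.match(line)
        if not m:
            continue     # blank line or not an audit record
        ref = m.group(2)
        if _RESET.match(line):
            kept, interesting = [], set()
            continue
        kept.append((ref, line))
        if m.group(1) == "AVC":
            interesting.add(ref)
    return [line for ref, line in kept if ref in interesting]


def summarise_denials(lines):
    """Group AVC denials by (scontext, tcontext, tclass) with the permissions
    and commands involved. Look at the source domain first: a program that
    should have its own domain but appears under another (dccproc in spamd_t)
    means the expected domain transition did not happen."""
    summary = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set()})
    for line in lines:
        if not line.startswith("type=AVC "):
            continue
        m = _DENIED.search(line)
        if not m:
            continue     # granted record, or a shape we do not parse
        fields = dict(_KV.findall(line))
        entry = summary[(m.group("scontext"), m.group("tcontext"), m.group("tclass"))]
        entry["count"] += 1
        entry["perms"].update(m.group("perms").split())
        entry["comms"].add(fields.get("comm", "?").strip('"'))
    return summary


def format_summary(summary):
    """One row per (scontext, tcontext, tclass), sorted for stable output."""
    rows = []
    for (src, tgt, cls), e in sorted(summary.items()):
        rows.append("%4d  %-40s -> %-40s %-10s { %s }  comm=%s" % (
            e["count"], src, tgt, cls,
            " ".join(sorted(e["perms"])), ",".join(sorted(e["comms"]))))
    return rows


# Constructed sample (not real log data), modelled on the thread's records:
# one stale denial, a granted setenforce, then a few post-reset events.
SAMPLE_LOG = """\
type=AVC msg=audit(1149352100.000:100): avc:  denied  { read } for  pid=100 comm="old" name="x" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1149352150.000:150): avc:  granted  { setenforce } for  pid=1 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1149352202.364:283): avc:  denied  { use } for  pid=8283 comm="clamassassin" name="[24074]" dev=pipefs ino=24074 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
type=AVC msg=audit(1149352202.364:283): avc:  denied  { write } for  pid=8283 comm="clamassassin" name="[24074]" dev=pipefs ino=24074 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1149352202.364:283): arch=40000003 syscall=11 success=yes exit=0 pid=8283 comm="clamassassin" exe="/bin/bash"
type=CWD msg=audit(1149352202.364:283):  cwd="/home/marcs"
type=SYSCALL msg=audit(1149352205.000:284): arch=40000003 syscall=5 success=yes exit=3 pid=8300 comm="formail" exe="/usr/bin/formail"
type=AVC msg=audit(1149352210.004:305): avc:  denied  { read write } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1149352210.008:307): avc:  denied  { lock } for  pid=8511 comm="dccproc" name="map" dev=hdc5 ino=87811 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
"""

if __name__ == "__main__":
    # Usage: avc_since_reset.py [audit.log]; defaults to the thread's path.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/audit/audit.log"
    with open(path, errors="replace") as fh:
        recent = avc_records_since_last_reset(fh.read().splitlines())
    print("\n".join(recent))
    print("\n".join(format_summary(summarise_denials(recent))))
```

Run against the constructed sample, the stale denial before the setenforce and the SYSCALL-only event (serial 284) are dropped, and the summary collapses the dccproc lines into a single row showing spamd_t touching a var_t file with read, write and lock, which is exactly the "no transition to dcc_client_t, and /var/dcc/map is mislabelled" picture the thread arrives at.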