postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Mon Jun 26 23:05:35 UTC 2006


On Mon, 2006-06-26 at 15:22 -0500, Marc Schwartz (via MN) wrote:
> Not sure about why /.razor and /.pyzor get created. The files in them
> are stamped with the same date/time as the cron jobs, however do not get
> updated when I run the same update programs from the CLI as with root's
> below. Something with ENV variables or UID I suspect, but not sure.

Probably, yes.

> The root dirs (/root/.pyzor and /root/.razor, as well as the razor log
> file in /root) seem to get created during the cron jobs and I could
> replicate this from the CLI.
> 
> However, see more below.
> 
> > > It occurs to me that one potential confounding variable here is that I 
> > > am running these processes as a local user on a single user system, 
> > > rather than a system-wide approach as one might do with a central server 
> > > processing incoming e-mail for multiple user accounts. That includes my 
> > > use of ~/.procmailrc as the primary means to process both virus (via 
> > > clamassassin/clamav) and spam (via SA + these additional tools).
> > > 
> > > Presumably a SysAdmin on a multi-user system would take a different 
> > > approach and perhaps would use other means to integrate the processing 
> > > of viri and spam (such as Amavis as Nicolas has mentioned). This would 
> > > afford other approaches to the default configuration of these other tools.
> > 
> > The spamassassin wiki has a page on this:
> > 
> > http://wiki.apache.org/spamassassin/UsingPyzor
> 
> Thanks for this.  In addition, I read through:
> 
> http://wiki.apache.org/spamassassin/RazorSiteWide
> http://wiki.apache.org/spamassassin/UsingRazor
> http://wiki.apache.org/spamassassin/InstallingDCC
> http://wiki.apache.org/spamassassin/UsingDcc
> 
> The result of which is the following:
> 
> 1. I made the following adds in /etc/mail/spamassassin/local.cf:
> 
> pyzor_options --homedir /etc/mail/spamassassin
> razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
> 
> 
> 2. I created /etc/mail/spamassassin/.razor/razor-agent.conf, which
> contains:
> 
> razorhome = /etc/mail/spamassassin/.razor/

I share Nicolas' feelings about having hidden directories in /etc; this
could be mitigated perhaps by having something like the ".pyzor"
directory being replaced by a symlink to a "pyzor" directory.

> 3. I modified the /etc/crontab commands that execute the pyzor and razor
> updates to:
> 
> # Run pyzor update at 1:10 am
> 10 01 * * * root /usr/bin/pyzor --homedir /etc/mail/spamassassin discover > /dev/null
> 
> # Run razor update at 1:20 am
> 20 01 * * * root /usr/bin/razor-admin -home=/etc/mail/spamassassin/.razor -discover > /dev/null
> 
> 
> The above now force the use of the system-wide SA settings in 1 and 2
> above.

Good.

> Note also that there is /etc/sysconfig/spamassassin, which contains:
> 
>   SPAMDOPTIONS="-d -c -m2 -H"
> 
> I only modified the '-m2' option to reduce the number of concurrent
> sessions from 5 (-m5) to 2.  The '-H' option enables the specification
> of a different HOME directory, which then enables the use of the above
> config files for razor and pyzor when spamc/d are called. The other
> options are FC installed defaults.
> 
> 
> The result of all of this is that the pyzor and razor updates are now
> limited to the system-wide file(s) in:
> 
> # For pyzor, the single file
> /etc/mail/spamassassin/servers
> 
> # For razor, the dir tree
> /etc/mail/spamassassin/.razor/*
> 
> Thus, no more user specific files are created.  Yeah!  :-)

Yeah!

> Note also, that I _did not_ create new user groups to run these apps, as
> is suggested on some of the above pages. The current configuration seems
> to solve the problem without those additional steps.

OK.

> > > The dcc update process would need to stay in /etc/crontab since it 
> > > downloads, compiles and installs the system-wide dcc client.
> > 
> > Compiles as root? Ugh!
> 
> Yep.  If there are any options on the DCC install page that I noted in
> my other reply that make sense here, let me know. I am willing to try
> alternatives.

Maybe later...

> Of course, let me know on the dccproc context change and what you might
> want to do about that.

Doing restorecon in the cron job will do for now. We might come back to
this later to try to get it created with the correct context.

> > > Another option, perhaps, would be for the FE razor and pyzor maintainers 
> > > to adjust the respective app defaults for FE with an eye towards SELinux 
> > > policy issues in future updates. In that way, perhaps the default 
> > > locations could be in /etc or /var as Nicolas notes above. That might 
> > > provide for a means to handle both single user and multi user 
> > > configurations, though the impact on other tools would need to be 
> > > considered as may be appropriate.
> > 
> > If we can figure out how to make them work sanely, I'm confident that 
> > the maintainers would be open to suggestions (preferably with patches).
> 
> Well, hopefully we are on the right track with the above.

Yes. I trust you're making notes :-)

> OK...so now with all of that going on, here are the latest avc's:
> 
> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> dcc     1.0.0
> myclamav        0.1.1
> mydcc   0.1.6
> mypostfix       0.1.0
> mypyzor 0.2.1
> myspamassassin  0.1.1
> procmail        0.5.4
> pyzor   1.0.1
> razor   1.0.0
> 
> 
> type=AVC msg=audit(1151351642.927:3274): avc:  denied  { use } for  pid=26956 comm="clamassassin" name="[251491]" dev=pipefs ino=251491 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
> type=AVC msg=audit(1151351642.927:3274): avc:  denied  { write } for  pid=26956 comm="clamassassin" name="[251491]" dev=pipefs ino=251491 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1151351642.927:3274): arch=40000003 syscall=11 success=yes exit=0 a0=9502d60 a1=9502008 a2=95058f0 a3=0 items=3 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.927:3274):  path="pipe:[251491]"
> type=AVC_PATH msg=audit(1151351642.927:3274):  path="pipe:[251491]"
> type=CWD msg=audit(1151351642.927:3274):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.927:3274): item=0 name="/usr/local/bin/clamassassin" inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamassassin_exec_t:s0
> type=PATH msg=audit(1151351642.927:3274): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
> type=PATH msg=audit(1151351642.927:3274): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

I'll come back to this.

> type=AVC msg=audit(1151351642.927:3275): avc:  denied  { search } for  pid=26956 comm="clamassassin" name="etc" dev=hdc7 ino=1048577 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151351642.927:3275): arch=40000003 syscall=33 success=no exit=-2 a0=47fcc4df a1=4 a2=47fcffd8 a3=47fd06b8 items=1 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=CWD msg=audit(1151351642.927:3275):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.927:3275): item=0 name="/etc/ld.so.preload" obj=system_u:object_r:clamassassin_exec_t:s0
> type=AVC msg=audit(1151351642.931:3276): avc:  denied  { read } for  pid=26956 comm="clamassassin" name="ld.so.cache" dev=hdc7 ino=1049124 scontext=system_u:system_r:clamassassin_t:s0 tcontext=user_u:object_r:ld_so_cache_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3276): arch=40000003 syscall=5 success=yes exit=3 a0=47fcc6c7 a1=0 a2=0 a3=47fd0890 items=1 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=CWD msg=audit(1151351642.931:3276):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.931:3276): item=0 name="/etc/ld.so.cache" inode=1049124 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:ld_so_cache_t:s0
> type=AVC msg=audit(1151351642.931:3277): avc:  denied  { getattr } for  pid=26956 comm="clamassassin" name="ld.so.cache" dev=hdc7 ino=1049124 scontext=system_u:system_r:clamassassin_t:s0 tcontext=user_u:object_r:ld_so_cache_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3277): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfee7a5c a2=47fcffd8 a3=ffffffff items=0 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.931:3277):  path="/etc/ld.so.cache"
> type=AVC msg=audit(1151351642.931:3278): avc:  denied  { search } for  pid=26956 comm="clamassassin" name="lib" dev=hdc7 ino=753665 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
> type=AVC msg=audit(1151351642.931:3278): avc:  denied  { read } for  pid=26956 comm="clamassassin" name="libtermcap.so.2" dev=hdc7 ino=753723 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=lnk_file
> type=AVC msg=audit(1151351642.931:3278): avc:  denied  { read } for  pid=26956 comm="clamassassin" name="libtermcap.so.2.0.8" dev=hdc7 ino=754516 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3278): arch=40000003 syscall=5 success=yes exit=3 a0=b7f95e11 a1=0 a2=1f3a0 a3=8 items=1 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=CWD msg=audit(1151351642.931:3278):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.931:3278): item=0 name="/lib/libtermcap.so.2" inode=754516 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:lib_t:s0
> type=AVC msg=audit(1151351642.931:3279): avc:  denied  { getattr } for  pid=26956 comm="clamassassin" name="libtermcap.so.2.0.8" dev=hdc7 ino=754516 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3279): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfee7ae0 a2=47fcffd8 a3=3 items=0 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.931:3279):  path="/lib/libtermcap.so.2.0.8"
> type=AVC msg=audit(1151351642.931:3280): avc:  denied  { execute } for  pid=26956 comm="clamassassin" name="libtermcap.so.2.0.8" dev=hdc7 ino=754516 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3280): arch=40000003 syscall=192 success=yes exit=1208868864 a0=480de000 a1=3a88 a2=5 a3=802 items=0 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.931:3280):  path="/lib/libtermcap.so.2.0.8"
> type=AVC msg=audit(1151351642.931:3281): avc:  denied  { read } for  pid=26956 comm="clamassassin" name="ld-2.4.so" dev=hdc7 ino=754491 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3281): arch=40000003 syscall=125 success=yes exit=0 a0=47fcf000 a1=1000 a2=1 a3=47fd0300 items=0 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.931:3281):  path="/lib/ld-2.4.so"

That's all about using shared libraries. Fixed.

> type=AVC msg=audit(1151351642.931:3282): avc:  denied  { search } for  pid=26956 comm="clamassassin" name="/" dev=proc ino=1 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
> type=AVC msg=audit(1151351642.931:3282): avc:  denied  { read } for  pid=26956 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3282): arch=40000003 syscall=5 success=yes exit=3 a0=489093ef a1=0 a2=1b6 a3=9555240 items=1 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=CWD msg=audit(1151351642.931:3282):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.931:3282): item=0 name="/proc/meminfo" inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_t:s0
> type=AVC msg=audit(1151351642.931:3283): avc:  denied  { getattr } for  pid=26956 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.931:3283): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfee6038 a2=4891eff4 a3=3 items=0 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.931:3283):  path="/proc/meminfo"

We'll try dontaudit-ing this as it may be generic script startup stuff
that's not needed.

> type=AVC msg=audit(1151351642.935:3284): avc:  denied  { search } for  pid=26956 comm="clamassassin" name="usr" dev=hdc7 ino=3112961 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=AVC msg=audit(1151351642.935:3284): avc:  denied  { search } for  pid=26956 comm="clamassassin" name="bin" dev=hdc7 ino=3112982 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151351642.935:3284): arch=40000003 syscall=5 success=yes exit=3 a0=9557018 a1=8000 a2=0 a3=8000 items=1 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=CWD msg=audit(1151351642.935:3284):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.935:3284): item=0 name="/usr/local/bin/clamassassin" inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamassassin_exec_t:s0
> type=AVC msg=audit(1151351642.943:3285): avc:  denied  { execute } for  pid=26957 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1151351642.943:3285): avc:  denied  { execute_no_trans } for  pid=26957 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1151351642.943:3285): avc:  denied  { read } for  pid=26957 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1151351642.943:3285): avc:  denied  { execute } for  pid=26957 comm="clamassassin" name="ld-2.4.so" dev=hdc7 ino=754491 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351642.943:3285): arch=40000003 syscall=11 success=yes exit=0 a0=95572c0 a1=9557500 a2=955add0 a3=9557228 items=2 pid=26957 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mktemp" exe="/bin/mktemp" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.943:3285):  path="/bin/mktemp"
> type=AVC_PATH msg=audit(1151351642.943:3285):  path="/bin/mktemp"
> type=CWD msg=audit(1151351642.943:3285):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.943:3285): item=0 name="/bin/mktemp" inode=1966111 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
> type=PATH msg=audit(1151351642.943:3285): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

Trying to run /bin/mktemp to make a temp file. Fixed.

> type=AVC msg=audit(1151351642.943:3286): avc:  denied  { read } for  pid=26957 comm="mktemp" name="urandom" dev=tmpfs ino=2006 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1151351642.943:3286): arch=40000003 syscall=5 success=yes exit=3 a0=80494d8 a1=0 a2=48920120 a3=85af008 items=1 pid=26957 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mktemp" exe="/bin/mktemp" subj=system_u:system_r:clamassassin_t:s0
> type=CWD msg=audit(1151351642.943:3286):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.943:3286): item=0 name="/dev/urandom" inode=2006 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0

mktemp using a random number. Fixed.

> type=AVC msg=audit(1151351642.947:3287): avc:  denied  { getattr } for  pid=26957 comm="mktemp" name="[251497]" dev=pipefs ino=251497 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:clamassassin_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1151351642.947:3287): arch=40000003 syscall=197 success=yes exit=0 a0=1 a1=bf8893d0 a2=4891eff4 a3=1 items=0 pid=26957 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mktemp" exe="/bin/mktemp" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.947:3287):  path="pipe:[251497]"
> type=AVC msg=audit(1151351642.947:3288): avc:  denied  { write } for  pid=26957 comm="mktemp" name="[251497]" dev=pipefs ino=251497 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:clamassassin_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1151351642.947:3288): arch=40000003 syscall=4 success=yes exit=32 a0=1 a1=b7f9b000 a2=20 a3=20 items=0 pid=26957 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mktemp" exe="/bin/mktemp" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.947:3288):  path="pipe:[251497]"
> type=AVC msg=audit(1151351642.947:3289): avc:  denied  { read } for  pid=26956 comm="clamassassin" name="[251497]" dev=pipefs ino=251497 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:clamassassin_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1151351642.947:3289): arch=40000003 syscall=3 success=yes exit=32 a0=3 a1=bfee7a18 a2=80 a3=80 items=0 pid=26956 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0
> type=AVC_PATH msg=audit(1151351642.947:3289):  path="pipe:[251497]"
> type=AVC msg=audit(1151351642.955:3290): avc:  denied  { use } for  pid=26960 comm="clamscan" name="[251496]" dev=pipefs ino=251496 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fd
> type=AVC msg=audit(1151351642.955:3290): avc:  denied  { read } for  pid=26960 comm="clamscan" name="[251496]" dev=pipefs ino=251496 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fifo_file
> type=AVC msg=audit(1151351642.955:3290): avc:  denied  { use } for  pid=26960 comm="clamscan" name="[251491]" dev=pipefs ino=251491 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd
> type=AVC msg=audit(1151351642.955:3290): avc:  denied  { write } for  pid=26960 comm="clamscan" name="[251491]" dev=pipefs ino=251491 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1151351642.955:3290): arch=40000003 syscall=11 success=yes exit=0 a0=955ac00 a1=955a210 a2=955add0 a3=955ad90 items=2 pid=26960 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
> type=AVC_PATH msg=audit(1151351642.955:3290):  path="pipe:[251491]"
> type=AVC_PATH msg=audit(1151351642.955:3290):  path="pipe:[251491]"
> type=AVC_PATH msg=audit(1151351642.955:3290):  path="pipe:[251496]"
> type=AVC_PATH msg=audit(1151351642.955:3290):  path="pipe:[251496]"
> type=CWD msg=audit(1151351642.955:3290):  cwd="/home/marcs"
> type=PATH msg=audit(1151351642.955:3290): item=0 name="/usr/bin/clamscan" inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamscan_exec_t:s0
> type=PATH msg=audit(1151351642.955:3290): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

I'm not sure about this. audit2allow -R tells me that this may fix it:
#allow clamscan_t postfix_local_t:fd use;
#allow clamscan_t postfix_local_t:fifo_file write;
#allow clamscan_t procmail_t:fifo_file read;
clamav_domtrans_clamscan(clamscan_t)

> type=AVC msg=audit(1151351646.796:3291): avc:  denied  { search } for  pid=26970 comm="pyzor" name="mail" dev=hdc7 ino=1049593 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151351646.796:3291): arch=40000003 syscall=5 success=no exit=-2 a0=99817f8 a1=8000 a2=1b6 a3=99337c8 items=1 pid=26970 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=CWD msg=audit(1151351646.796:3291):  cwd="/"
> type=PATH msg=audit(1151351646.796:3291): item=0 name="/etc/mail/spamassassin/config" obj=system_u:object_r:lib_t:s0
> type=AVC msg=audit(1151351646.796:3292): avc:  denied  { getattr } for  pid=26970 comm="pyzor" name="spamassassin" dev=hdc7 ino=1049810 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151351646.796:3292): arch=40000003 syscall=195 success=yes exit=0 a0=9982a78 a1=bfae9548 a2=4891eff4 a3=98f91b0 items=1 pid=26970 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=AVC_PATH msg=audit(1151351646.796:3292):  path="/etc/mail/spamassassin"
> type=CWD msg=audit(1151351646.796:3292):  cwd="/"
> type=PATH msg=audit(1151351646.796:3292): item=0 name="/etc/mail/spamassassin" inode=1049810 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_mail_t:s0
> type=AVC msg=audit(1151351646.796:3293): avc:  denied  { getattr } for  pid=26970 comm="pyzor" name="servers" dev=hdc7 ino=1051662 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351646.796:3293): arch=40000003 syscall=195 success=yes exit=0 a0=9982a78 a1=bfae9548 a2=4891eff4 a3=98f91b0 items=1 pid=26970 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=AVC_PATH msg=audit(1151351646.796:3293):  path="/etc/mail/spamassassin/servers"
> type=CWD msg=audit(1151351646.796:3293):  cwd="/"
> type=PATH msg=audit(1151351646.796:3293): item=0 name="/etc/mail/spamassassin/servers" inode=1051662 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:etc_mail_t:s0
> type=AVC msg=audit(1151351646.796:3294): avc:  denied  { read } for  pid=26970 comm="pyzor" name="servers" dev=hdc7 ino=1051662 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
> type=SYSCALL msg=audit(1151351646.796:3294): arch=40000003 syscall=5 success=yes exit=3 a0=9982a78 a1=8000 a2=1b6 a3=99337c8 items=1 pid=26970 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=CWD msg=audit(1151351646.796:3294):  cwd="/"
> type=PATH msg=audit(1151351646.796:3294): item=0 name="/etc/mail/spamassassin/servers" inode=1051662 dev=16:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:etc_mail_t:s0

pyzor reading new site-wide config.

> type=AVC msg=audit(1151351651.760:3295): avc:  denied  { create } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151351651.760:3295): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfaecda8 a2=4891eff4 a3=806a0ff items=0 pid=26973 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKETCALL msg=audit(1151351651.760:3295): nargs=3 a0=10 a1=3 a2=0
> type=AVC msg=audit(1151351651.760:3296): avc:  denied  { bind } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151351651.760:3296): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfaecda8 a2=4891eff4 a3=3 items=0 pid=26973 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKADDR msg=audit(1151351651.760:3296): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1151351651.760:3296): nargs=3 a0=3 a1=bfaecdb4 a2=c
> type=AVC msg=audit(1151351651.760:3297): avc:  denied  { getattr } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151351651.760:3297): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfaecda8 a2=4891eff4 a3=3 items=0 pid=26973 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKADDR msg=audit(1151351651.760:3297): saddr=100000005D69000000000000
> type=SOCKETCALL msg=audit(1151351651.760:3297): nargs=3 a0=3 a1=bfaecdb4 a2=bfaecdc0
> type=AVC msg=audit(1151351651.760:3298): avc:  denied  { write } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1151351651.760:3298): avc:  denied  { nlmsg_read } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151351651.760:3298): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfaebcf4 a2=4891eff4 a3=ffffffcc items=0 pid=26973 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKADDR msg=audit(1151351651.760:3298): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1151351651.760:3298): nargs=6 a0=3 a1=bfaecd6c a2=14 a3=0 a4=bfaecd80 a5=c
> type=AVC msg=audit(1151351651.760:3299): avc:  denied  { read } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151351651.760:3299): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfaebcf4 a2=4891eff4 a3=ffffffcc items=0 pid=26973 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKADDR msg=audit(1151351651.760:3299): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1151351651.760:3299): nargs=3 a0=3 a1=bfaecd50 a2=0
> type=AVC msg=audit(1151351651.764:3300): avc:  denied  { node_bind } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
> type=SYSCALL msg=audit(1151351651.764:3300): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfaecde0 a2=4891eff4 a3=806a0ff items=0 pid=26973 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
> type=SOCKADDR msg=audit(1151351651.764:3300): saddr=02000000000000000000000000000000
> type=SOCKETCALL msg=audit(1151351651.764:3300): nargs=3 a0=4 a1=bfaece84 a2=10

Lots of network stuff. Added.

(snip)

The rest looked like repeats to me.

> If the above approach makes sense, then I think that this could become a
> de facto install approach when running under SELinux, which is not a
> general consideration for the more general installation instructions for
> these various filtering apps.
> 
> This approach, I think, also has the attraction of not differentiating
> between a single user install and a system-wide install, as I had
> initially considered above.

Should be worth a page on the Fedora wiki eventually.

Updated policy:

::::::::::::::
myclamav.te
::::::::::::::
policy_module(myclamav, 0.1.2)

require {
        type clamd_t;
        type clamscan_t;
        type clamscan_tmp_t;
        type freshclam_t;
        type postfix_local_t;
        type procmail_t;
};

type clamassassin_t;
domain_type(clamassassin_t)

type clamassassin_exec_t;
domain_entry_file(clamassassin_t,clamassassin_exec_t)

# ========================================
# clamassassin local policy
# ========================================

# Transition from unconfined for command-line usage
ifdef(`targeted_policy',`
        clamav_domtrans_clamassassin(unconfined_t)
')

# clamassassin uses pipes
allow clamassassin_t self:fifo_file rw_file_perms;

# When clamassassin writes temp files, they're for clamscan to process
# so make them clamscan_tmp_t
allow clamassassin_t clamscan_tmp_t:dir create_dir_perms;
allow clamassassin_t clamscan_tmp_t:file create_file_perms;
files_tmp_filetrans(clamassassin_t, clamscan_tmp_t, { file dir })

# Use shared libraries
libs_use_ld_so(clamassassin_t)
libs_use_shared_libs(clamassassin_t)

# Run binaries such as /bin/mktemp
corecmd_exec_bin(clamassassin_t)
files_search_usr(clamassassin_t)

# Allow clamassassin (mktemp) to read /dev/urandom
dev_read_urand(clamassassin_t)

# clamassassin probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(clamassassin_t)
kernel_dontaudit_read_system_state(clamassassin_t)

# clamassassin needs to be able to call clamscan
clamav_domtrans_clamscan(clamassassin_t)

# ========================================
# clamd local policy
# ========================================

kernel_read_kernel_sysctls(clamd_t)

# ========================================
# clamscan local policy
# ========================================

# ---------------------------------------------------
# These are suggestions from audit2allow -R
# ---------------------------------------------------
#allow clamscan_t postfix_local_t:fd use;
#allow clamscan_t postfix_local_t:fifo_file write;
#allow clamscan_t procmail_t:fifo_file read;
clamav_domtrans_clamscan(clamscan_t)
#allow clamscan_t procmail_t:fd use;
procmail_domtrans(clamscan_t)

# ========================================
# freshclam local policy
# ========================================

# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)

# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.7)

# ==================================================
# Declarations
# ==================================================

require {
        type dcc_client_t;
}

# ==================================================
# DCC client local policy
# ==================================================

allow dcc_client_t self:netlink_route_socket r_netlink_socket_perms;

corenet_udp_bind_inaddr_any_node(dcc_client_t)

spamassassin_read_spamd_tmp_files(dcc_client_t)

::::::::::::::
mypyzor.te
::::::::::::::
policy_module(mypyzor, 0.2.2)

require {
        type etc_mail_t;
        type pyzor_t;
        type pyzor_exec_t;
        type pyzor_port_t;
        type spamd_t;
};

# temp files
type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)

# Allow pyzor to create and use temp files and dirs
allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
allow pyzor_t pyzor_tmp_t:file create_file_perms;
files_type(pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })

# Allow pyzor to read config (and any other file...)
# from user home directories
userdom_read_unpriv_users_home_content_files(pyzor_t)

# Allow pyzor to read /dev/urandom
dev_read_urand(pyzor_t)

# Allow pyzor to send and receive pyzor messages!
allow pyzor_t pyzor_port_t:udp_socket send_msg;
allow pyzor_t pyzor_port_t:udp_socket recv_msg;

# Allow spamd to signal pyzor (kill/hup ?)
allow spamd_t pyzor_t:process signal;

# This doesn't seem to break anything
dontaudit spamd_t pyzor_exec_t:file getattr;

# Read sitewide config
allow pyzor_t etc_mail_t:dir { getattr search };
allow pyzor_t etc_mail_t:file { getattr read };

# Allow pyzor to ...?
corecmd_search_bin(pyzor_t)
kernel_read_kernel_sysctls(pyzor_t)
# It does a getattr on /usr/bin/time for reasons unknown...
dontaudit pyzor_t bin_t:dir getattr;
dontaudit pyzor_t bin_t:file getattr;

# Pyzor/python probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(pyzor_t)
kernel_dontaudit_read_system_state(pyzor_t)


Paul.
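As an added illustration (not code from this thread, nor from the clamav, pyzor, dcc or SELinux projects it discusses), the script below does by hand the first step that audit2allow performs on records like the ones quoted above: it parses each AVC denial, groups denials by (source type, target type, object class), and renders each group as a candidate allow rule, collapsing source == target to `self` the way the mydcc and myclamav modules do. It assumes only the standard auditd record layout shown in the thread; the sample records are constructed (abbreviated from the ones quoted above), and one SYSCALL record is included to show that non-AVC lines are ignored.

```python
import re
from collections import defaultdict

# Matches the AVC part of an audit record:
#   avc:  denied  { perm [perm ...] } for  key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: records abbreviated from the ones quoted in the
# thread above.  The SYSCALL record is there to show it is skipped.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1151351642.927:3274): avc:  denied  { use } for  pid=26956 comm="clamassassin" name="[251491]" dev=pipefs ino=251491 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fd',
    'type=AVC msg=audit(1151351642.927:3274): avc:  denied  { write } for  pid=26956 comm="clamassassin" name="[251491]" dev=pipefs ino=251491 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file',
    'type=SYSCALL msg=audit(1151351642.927:3274): arch=40000003 syscall=11 success=yes exit=0 pid=26956 comm="clamassassin" exe="/bin/bash" subj=system_u:system_r:clamassassin_t:s0',
    'type=AVC msg=audit(1151351642.927:3275): avc:  denied  { search } for  pid=26956 comm="clamassassin" name="etc" dev=hdc7 ino=1048577 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1151351642.947:3287): avc:  denied  { getattr } for  pid=26957 comm="mktemp" name="[251497]" dev=pipefs ino=251497 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:clamassassin_t:s0 tclass=fifo_file',
    'type=AVC msg=audit(1151351642.947:3288): avc:  denied  { write } for  pid=26957 comm="mktemp" name="[251497]" dev=pipefs ino=251497 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:clamassassin_t:s0 tclass=fifo_file',
    'type=AVC msg=audit(1151351642.947:3289): avc:  denied  { read } for  pid=26956 comm="clamassassin" name="[251497]" dev=pipefs ino=251497 scontext=system_u:system_r:clamassassin_t:s0 tcontext=system_u:system_r:clamassassin_t:s0 tclass=fifo_file',
    'type=AVC msg=audit(1151351651.760:3295): avc:  denied  { create } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket',
    'type=AVC msg=audit(1151351651.760:3296): avc:  denied  { bind } for  pid=26973 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=netlink_route_socket',
]


def parse_avc(line):
    """Return the denied permissions and the source/target types of one
    AVC record, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    # A security context is user:role:type[:level]; the type is field 3.
    return {
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '?'),
    }


def aggregate(records):
    """Group denials by (source type, target type, class) -> set of perms,
    so repeated records for the same pipe or file collapse into one rule."""
    rules = defaultdict(set)
    for line in records:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return rules


def to_allow_rules(rules):
    """Render the aggregated denials as raw allow rules, using `self`
    where the source and target types are the same."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = 'self' if stype == ttype else ttype
        perm_str = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
        out.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return out


def suggested_rules(records=SAMPLE_RECORDS):
    return to_allow_rules(aggregate(records))


if __name__ == '__main__':
    for rule in suggested_rules():
        print(rule)
```

The output is the raw `allow` form only; audit2allow -R goes one step further and replaces these with reference policy interfaces such as libs_use_shared_libs or dev_read_urand, which is what the modules above use. Either way, a list like this is input to a review, not a module: the decisions made in the reply (dontaudit rather than allow for /proc/meminfo, and questioning whether clamscan_t should really use a postfix_local_t file descriptor) are exactly the checks each generated rule needs before it goes into a .te file.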