postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 28 14:08:39 UTC 2006


On Tue, 2006-06-27 at 12:34 -0500, Marc Schwartz (via MN) wrote:
> On Tue, 2006-06-27 at 17:20 +0100, Paul Howarth wrote:
> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> dcc     1.0.0
> myclamav        0.1.3
> mydcc   0.1.8
> mypostfix       0.1.0
> mypyzor 0.2.2
> myspamassassin  0.1.1
> procmail        0.5.4
> pyzor   1.0.1
> razor   1.0.0
> 
> 
> type=AVC msg=audit(1151428802.918:884): avc:  denied  { use } for  pid=5062 comm="clamscan" name="[150534]" dev=pipefs ino=150534 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=fd
> type=SYSCALL msg=audit(1151428802.918:884): arch=40000003 syscall=11 success=yes exit=0 a0=9181c00 a1=9181210 a2=9181dd0 a3=9181d90 items=2 pid=5062 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0
> type=AVC_PATH msg=audit(1151428802.918:884):  path="pipe:[150534]"
> type=CWD msg=audit(1151428802.918:884):  cwd="/home/marcs"
> type=PATH msg=audit(1151428802.918:884): item=0 name="/usr/bin/clamscan" inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:clamscan_exec_t:s0
> type=PATH msg=audit(1151428802.918:884): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

I believe this is clamscan reading data piped from procmail. Either that,
or an inherited file descriptor.

> type=AVC msg=audit(1151428805.919:885): avc:  denied  { create } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151428805.919:885): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfeffef8 a2=4891eff4 a3=95fe1b0 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=SOCKETCALL msg=audit(1151428805.919:885): nargs=3 a0=10 a1=3 a2=0
> type=AVC msg=audit(1151428805.923:886): avc:  denied  { bind } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151428805.923:886): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfeffef8 a2=4891eff4 a3=3 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=SOCKADDR msg=audit(1151428805.923:886): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1151428805.923:886): nargs=3 a0=3 a1=bfefff04 a2=c
> type=AVC msg=audit(1151428805.923:887): avc:  denied  { getattr } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151428805.923:887): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfeffef8 a2=4891eff4 a3=3 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=SOCKADDR msg=audit(1151428805.923:887): saddr=10000000DC13000000000000
> type=SOCKETCALL msg=audit(1151428805.923:887): nargs=3 a0=3 a1=bfefff04 a2=bfefff10
> type=AVC msg=audit(1151428805.923:888): avc:  denied  { write } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1151428805.923:888): avc:  denied  { nlmsg_read } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151428805.923:888): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfefee44 a2=4891eff4 a3=ffffffcc items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=SOCKADDR msg=audit(1151428805.923:888): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1151428805.923:888): nargs=6 a0=3 a1=bfeffebc a2=14 a3=0 a4=bfeffed0 a5=c
> type=AVC msg=audit(1151428805.923:889): avc:  denied  { read } for  pid=5084 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:system_r:pyzor_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1151428805.923:889): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfefee44 a2=4891eff4 a3=ffffffcc items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=SOCKADDR msg=audit(1151428805.923:889): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1151428805.923:889): nargs=3 a0=3 a1=bfeffea0 a2=0

pyzor reading the routing table.

> type=AVC msg=audit(1151428805.923:890): avc:  denied  { search } for  pid=5084 comm="pyzor" name="nscd" dev=dm-1 ino=87802 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151428805.923:890): arch=40000003 syscall=102 success=no exit=-2 a0=3 a1=bfeffab4 a2=4891eff4 a3=48909fd4 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=SOCKADDR msg=audit(1151428805.923:890): saddr=01002F7661722F72756E2F6E7363642F736F636B657400D8CD0040F3CD00AC8BC9B718FBEFBF6B5AC300AC8BC9B780DBC7B71C2360094ACCC00020E0C9B7241F600900000000E4D8CD00AC8BC9B700000000F8FCEFBF7BC7C600AC8BC9B780DBC7B71C236009E4D8CD0001000000
> type=SOCKETCALL msg=audit(1151428805.923:890): nargs=3 a0=3 a1=bfeffac6 a2=6e

Using nscd.

> type=AVC msg=audit(1151428805.923:891): avc:  denied  { name_connect } for  pid=5084 comm="pyzor" dest=80 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1151428805.923:891): avc:  denied  { send_msg } for  pid=5084 comm="pyzor" saddr=192.168.0.64 src=40031 daddr=66.35.250.209 dest=80 netif=eth0 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1151428806.007:892): avc:  denied  { recv_msg } for  pid=5078 comm="clamscan" saddr=66.35.250.209 src=80 daddr=192.168.0.64 dest=40031 netif=eth0 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1151428805.923:891): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfeffe10 a2=2c9118 a3=b7ef3aa0 items=0 pid=5084 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
> type=SOCKADDR msg=audit(1151428805.923:891): saddr=020000504223FAD10000000000000000
> type=SOCKETCALL msg=audit(1151428805.923:891): nargs=3 a0=3 a1=b7ef3ab8 a2=10

Get data from remote web server.

> One thing to note here. I am on the new kernel: 2.6.17-1.2139_FC5
> 
> There have been some flaky things going on with networking as you may
> have noted on the general FC list, just in case any of that is relevant
> here. I have not installed the new (updates testing) initscripts as of
> yet, as I am still trying to get a sense of where things stand. I have
> seen some issues with network configs and device labelling issues,
> including wireless instability (using the bcm43xx driver) which was
> working under the former kernel with ndiswrapper. FWIW.

I don't think that any of the above AVCs are related to this.

Updated policy:

::::::::::::::
myclamav.te
::::::::::::::
policy_module(myclamav, 0.1.4)

require {
        type clamd_t;
        type clamscan_t;
        type clamscan_tmp_t;
        type freshclam_t;
        type postfix_local_t;
        type procmail_t;
};

# Confined domain for the clamassassin wrapper; clamassassin_exec_t is its
# entrypoint type (the domtrans interfaces used below are expected to live
# in the matching myclamav.if, which is not shown here).
type clamassassin_t;
domain_type(clamassassin_t)

type clamassassin_exec_t;
domain_entry_file(clamassassin_t,clamassassin_exec_t)

# ========================================
# clamassassin local policy
# ========================================

# Transition from unconfined for command-line usage
# NOTE(review): unconfined_t is referenced without a "type unconfined_t;"
# entry in the require block above; presumably satisfied by the interface
# or the targeted base policy -- confirm this builds on targeted_policy.
ifdef(`targeted_policy',`
        clamav_domtrans_clamassassin(unconfined_t)
')

# clamassassin uses pipes
allow clamassassin_t self:fifo_file rw_file_perms;

# When clamassassin writes temp files, they're for clamscan to process
# so make them clamscan_tmp_t
allow clamassassin_t clamscan_tmp_t:dir create_dir_perms;
allow clamassassin_t clamscan_tmp_t:file create_file_perms;
files_tmp_filetrans(clamassassin_t, clamscan_tmp_t, { file dir })

# Use shared libraries
libs_use_ld_so(clamassassin_t)
libs_use_shared_libs(clamassassin_t)

# Run binaries such as /bin/mktemp
corecmd_exec_bin(clamassassin_t)
files_search_usr(clamassassin_t)

# Allow clamassassin (mktemp) to read /dev/urandom
dev_read_urand(clamassassin_t)

# Is this clamassassin writing via a pipe to postfix_local_t?
# (fd use + fifo write only; no read back from the postfix side)
allow clamassassin_t postfix_local_t:fd use;
allow clamassassin_t postfix_local_t:fifo_file write;

# clamassassin probably doesn't need to be able to read /proc/meminfo
# dontaudit rather than allow: silences the noise without widening access
kernel_dontaudit_list_proc(clamassassin_t)
kernel_dontaudit_read_system_state(clamassassin_t)

# clamassassin needs to be able to call clamscan
clamav_domtrans_clamscan(clamassassin_t)

# ========================================
# clamd local policy
# ========================================

kernel_read_kernel_sysctls(clamd_t)

# ========================================
# clamscan local policy
# ========================================

# Is this clamscan writing via a pipe to postfix_local_t?
allow clamscan_t postfix_local_t:fd use;
allow clamscan_t postfix_local_t:fifo_file write;

# Is this clamscan_t reading via a pipe from procmail_t?
# Matches AVC 884 above: { use } denied on an inherited procmail_t fd
# (dev=pipefs). Read-only on the fifo is enough for that case.
allow clamscan_t procmail_t:fd use;
allow clamscan_t procmail_t:fifo_file read;

# ========================================
# freshclam local policy
# ========================================

# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)

# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)
::::::::::::::
mypyzor.te
::::::::::::::
policy_module(mypyzor, 0.2.3)

require {
        type etc_mail_t;
        type http_port_t;
        type pyzor_t;
        type pyzor_exec_t;
        type pyzor_port_t;
        type spamd_t;
};

# temp files
type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)

# Allow pyzor to create and use temp files and dirs
allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
allow pyzor_t pyzor_tmp_t:file create_file_perms;
# NOTE(review): files_tmp_file() above presumably already applies
# files_type(); harmless if so, but confirm whether this line is redundant.
files_type(pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })

# Allow pyzor to read config (and any other file...)
# from user home directories
# This grants read on all unprivileged users' home content, not only the
# pyzor config; a narrower home-content type would limit what a
# misbehaving pyzor_t process could read.
userdom_read_unpriv_users_home_content_files(pyzor_t)

# Allow pyzor to read /dev/urandom
dev_read_urand(pyzor_t)

# Work with nscd
# (AVC 890 above: search denied on the nscd_var_run_t dir)
nscd_socket_use(pyzor_t)

# Allow pyzor to send and receive pyzor messages!
allow pyzor_t pyzor_port_t:udp_socket send_msg;
allow pyzor_t pyzor_port_t:udp_socket recv_msg;

# Get data from remote websites
# Matches AVCs 891/892 above (name_connect/send_msg/recv_msg to
# http_port_t). Note this permits outbound HTTP to any host, not just the
# pyzor servers; worth keeping in mind when reviewing egress from pyzor_t.
allow pyzor_t http_port_t:tcp_socket { name_connect recv_msg send_msg };

# Allow spamd to signal pyzor (kill/hup ?)
# [should be an interface for this in pyzor.if]
allow spamd_t pyzor_t:process signal;

# This doesn't seem to break anything
# [should be an interface for this in pyzor.if]
dontaudit spamd_t pyzor_exec_t:file getattr;

# Read sitewide config
allow pyzor_t etc_mail_t:dir { getattr search };
allow pyzor_t etc_mail_t:file { getattr read };

# Allow pyzor to read the routing table
# (AVCs 885-889 above: create/bind/getattr/write/nlmsg_read/read on
# self:netlink_route_socket; r_netlink_socket_perms is presumably the
# read-only netlink set, which is all those denials need)
allow pyzor_t self:netlink_route_socket { r_netlink_socket_perms };

# Allow pyzor to ...?
corecmd_search_bin(pyzor_t)
kernel_read_kernel_sysctls(pyzor_t)
# It does a getattr on /usr/bin/time for reasons unknown...
# NOTE(review): bin_t is not in the require block above; it is presumably
# pulled in by corecmd_search_bin()'s own require -- confirm the module
# still builds if that interface call is ever removed.
dontaudit pyzor_t bin_t:dir getattr;
dontaudit pyzor_t bin_t:file getattr;

# Pyzor/python probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(pyzor_t)
kernel_dontaudit_read_system_state(pyzor_t)


Paul.



