postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 28 20:13:58 UTC 2006


On Wed, 2006-06-28 at 14:22 -0500, Marc Schwartz (via MN) wrote:
> On Wed, 2006-06-28 at 15:08 +0100, Paul Howarth wrote:
> > On Tue, 2006-06-27 at 12:34 -0500, Marc Schwartz (via MN) wrote:
> 
> <snip old avc's>
> 
> > > One thing to note here. I am on the new kernel: 2.6.17-1.2139_FC5
> > > 
> > > There have been some flaky things going on with networking as you may
> > > have noted on the general FC list, just in case any of that is relevant
> > > here. I have not installed the new (updates testing) initscripts as of
> > > yet, as I am still trying to get a sense of where things stand. I have
> > > seen some issues with network configs and device labelling issues,
> > > including wireless instability (using the bcm43xx driver) which was
> > > working under the former kernel with ndiswrapper. FWIW.
> > 
> > I don't think that any of the above AVCs are related to this.
> 
> OK. Wanted to make note of it, just in case.
> 
> <snip new policies>
> 
> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> dcc     1.0.0
> myclamav        0.1.4
> mydcc   0.1.8
> mypostfix       0.1.0
> mypyzor 0.2.3
> myspamassassin  0.1.1
> procmail        0.5.4
> pyzor   1.0.1
> razor   1.0.0
> 
> 
> New avc's:
> 
> type=AVC msg=audit(1151521329.964:1158): avc:  denied  { search } for  pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 a0=939f848 a1=bffd2e80 a2=721ff4 a3=3 items=1 pid=5442 auid=4294967295 uid=0 gid=0 euid=100 suid=0 fsuid=100 egid=101 sgid=0 fsgid=101 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
> type=CWD msg=audit(1151521329.964:1158):  cwd="/var/spool/postfix"
> type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0

postfix local looking in /var/lib/clamav

> type=AVC msg=audit(1151521329.988:1159): avc:  denied  { search } for  pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 a0=8dd0d60 a1=bfe27a6c a2=4891eff4 a3=0 items=1 pid=5449 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0
> type=CWD msg=audit(1151521329.988:1159):  cwd="/var/spool/postfix"

same for procmail

This appears to be postfix local and procmail trying to
read /var/lib/clamav/.forward; does that sound reasonable?

You can bump myclamav.te to version 0.1.5 and append the following:

# ===========================================
# things that should be done via an interface
# ===========================================
# postfix local and procmail search the clamd_var_lib_t directory
# (/var/lib/clamav) while looking up /var/lib/clamav/.forward
allow postfix_local_t clamd_var_lib_t:dir r_dir_perms;
allow procmail_t clamd_var_lib_t:dir r_dir_perms;

Paul.
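
As an added example (this is not code from the post, from Paul, or from Fedora's policy), the following Python script reproduces the by-hand steps above on the two denials Marc quoted: it parses the AVC records, joins each one to its SYSCALL record by audit serial to pick up the exit code (exit=-2 is ENOENT, i.e. the .forward file does not exist and the denial is on the directory search made during the lookup), merges the denied permissions per source type, target type and object class, and renders a refpolicy-style module body. The sample audit text is the records from the post, embedded here as constructed input; the module name and version follow the post; the permission-set table is taken from refpolicy's obj_perm_sets.spt; the choice of the narrowest covering macro (search_dir_perms) and the assumption that the module is built with the policy devel Makefile (/usr/share/selinux/devel/Makefile) are this example's, not the post's.

```python
import re
from collections import defaultdict

# Constructed sample input: the audit records quoted in the post (audit 1.x
# text format), one record per line, without the mail quoting prefix.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1151521329.964:1158): avc:  denied  { search } for  pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 a0=939f848 a1=bffd2e80 a2=721ff4 a3=3 items=1 pid=5442 auid=4294967295 uid=0 gid=0 euid=100 suid=0 fsuid=100 egid=101 sgid=0 fsgid=101 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
type=CWD msg=audit(1151521329.964:1158):  cwd="/var/spool/postfix"
type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1151521329.988:1159): avc:  denied  { search } for  pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 a0=8dd0d60 a1=bfe27a6c a2=4891eff4 a3=0 items=1 pid=5449 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0
type=CWD msg=audit(1151521329.988:1159):  cwd="/var/spool/postfix"
"""

# Every audit record starts with its type and the (timestamp:serial) event id;
# records sharing a serial belong to the same event.
EVENT_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\):")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
EXIT_RE = re.compile(r"\bexit=(?P<exit>-?\d+)")

# Refpolicy permission-set macros (obj_perm_sets.spt) for directories, narrowest
# first. The post widens the single denied 'search' to r_dir_perms, the read set.
DIR_PERM_SETS = [
    ("search_dir_perms", frozenset({"getattr", "search", "open"})),
    ("r_dir_perms", frozenset({"getattr", "search", "open", "read", "lock", "ioctl"})),
]


def type_of(context):
    """user:role:type[:level] -> the type component."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial, with the SYSCALL exit code of its event."""
    avcs = defaultdict(list)
    exits = {}
    for line in text.splitlines():
        ev = EVENT_RE.match(line)
        if not ev:
            continue
        if ev["type"] == "AVC":
            m = AVC_RE.search(line)
            if m:
                avcs[ev["serial"]].append({
                    "source": type_of(m["scontext"]),
                    "target": type_of(m["tcontext"]),
                    "tclass": m["tclass"],
                    "perms": frozenset(m["perms"].split()),
                })
        elif ev["type"] == "SYSCALL":
            m = EXIT_RE.search(line)
            if m:
                exits[ev["serial"]] = int(m["exit"])
    result = []
    for serial in sorted(avcs, key=int):
        for d in avcs[serial]:
            # exit=-2 is ENOENT: the path being looked up does not exist, so
            # the denial happened on the directory walk, not on the file.
            d["exit"] = exits.get(serial)
            result.append(d)
    return result


def merge_rules(denials):
    """Union the denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return merged


def render_perms(tclass, perms, use_macros):
    """Pick the narrowest refpolicy macro covering perms, else spell them out."""
    if use_macros and tclass == "dir":
        for name, members in DIR_PERM_SETS:
            if perms <= members:
                return name
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def render_te(merged, module="myclamav", version="0.1.5", use_macros=True):
    """Emit a module body in the form the refpolicy devel Makefile compiles."""
    types = sorted({t for key in merged for t in key[:2]})
    out = [f"policy_module({module}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(merged.items()):
        out.append(f"allow {src} {tgt}:{cls} {render_perms(cls, perms, use_macros)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT)
    for d in denials:
        print(f"{d['source']} -> {d['target']}:{d['tclass']} {sorted(d['perms'])} exit={d['exit']}")
    print(render_te(merge_rules(denials)))
```

Run it and compare the output with the two rules Paul gives above: the script emits search_dir_perms for the one denied permission, while the post uses r_dir_perms, which also covers listing the directory; both are legitimate policy-author choices for the same denial. On a live system, ausearch -m avc piped into audit2allow -M produces the same kind of module from the same records; the point of walking through it by hand is seeing the exit=-2 next to the denial, which tells you the access is a lookup of a file that is not there and lets you decide between allow and dontaudit with that in mind.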

More information about the fedora-selinux-list mailing list