postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Fri Jun 30 13:19:10 UTC 2006


Marc Schwartz wrote:
> I just got home and noted the following avc's which appear to be a
> post-reboot scenario.
> 
> There are some that appear to be networking related, which may indeed be
> associated with the kernel related reports. I have more than one network
> profile, where I used one at home that has a fixed IP address behind a
> router. At work, I use NM with DHCP. As I noted in a prior post, some
> network things have been flaky with the new kernel.
> 
> Is this an indication that I should consider the 'updates testing'
> initscripts update as referenced in other threads on the general lists?

Possibly; my understanding of the update is that it fixes the order of 
assignment of network devices at boot time. This is useful to me for 
instance, as I have a two-interface firewall, which doesn't work if it 
boots with the internal and external interfaces the wrong way around.

> Up until the reboot, there were no other avc's.
> 
> Note also what appears to be a double "//" in the path to the
> razor-agent.log.  Not sure where that comes from, as the mods that I
> made in the config files are:
> 
> local.cf:
> razor_config /etc/mail/spamassassin/razor/razor-agent.conf
> 
> razor-agent.conf :
> razorhome              = /etc/mail/spamassassin/razor/
> 
> The trailing '/' in the second file was there previously.

You could try it without the trailing slash and see what happens. Double 
slashes aren't usually an issue though.

> New avc's:
> 
> type=AVC msg=audit(1151607255.655:1577): avc:  denied  { signal } for  pid=2283 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=process
> type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 items=0 pid=2283 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl"  subj=system_u:system_r:spamd_t:s0

Spamassassin signalling dcc_client. I wonder if the "a1" value is the 
signal number? If so, that's SIGTERM.

> type=AVC msg=audit(1151620643.074:452): avc:  denied  { append } for  pid=2312 comm="spamd" name="razor-agent.log" dev=hdc7 ino=1081390 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
> type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 items=1 pid=2312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
> type=CWD msg=audit(1151620643.074:452):  cwd="/"
> type=PATH msg=audit(1151620643.074:452): item=0 name="/etc/mail/spamassassin/razor//razor-agent.log" parent=1081385 dev=16:07 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:etc_mail_t:s0

Trying to append to /etc/mail/spamassassin/razor/razor-agent.log, which 
of course is etc_mail_t. Is there any way to persuade razor to put this 
log in /var/log instead?

> type=AVC msg=audit(1151620645.415:453): avc:  denied  { setgid } for  pid=2410 comm="dccproc" capability=6 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=capability
> type=SYSCALL msg=audit(1151620645.415:453): arch=40000003 syscall=210 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=47fcfcc0 items=0 pid=2410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0

dccproc changing its group ID.

> type=AVC msg=audit(1151620795.471:481): avc:  denied  { use } for  pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> type=AVC msg=audit(1151620795.471:481): avc:  denied  { use } for  pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> type=SYSCALL msg=audit(1151620795.471:481): arch=40000003 syscall=11 success=yes exit=0 a0=99120f8 a1=993b580 a2=9912608 a3=993b5f0 items=2 pid=5120 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient" exe="/sbin/dhclient" subj=user_u:system_r:dhcpc_t:s0
> type=AVC_PATH msg=audit(1151620795.471:481):  path="pipe:[10508]"
> type=AVC_PATH msg=audit(1151620795.471:481):  path="pipe:[10508]"
> type=CWD msg=audit(1151620795.471:481):  cwd="/etc/sysconfig/network-scripts"
> type=PATH msg=audit(1151620795.471:481): item=0 name="/sbin/dhclient" inode=3542818 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
> type=PATH msg=audit(1151620795.471:481): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> type=AVC msg=audit(1151620808.228:498): avc:  denied  { use } for  pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> type=AVC msg=audit(1151620808.228:498): avc:  denied  { use } for  pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=10508 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> type=SYSCALL msg=audit(1151620808.228:498): arch=40000003 syscall=11 success=yes exit=0 a0=9fdff30 a1=a0044c8 a2=9fe1378 a3=a002498 items=3 pid=5217 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient-script" exe="/bin/bash" subj=user_u:system_r:dhcpc_t:s0
> type=AVC_PATH msg=audit(1151620808.228:498):  path="pipe:[10508]"
> type=AVC_PATH msg=audit(1151620808.228:498):  path="pipe:[10508]"
> type=CWD msg=audit(1151620808.228:498):  cwd="/etc/sysconfig/network-scripts"
> type=PATH msg=audit(1151620808.228:498): item=0 name="/sbin/dhclient-script" inode=3548518 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
> type=PATH msg=audit(1151620808.228:498): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0
> type=PATH msg=audit(1151620808.228:498): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

These appear to be unrelated network issues.

Could be allowed by having
xserver_use_xdm_fds(dhcpc_t)
in the sysnetwork policy but I'm not sure what's happening there and if 
that would be the right thing to do.

Updated policy:
::::::::::::::
mydcc.if
::::::::::::::
########################################
## <summary>
##      Signal the dcc client
## </summary>
## <param name="domain">
##      <summary>
##      The type of the process performing this action.
##      </summary>
## </param>
#
interface(`dcc_signal_client',`
         gen_require(`
                 type dcc_client_t;
         ')

         allow $1 dcc_client_t:process signal;
')

::::::::::::::
myspamassassin.te
::::::::::::::
policy_module(myspamassassin, 0.1.2)

require {
         type spamd_t;
}

# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)

# This is already supposed to be included but doesn't seem to be working
pyzor_domtrans(spamd_t)

# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)

# Signal the dcc client (SIGTERM is used?)
dcc_signal_client(spamd_t)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.9)

# ==================================================
# Declarations
# ==================================================

require {
         type dcc_client_t;
}

# ==================================================
# DCC client local policy
# ==================================================

allow dcc_client_t self:capability setgid;
allow dcc_client_t self:netlink_route_socket r_netlink_socket_perms;

corenet_udp_bind_inaddr_any_node(dcc_client_t)

# dcc_client probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(dcc_client_t)
kernel_dontaudit_read_system_state(dcc_client_t)

spamassassin_read_spamd_tmp_files(dcc_client_t)



Paul.
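Editor's note: the reply above decodes the AVC records by hand (pairing each AVC with its SYSCALL record, guessing that a1 of the kill(2) call is the signal number, and turning each denial into an allow rule or interface call). The script below does the same mechanically over the three spamd/dccproc records quoted in the message. It is an added example written for this page, not code from the thread or from the SELinux reference policy. Its assumptions: arch=40000003 is AUDIT_ARCH_I386 and only the i386 syscall numbers that appear in the sample (5 open, 11 execve, 37 kill, 210 setresgid32) are named; the open(2) flag values are the i386 Linux ones; the sample records are the ones quoted above with their line-wrap damage repaired. On i386, syscall 37 is kill(pid, sig), so a1=f is signal 15, which is SIGTERM, consistent with the guess in the message.

```python
"""Decode SELinux AVC denials: pair AVC with SYSCALL by audit serial, name
the syscall, decode kill(2) signal / open(2) flags, and emit the minimal
allow rule that would satisfy the denial (what audit2allow prints)."""
import errno
import re
import signal

# Constructed sample input: the three denials quoted in the message, with
# the archive's line-wrap damage repaired. Not captured from a live host.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1151607255.655:1577): avc:  denied  { signal } for  pid=2283 comm="spamd" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=process
type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 items=0 pid=2283 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC msg=audit(1151620643.074:452): avc:  denied  { append } for  pid=2312 comm="spamd" name="razor-agent.log" dev=hdc7 ino=1081390 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 items=1 pid=2312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=AVC msg=audit(1151620645.415:453): avc:  denied  { setgid } for  pid=2410 comm="dccproc" capability=6 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=capability
type=SYSCALL msg=audit(1151620645.415:453): arch=40000003 syscall=210 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=47fcfcc0 items=0 pid=2410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
"""

# Assumption: arch=40000003 (AUDIT_ARCH_I386); only the i386 syscall
# numbers present in the sample are named here.
I386_SYSCALLS = {5: "open", 11: "execve", 37: "kill", 210: "setresgid32"}
# i386 Linux open(2) flag bits (subset sufficient for the sample).
I386_OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT",
                   0x400: "O_APPEND", 0x8000: "O_LARGEFILE"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """One audit line -> dict of key=value fields, plus serial and perms."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = int(SERIAL_RE.search(line).group(2))
    if fields.get("type") == "AVC":
        fields["perms"] = PERMS_RE.search(line).group(1).split()
    return fields


def type_of(context):
    """The SELinux type is the third colon-separated field of a context."""
    return context.split(":")[2]


def allow_rule(avc):
    """Minimal rule silencing this AVC; same source and target -> self."""
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, target, avc["tclass"], perm_str)


def describe_syscall(sc):
    """Name the syscall; decode the signal for kill and the flags for open.
    Audit logs the raw register arguments a0..a3 in hex."""
    nr = int(sc["syscall"])
    name = I386_SYSCALLS.get(nr) if sc["arch"] == "40000003" else None
    name = name or "syscall_%d" % nr
    if name == "kill":
        sig = signal.Signals(int(sc["a1"], 16)).name
        return "kill(pid=%d, %s)" % (int(sc["a0"], 16), sig)
    if name == "open":
        flags = int(sc["a1"], 16)
        names = [n for bit, n in sorted(I386_OPEN_FLAGS.items()) if flags & bit]
        return "open(flags=%s)" % "|".join(names)
    return name


def syscall_result(sc):
    """success=yes means the denial did not abort the call (dontaudit
    candidate); otherwise translate the negative errno in exit=."""
    if sc["success"] == "yes":
        return "success"
    return "failed %s" % errno.errorcode.get(-int(sc["exit"]), sc["exit"])


def decode(audit_text):
    """Pair AVC and SYSCALL records by serial; one summary per AVC line."""
    avcs, syscalls = {}, {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec["type"] == "AVC":
            avcs.setdefault(rec["serial"], []).append(rec)
        elif rec["type"] == "SYSCALL":
            syscalls[rec["serial"]] = rec
    out = []
    for serial, recs in sorted(avcs.items()):
        sc = syscalls.get(serial)
        for avc in recs:
            out.append({"serial": serial, "comm": avc["comm"],
                        "perm": " ".join(avc["perms"]), "tclass": avc["tclass"],
                        "syscall": describe_syscall(sc) if sc else "?",
                        "result": syscall_result(sc) if sc else "?",
                        "rule": allow_rule(avc)})
    return out


if __name__ == "__main__":
    for d in decode(SAMPLE_AUDIT):
        print("%(serial)d %(comm)s: denied %(perm)s on %(tclass)s via "
              "%(syscall)s [%(result)s] -> %(rule)s" % d)
```

The emitted rules are exactly what the hand-written modules above encode (`allow $1 dcc_client_t:process signal;` in dcc_signal_client, `allow dcc_client_t self:capability setgid;` in mydcc.te). Two things the decoder surfaces that a bare allow rule would hide: the append denial's open flags (O_WRONLY|O_CREAT|O_APPEND) confirm it is the razor log being written under /etc/mail, which is why relocating the log beats an `allow spamd_t etc_mail_t:file append;`, and the setgid record's SYSCALL line reports success=yes, so that denial did not actually break dccproc, which is worth knowing before choosing between allow and dontaudit.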

