Denials from spamc and webalizer on Centos 5.2

Richard Chapman rchapman at aardvark.com.au
Mon Jan 26 09:27:52 UTC 2009


Sorry Dominick - I pasted the wrong error into this email. I've pasted 
the right one below.

Richard Chapman wrote:
> Hi Dominick
>
> It has taken me a while to decide to go ahead with your suggestion 
> below... (I think I was hoping the problem would go away...:-)) and it 
> looks like I am heading in the right direction - but there is a little 
> more work to do.
>
> There seemed to be a problem with the quotes in the line:
>
> echo "optional_policy(`" >> myprocmail.te;
>
> but I edited the .te file - and the make worked fine - after I 
> installed the selinux-policy-devel package. Here is myprocmail.te:
>
> policy_module(myprocmail, 0.0.1)
> require { type procmail_t; }
> optional_policy(`spamassassin_domtrans_spamc(procmail_t)')
>
> I installed the policy file using the GUI Selinux Administration tool.
>
> I think we have got rid of the procmail error - but now we have a new 
> error. (see below). I'm guessing I need another line or two in my 
> myprocmail.te file. Can you tell me what it is I need? I'm pretty sure 
> this is a new error - which might suggest that there is something 
> wrong with the above policy file??
>
> I haven't tried the webalizer changes yet. I have turned webalizer off 
> for the time being.
>
> Many thanks
>
> Richard.
>
> Summary
> SELinux is preventing spamc (spamc_t) "write" to pipe (postfix_local_t).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied 
> but was permitted due to permissive mode.]
>
> SELinux denied access requested by spamc. It is not expected that this 
> access is required by spamc and this access may signal an intrusion 
> attempt. It is also possible that the specific version or 
> configuration of the application is causing it to require additional 
> access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see FAQ 
> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can 
> disable SELinux protection altogether. Disabling SELinux protection is 
> not recommended. Please file a bug report 
> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
> Additional Information
>
> Source Context:   	system_u:system_r:spamc_t
> Target Context:   	system_u:system_r:postfix_local_t
> Target Objects:   	pipe [ fifo_file ]
> Source:   	spamc
> Source Path:   	/usr/bin/spamc
> Port:   	<Unknown>
> Host:   	C5.aardvark.com.au
> Source RPM Packages:   	spamassassin-3.2.4-1.el5
> Target RPM Packages:   	
> Policy RPM:   	selinux-policy-2.4.6-203.el5
> Selinux Enabled:   	True
> Policy Type:   	targeted
> MLS Enabled:   	True
> Enforcing Mode:   	Permissive
> Plugin Name:   	catchall
> Host Name:   	C5.aardvark.com.au
> Platform:   	Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue 
> Dec 16 11:57:43 EST 2008 x86_64 x86_64
> Alert Count:   	8
> First Seen:   	Mon Jan 26 14:24:43 2009
> Last Seen:   	Mon Jan 26 17:10:19 2009
> Local ID:   	8cff6375-1acd-4f86-bb7f-7c99129a9a2b
> Line Numbers:   	
>
> Raw Audit Messages :
>
> host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc: 
> denied { write } for pid=17103 comm="spamc" path="pipe:[224027]" 
> dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0 
> tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
> host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc: 
> denied { write } for pid=17103 comm="spamc" path="pipe:[224027]" 
> dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0 
> tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1232957419.466:2987): 
> arch=c000003e syscall=59 success=yes exit=0 a0=ac072e0 a1=ac09310 
> a2=ac09260 a3=8 items=0 ppid=17102 pid=17103 auid=4294967295 uid=500 
> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 
> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" 
> subj=system_u:system_r:spamc_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1232957419.466:2987): 
> arch=c000003e syscall=59 success=yes exit=0 a0=ac072e0 a1=ac09310 
> a2=ac09260 a3=8 items=0 ppid=17102 pid=17103 auid=4294967295 uid=500 
> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 
> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" 
> subj=system_u:system_r:spamc_t:s0 key=(null)
>
>
>
> domg472 g472 wrote:
>> Hello,
>>
>> With regard to procmail, I think your policy is missing a domain
>> transition to spamassassin.
>>
>> A custom policy looking something like the following may or may not
>> fix that issue:
>>
>> mkdir ~/myprocmail; cd ~/myprocmail;
>> echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
>> echo "require { type procmail_t; }" >> myprocmail.te;
>> echo "optional_policy(`" >> myprocmail.te;
>> echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
>> echo "')" >> myprocmail.te;
>>
>> make -f /usr/share/selinux/devel/Makefile
>> /usr/sbin/semodule -i myprocmail.pp
>>
>> With regard to webalizer it looks like webalizer is searching
>> something in a "bin" directory.
>> If you want you can allow this.
>>
>> mkdir ~/mywebalizer; cd ~/mywebalizer;
>> echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
>> echo "require { type webalizer_t; }" >> mywebalizer.te;
>> echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;
>>
>> make -f /usr/share/selinux/devel/Makefile
>> /usr/sbin/semodule -i  mywebalizer.pp
>>
>> It may be that both procmail and webalizer domains need more access
>> after this, but you will notice that if this is the case.
>>
>> P.s. You may or may not need to escape some of the characters in my 
>> example.
>>
>> Hth,
>> Dominick
>>
>>   
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
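
The quoting problem and the new denial discussed in this message, as an added example that is not part of the original thread: a quoted heredoc writes the m4 quote pair into myprocmail.te without the shell treating the backtick as command substitution, and a small sed filter prints the raw allow rule an AVC record corresponds to so it can be reviewed before anything is added to the policy. The function names `write_te` and `avc_to_rule` are hypothetical; the sample record is the denial quoted above, joined onto one line.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Denial record copied from the message above (joined onto one line).
SAMPLE_AVC='type=AVC msg=audit(1232957419.466:2987): avc: denied { write } for pid=17103 comm="spamc" path="pipe:[224027]" dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file'

# Write the policy source to the path given in $1.
# The quoted delimiter ('EOF') turns off all expansion inside the heredoc,
# so the m4 opening quote (backtick) and closing quote (apostrophe) reach
# the file exactly as typed. Inside double quotes the backtick would start
# a command substitution instead.
write_te() {
    cat > "$1" <<'EOF'
policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`
    spamassassin_domtrans_spamc(procmail_t)
')
EOF
}

# Print the literal allow rule matching one "avc: denied" record:
#   allow <source type> <target type>:<class> { <permissions> };
# The type is the third colon-separated field of scontext/tcontext.
# Records that are not denials produce no output.
avc_to_rule() {
    printf '%s\n' "$1" | sed -n \
      's/.*denied *{ *\([^}]*[^} ]\) *}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_0-9]*\).*/allow \2 \3:\4 { \1 };/p'
}

# Show the rule for the sample record when the script is run directly.
avc_to_rule "$SAMPLE_AVC"
```

The printed rule is only the mechanical translation of the denial; whether spamc should be allowed to write to a pipe owned by postfix_local_t is a policy decision the thread has not yet answered.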