<div><br></div>On Fri, Dec 31, 2010 at 4:19 AM, Dominick Grift <span dir="ltr"><<a href="mailto:domg472@gmail.com">domg472@gmail.com</a>></span> wrote:<div>[ ... ]<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div class="h5">
> Maybe it makes sense to run the mail server backend in unconfined_t? That<br>
> seems risky in its own way.<br>
<br>
</div></div>Why not use the mta module policy for your qmail other mtas also run in<br>
this domain. i guess yoou could simply label qmail executable file<br>
sendmail_exec_t?<br></blockquote><div><br></div><div>Thanks, that is a good idea, I tried it out and am not getting so many warnings in my audit.log. I am concerned they may just be suppressed though; when I look at policies for system_mail_t by running:</div>
<div><br></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div class="gmail_quote"><div><font class="Apple-style-span" face="'courier new', monospace">sesearch -a -s system_mail_t</font></div>
</div></blockquote><div class="gmail_quote"><div><br></div><div>I see lines like this:</div><div><br></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div class="gmail_quote">
<div><div><font class="Apple-style-span" face="'courier new', monospace">dontaudit system_mail_t httpd_t : file { ioctl read getattr lock }; </font></div></div></div><div class="gmail_quote"><div><div><font class="Apple-style-span" face="'courier new', monospace">dontaudit system_mail_t httpd_t : tcp_socket { read write }; </font></div>
</div></div></blockquote><div class="gmail_quote"><div><br></div><div>Since I am currently running in permissive mode, those lines seem like they would mask the problem without solving it. Maybe I will need to set up a dev server to test this.<br>
</div><div><br></div><div>[ ... ]</div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
> > Third, is there a useful guide for troubleshooting SELinux policy<br>
>> execution?<br>
>>> When things don't work as I expect them to, it's hard to find the reason<br>
>> if<br>
>>> it's not obvious from the audit.log.<br>
>><br>
>> Examples?<br>
>><br>
>> It usually boils down to analyzing AVC denials.<br>
>><br>
><br>
> I may be able to find what I need in the AVC logs. I think I'm just not yet<br>
> confident enough that my policies work as they should, and it would be<br>
> reassuring to see the domain transitions as they run.<br>
<br>
</div>stuff only transitions if you tell it to transition.<br>
<br>
you can also use sesearch to see where your domain is allowed to transition:<br>
<br>
example:<br>
<br>
sesearch --allow -SC -s ntpd_t -t domain -c process -p transition<br></blockquote><div><br></div><div>Thanks, that is a great tool I did not know about!</div><div><br></div><div>So here then is an example I am not sure how to troubleshoot.</div>
<div><br></div><div><meta charset="utf-8"><div class="gmail_quote"><div>I don't understand how the mail backend is able to send messages without generating AVC denials. "ps -efZ" shows qmail-send, qmail's main backend process, and qmail-rspawn, which handles remote messages, as running with type "init_t". That makes sense, since they are started by a sequence that begins with init(8) and don't transition to any other context. To send the mail, it needs to read the configuration files, which are labeled "etc_mail_t", and read and write queue files labeled "mqueue_spool_t". It shouldn't have permission to do anything with those files:</div>
<div><br></div></div><blockquote class="webkit-indent-blockquote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 40px; border-top-style: none; border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; ">
<div class="gmail_quote"><div><div><font class="Apple-style-span" face="'courier new', monospace">$ sesearch -a -s init_t |egrep 'etc_mail|mqueue'</font></div></div></div><div class="gmail_quote"><div><div>
<font class="Apple-style-span" face="'courier new', monospace">$ </font></div></div></div></blockquote><div class="gmail_quote"><div><br></div><div>But somehow it does, or at least seems to to it without generating any AVC denials.</div>
<div><br></div></div></div><meta charset="utf-8"><div>Since this is succeeding, there's nothing in the audit.log, and from my own inspection the contexts shouldn't allow this. If I were programming I would use a debugger or strace(1) to figure out exactly what is going on, but I'm not sure if there is an equivalent tool here, or what my options are apart from staring at the same information and hoping for insight.</div>
<div><br></div><div> [ ... ]</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">
> I have had some problems with failed assertions, which have far too little<br>
> debug information to troubleshoot them with anything but guesswork, but<br>
> that's probably a separate issue.<br>
<br>
</div>examples?<br></blockquote><div><br></div><div>For example, early on in trying out a qmail policy, I forgot this line:</div><div><br></div><div><font class="Apple-style-span" face="'courier new', monospace">domain_type(mail_qmail_queue_t)</font></div>
<div><br></div><div>The policy compiled fine, but when I tried to load it I got these errors:</div><div><div><ul><li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow mail_qmail_queue_t sendmail_t:process { sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow mail_qmail_queue_t httpd_sys_script_t:process { sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow mail_qmail_queue_t httpd_t:process { sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow mail_qmail_queue_t mail_qmail_queue_t:process { transition sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow mail_qmail_queue_t unconfined_t:process { sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow sendmail_t mail_qmail_queue_t:process { transition sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t mail_qmail_queue_t:process { transition sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t mail_qmail_queue_t:process { transition sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow unconfined_t mail_qmail_queue_t:process { transition sigchld };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow sendmail_t mail_qmail_queue_t:process { transition };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_sys_script_t mail_qmail_queue_t:process { transition };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t mail_qmail_queue_t:process { transition };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertion_helper: assertion on line 0 violated by allow unconfined_t mail_qmail_queue_t:process { transition };</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsepol.check_assertions: 13 assertion violations occured</span></li><li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">libsemanage.semanage_expand_sandbox: Expand module failed</span></li>
<li><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">semodule: Failed!</span></li></ul></div></div><div>Eventually after staring at it awhile, a bit of googling, and some lucky guesses I was able to figure it out.</div>
<div><br></div><div>Are there any tools or guidelines that can help with these sorts of things?</div><div></div></div><br><div>Thanks again for all of your help!</div><div><br></div><div>-----Scott.</div><div><br></div></div>