On Thu, 2006-06-22 at 14:10 +0100, Paul Howarth wrote:
Marc Schwartz (via MN) wrote:
> On Wed, 2006-06-21 at 13:57 -0500, Marc Schwartz (via MN) wrote:
>> > Just to be clear, I should leave or remove the mydcc policy?
>
> Paul,
>
> I am getting errors when building the dcc and razor policies:
>
> dcc.if:23: duplicate definition of dcc_domtrans_cdcc(). Original definition on 23.
> dcc.if:54: duplicate definition of dcc_run_cdcc(). Original definition on 54.
> dcc.if:76: duplicate definition of dcc_domtrans_client(). Original definition on 76.
> dcc.if:107: duplicate definition of dcc_run_client(). Original definition on 107.
> dcc.if:129: duplicate definition of dcc_domtrans_dbclean(). Original definition on 129.
> dcc.if:160: duplicate definition of dcc_run_dbclean(). Original definition on 160.
> dcc.if:181: duplicate definition of dcc_stream_connect_dccifd(). Original definition on 181.
> razor.if:101: duplicate definition of razor_common_domain_template(). Original definition on 101.
> razor.if:197: duplicate definition of razor_per_userdomain_template(). Original definition on 197.
> razor.if:218: duplicate definition of razor_domtrans(). Original definition on 218.
>
> The modules do seem to build and install however.
>
> I do believe that I answered my own question above, in that the dcc
> policy will not load with the mydcc policy loaded.
>
> Current status:
>
> # semodule -l
> amavis 1.0.4
> clamav 1.0.1
> dcc 1.0.0
> myclamscan 0.2.0
> mypyzor 0.2.1
> procmail 0.5.3
> pyzor 1.0.1
> razor 1.0.0
I suspect that the current FC5 policy includes these interfaces but not
the policy modules or file contexts. Can anyone confirm this?
Renaming/removing the .if files makes these warnings go away anyway.
Yep. I removed the .if files and all seems well.
> On Wed, 2006-06-21 at 14:56 -0500, Marc Schwartz (via MN) wrote:
>> Just a quick note that so far, all seems to be well.
>>
>> No avclist msgs since the change in policies to the above.
>>
>> Want me back in Enforcing mode?
>
> Hold the presses. Now getting avc's:
>
> type=AVC msg=audit(1150920365.865:1776): avc: denied { execute } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=AVC msg=audit(1150920365.865:1776): avc: denied { execute_no_trans } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=AVC msg=audit(1150920365.865:1776): avc: denied { read } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
This is spamassassin failing to transition to the pyzor_t domain. The
strange thing is that this should already be allowed by policy.
spamassassin.te has:
optional_policy(`
pyzor_domtrans(spamd_t)
')
Anyone got any ideas why this isn't working?
> type=AVC msg=audit(1150920370.874:1778): avc: denied { create } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1778): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfea63f8 a2=4891eff4 a3=8069fbf items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1150920370.874:1778): nargs=3 a0=10 a1=3 a2=0
This is dcc running in the spamd_t domain. We need to add a transition
to dcc_client_t.
> type=AVC msg=audit(1150920370.874:1779): avc: denied { bind } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1779): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1150920370.874:1779): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1150920370.874:1779): nargs=3 a0=3 a1=bfea6404 a2=c
> type=AVC msg=audit(1150920370.874:1780): avc: denied { getattr } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1780): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1150920370.874:1780): nargs=3 a0=3 a1=bfea6404 a2=bfea6410
> type=AVC msg=audit(1150920370.874:1781): avc: denied { write } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1150920370.874:1781): avc: denied { nlmsg_read } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1781): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1150920370.874:1781): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1150920370.874:1781): nargs=6 a0=3 a1=bfea63bc a2=14 a3=0 a4=bfea63d0 a5=c
> type=AVC msg=audit(1150920370.874:1782): avc: denied { read } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1782): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1150920370.874:1782): nargs=3 a0=3 a1=bfea63a0 a2=0
> type=AVC msg=audit(1150920370.874:1783): avc: denied { search } for pid=4787 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> type=SYSCALL msg=audit(1150920370.874:1783): arch=40000003 syscall=12 success=yes exit=0 a0=bfea5562 a1=0 a2=4891eff4 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=CWD msg=audit(1150920370.874:1783): cwd="/"
> type=PATH msg=audit(1150920370.874:1783): item=0 name="/var/dcc" flags=3 inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150920370.878:1784): avc: denied { read write } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
> type=SYSCALL msg=audit(1150920370.878:1784): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=CWD msg=audit(1150920370.878:1784): cwd="/var/dcc"
> type=PATH msg=audit(1150920370.878:1784): item=0 name="/var/dcc/map" flags=101 inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150920370.878:1785): avc: denied { getattr } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
> type=SYSCALL msg=audit(1150920370.878:1785): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfea5378 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=AVC_PATH msg=audit(1150920370.878:1785): path="/var/dcc/map"
> type=AVC msg=audit(1150920370.878:1786): avc: denied { lock } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
> type=SYSCALL msg=audit(1150920370.878:1786): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfea64f4 a3=bfea64f4 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=AVC_PATH msg=audit(1150920370.878:1786): path="/var/dcc/map"
All of these are the dcc client running in the wrong domain.
> It would seem that I just noted what may be a valuable piece of
> information here.
>
> When testing the remote checks by using the test spam e-mail:
>
> cat /usr/share/doc/spamassassin-3.1.3/sample-spam.txt | spamassassin -D
>
> there are no avc's generated.
This is probably because the processes were running unconfined (you
invoked them in "user space").
Yep.
> However, the above avc's were generated after an e-mail came through the
> normal fetchmail process, where postfix/procmail are being used to fire
> up spamassassin.
>
> I just replicated both processes and indeed, no avc's were generated
> with the test e-mail, but as soon as a new inbound e-mail came through,
> avc's.
In this case, the processes are running in "system space", and are confined.
Yep again. :-)
> On Wed, 2006-06-21 at 21:07 +0100, Paul Howarth wrote:
>> > Can you remind me where the files are actually installed on your system
>> > (presumably upstream default locations?)?
>> >
>> > Some may need adding to the .fc files.
>
> /var/dcc/* and sub-dirs
That looks to be covered by the dcc policy.
> /usr/bin/razor*
That looks to be covered by the razor policy.
> /root/.razor/*
This has special contexts in strict policy, but not in targeted. So for
targeted we may need to allow it to read home directories.
> /.razor/*
That looks rather dubious.
I initially thought that these files in / were from the initial install.
However, the dates on the log files in that path are current as of last
night, when the cron jobs run.
The files in /root/.razor appear to be tagged as during the day today,
perhaps when cron jobs result in e-mails to root, which are then mapped
to my userID by postfix.
> dcc was installed from the upstream tarball at Rhyolite. It is not in
> FE. Built with default options.
I think there are probably licensing issues that preclude it from being
in Extras; not sure though.
> razor is installed via FE with perl-Razor-Agent-2.77-3.fc5.
OK, I'll look there if needs be.
> pyzor is also from FE with pyzor-0.4.0-9.fc4. Presumably the RPM naming
> should be updated to fc5?
It just needs a rebuild. But since FC4 and FC5 are both based on python
2.4, it doesn't really matter.
> On Wed, 2006-06-21 at 21:18 +0100, Paul Howarth wrote:
> In addition to my prior e-mail with the dcc and razor files, here are
> the pyzor files:
>
> /.pyzor/*
That looks dubious.
I think that this is the same situation as with razor above.
> /root/.pyzor/*
This has special contexts in strict policy, but not in targeted. So for
targeted we may need to allow it to read home directories.
> /usr/bin/pyzor*
Already in policy.
> /usr/lib/python2.4/site-packages/pyzor/*
Nothing special should be needed for those.
> BTW, one more piece of information on the testing.
>
> It dawned on me that there might be a difference in running SA using the
> above syntax versus using SA via the spamd daemon. Thus, I tried:
>
> cat /usr/share/doc/spamassassin-3.1.3/sample-spam.txt | spamc -l
>
> and this does now reproducibly generate the avc's, while still
> generating an adequate trace of the tests.
I think spamc talks to spamd, which is running in "system space" and
thus is confined.
Yep yet again.
Try this myspamassassin.te to get the domain transitions for dcc and
razor working:
policy_module(myspamassassin, 0.1.0)
require {
type spamd_t;
}
# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)
# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)
Done.
OK. Here are the latest avc's subsequent to the above change and now
using the spamc/d approach:
type=AVC msg=audit(1151025305.852:691): avc: denied { execute } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025305.852:691): avc: denied { execute_no_trans } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025305.852:691): avc: denied { read } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1151025305.852:691): arch=40000003 syscall=11 success=yes exit=0 a0=b535ee0 a1=ba6e0d0 a2=baa2150 a3=bf81af1c items=3 pid=22050 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1151025305.852:691): path="/usr/bin/pyzor"
type=AVC_PATH msg=audit(1151025305.852:691): path="/usr/bin/pyzor"
type=CWD msg=audit(1151025305.852:691): cwd="/"
type=PATH msg=audit(1151025305.852:691): item=0 name="/usr/bin/pyzor" flags=101 inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1151025305.852:691): item=1 flags=101 inode=3140290 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1151025305.852:691): item=2 flags=101 inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1151025305.884:692): avc: denied { ioctl } for pid=22050 comm="pyzor" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1151025305.884:692): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bf8a4998 a3=bf8a49d8 items=0 pid=22050 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1151025305.884:692): path="/usr/bin/pyzor"
type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1151025306.136:693): cwd="/"
type=PATH msg=audit(1151025306.136:693): item=0 name="/var/dcc" flags=3 inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1151025306.136:694): avc: denied { read write } for pid=22051 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1151025306.136:694): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1151025306.136:694): cwd="/var/dcc"
type=PATH msg=audit(1151025306.136:694): item=0 name="/var/dcc/map" flags=101 inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1151025306.136:695): avc: denied { getattr } for pid=22051 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1151025306.136:695): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfe798d8 a2=4891eff4 a3=3 items=0 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1151025306.136:695): path="/var/dcc/map"
type=AVC msg=audit(1151025306.136:696): avc: denied { lock } for pid=22051 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1151025306.136:696): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfe7aa54 a3=bfe7aa54 items=0 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1151025306.136:696): path="/var/dcc/map"
Thanks Paul,
Marc
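
Added worked example (editor's code, not from the thread, the dcc/razor/pyzor projects or the FC5 policy): a small Python script that does the triage Paul does by hand above. It groups AVC records the way audit2allow would, then separates "this domain really needs that access" from "this process is in the wrong domain" (the pyzor_exec_t execute denials and the dccproc denials on dcc_var_t, dcc_client_map_t and its own netlink socket). The split is a heuristic I am assuming here: a type's policy module is taken from its name prefix (dcc_client_map_t belongs to dcc, pyzor_exec_t to pyzor) and compared with the process name in comm. The sample records are modelled on the ones pasted above, with one invented user_home_t denial added to show the plain-allow case.

```python
"""Triage SELinux AVC denials: collapse them audit2allow-style, then separate
'this domain needs that access' from 'this process should not be in this domain'."""
import re
from collections import defaultdict

# An AVC record; everything after "for" is key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line: a dict for AVC denials, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    rec['stype'] = rec['scontext'].split(':')[2]   # system_u:system_r:spamd_t:s0 -> spamd_t
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def module_of(selinux_type):
    # Assumed naming convention: dcc_client_map_t -> 'dcc', pyzor_exec_t -> 'pyzor'
    return selinux_type.split('_')[0]


def summarise(lines):
    """(source type, target type, class) -> {'perms': set, 'comms': set}."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['comms'].add(rec.get('comm', '?'))
    return dict(groups)


def allow_rule(key, perms):
    """The rule audit2allow would print for this group (what NOT to add blindly)."""
    stype, ttype, tclass = key
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def wrong_domain_module(key, info):
    """Heuristic: the module the process really belongs to if this group looks
    like a failed domain transition, else None.
      1. execute/execute_no_trans on foo_exec_t: the caller ran the binary in
         its own domain instead of transitioning.
      2. a process named after another module (dccproc, pyzor) touching that
         module's private types from the caller's domain."""
    stype, ttype, tclass = key
    if (tclass == 'file' and info['perms'] & {'execute', 'execute_no_trans'}
            and ttype.endswith('_exec_t')):
        return module_of(ttype)
    mod = module_of(ttype)
    if mod != module_of(stype) and any(c.startswith(mod) for c in info['comms']):
        return mod
    return None


def triage(lines):
    """Per group: ('domtrans:<module>' | 'collateral:<module>' | 'allow', audit2allow rule)."""
    groups = summarise(lines)
    verdicts = {}
    foreign = defaultdict(set)      # stype -> modules whose process should have transitioned
    for key, info in groups.items():
        mod = wrong_domain_module(key, info)
        if mod:
            verdicts[key] = 'domtrans:' + mod
            foreign[key[0]].add(mod)
    for key, info in groups.items():
        if key in verdicts:
            continue
        # e.g. dccproc's netlink_route_socket denials inside spamd_t: not a rule to
        # add, they are a side effect of the missing transition.
        mods = [m for m in foreign[key[0]] if all(c.startswith(m) for c in info['comms'])]
        verdicts[key] = ('collateral:' + mods[0]) if mods else 'allow'
    return {key: (verdicts[key], allow_rule(key, info['perms'])) for key, info in groups.items()}


# Constructed sample, modelled on the records in the thread; the SYSCALL line shows
# non-AVC records being skipped, the user_home_t line is invented for the allow case.
SAMPLE = """\
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute_no_trans } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025305.884:692): avc: denied { ioctl } for pid=22050 comm="pyzor" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920370.874:1778): avc: denied { create } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1778): arch=40000003 syscall=102 success=yes exit=3 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC msg=audit(1150920370.874:1783): avc: denied { search } for pid=4787 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=AVC msg=audit(1150920370.878:1784): avc: denied { read write } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=AVC msg=audit(1150920370.900:1790): avc: denied { read } for pid=4583 comm="spamd" name=".razor" dev=dm-1 ino=1234 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
""".splitlines()

if __name__ == '__main__':
    for key, (verdict, rule) in sorted(triage(SAMPLE).items()):
        print('%-16s %s' % (verdict, rule))
```

The point of the split: audit2allow would happily emit allow spamd_t pyzor_exec_t:file { execute execute_no_trans ioctl }, and loading that makes pyzor run inside spamd_t with spamd's permissions instead of in pyzor_t. The fix the thread arrives at is the domtrans interface (pyzor_domtrans, dcc_domtrans_client, razor_domtrans), and as Paul notes, the netlink and /var/dcc/map denials are the same process in the wrong domain, so they are not rules to add either. Only the user_home_t group comes out as a genuine missing allow, which matches the /root/.razor discussion above.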