On Wed, 2006-06-21 at 14:56 -0500, Marc Schwartz (via MN) wrote:
Just a quick note that so far, all seems to be well.
No avclist msgs since the change in policies to the above.
Want me back in Enforcing mode?
Hold the presses. Now getting avc's:
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute_no_trans } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc: denied { read } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150920365.865:1776): arch=40000003 syscall=11 success=yes exit=0 a0=a890768 a1=a83ff88 a2=a864c60 a3=bfa440ac items=3 pid=4583 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1150920365.865:1776): path="/usr/bin/pyzor"
type=AVC_PATH msg=audit(1150920365.865:1776): path="/usr/bin/pyzor"
type=CWD msg=audit(1150920365.865:1776): cwd="/"
type=PATH msg=audit(1150920365.865:1776): item=0 name="/usr/bin/pyzor" flags=101 inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150920365.865:1776): item=1 flags=101 inode=3140290 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150920365.865:1776): item=2 flags=101 inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150920365.877:1777): avc: denied { ioctl } for pid=4583 comm="pyzor" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150920365.877:1777): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfd14638 a3=bfd14678 items=0 pid=4583 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1150920365.877:1777): path="/usr/bin/pyzor"
type=AVC msg=audit(1150920370.874:1778): avc: denied { create } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1778): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfea63f8 a2=4891eff4 a3=8069fbf items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKETCALL msg=audit(1150920370.874:1778): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1150920370.874:1779): avc: denied { bind } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1779): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKADDR msg=audit(1150920370.874:1779): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1150920370.874:1779): nargs=3 a0=3 a1=bfea6404 a2=c
type=AVC msg=audit(1150920370.874:1780): avc: denied { getattr } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1780): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKETCALL msg=audit(1150920370.874:1780): nargs=3 a0=3 a1=bfea6404 a2=bfea6410
type=AVC msg=audit(1150920370.874:1781): avc: denied { write } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1150920370.874:1781): avc: denied { nlmsg_read } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1781): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKADDR msg=audit(1150920370.874:1781): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1150920370.874:1781): nargs=6 a0=3 a1=bfea63bc a2=14 a3=0 a4=bfea63d0 a5=c
type=AVC msg=audit(1150920370.874:1782): avc: denied { read } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1782): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=SOCKETCALL msg=audit(1150920370.874:1782): nargs=3 a0=3 a1=bfea63a0 a2=0
type=AVC msg=audit(1150920370.874:1783): avc: denied { search } for pid=4787 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1150920370.874:1783): arch=40000003 syscall=12 success=yes exit=0 a0=bfea5562 a1=0 a2=4891eff4 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1150920370.874:1783): cwd="/"
type=PATH msg=audit(1150920370.874:1783): item=0 name="/var/dcc" flags=3 inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150920370.878:1784): avc: denied { read write } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1150920370.878:1784): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=CWD msg=audit(1150920370.878:1784): cwd="/var/dcc"
type=PATH msg=audit(1150920370.878:1784): item=0 name="/var/dcc/map" flags=101 inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150920370.878:1785): avc: denied { getattr } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1150920370.878:1785): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfea5378 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1150920370.878:1785): path="/var/dcc/map"
type=AVC msg=audit(1150920370.878:1786): avc: denied { lock } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1150920370.878:1786): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfea64f4 a3=bfea64f4 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC_PATH msg=audit(1150920370.878:1786): path="/var/dcc/map"
It would seem that I just noted what may be a valuable piece of
information here.
When testing the remote checks by using the test spam e-mail:
cat /usr/share/doc/spamassassin-3.1.3/sample-spam.txt | spamassassin -D
there are no avc's generated.
However, the above avc's were generated after an e-mail came through the
normal fetchmail process, where postfix/procmail are being used to fire
up spamassassin.
I just replicated both processes and indeed, no avc's were generated
with the test e-mail, but as soon as a new inbound e-mail came through,
avc's.
Curious.
Marc
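The avc's in Marc's message are the usual raw material for SELinux policy triage: several records share one audit serial (the number after the colon in msg=audit(...)), and the AVC records carry the source domain, target type, object class and denied permissions, while the SYSCALL and PATH records of the same serial tell you which binary and file were involved. The script below is an added example, not code from the thread or from the SELinux tools (audit2allow does this job in practice); it groups records by serial, merges the denials per (source, target, class) and renders draft allow rules, flagging the pyzor execute_no_trans denial because that pattern usually means the policy expected a domain transition out of spamd_t rather than a blanket allow. The sample records are copied from the message above, rejoined to one record per line.

```python
"""Group SELinux AVC denials from audit records and draft rules for review.

Added example for triaging output like the avc's in the message above; it is
not code from the original thread or from the SELinux userspace tools.
"""
import re
from collections import defaultdict

# Sample records copied from the message above (one record per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute_no_trans } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc: denied { read } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150920365.865:1776): arch=40000003 syscall=11 success=yes exit=0 a0=a890768 a1=a83ff88 a2=a864c60 a3=bfa440ac items=3 pid=4583 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1150920365.865:1776): path="/usr/bin/pyzor"
type=AVC msg=audit(1150920370.874:1778): avc: denied { create } for pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1150920370.874:1778): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfea63f8 a2=4891eff4 a3=8069fbf items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC msg=audit(1150920370.878:1784): avc: denied { read write } for pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
type=SYSCALL msg=audit(1150920370.878:1784): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
type=PATH msg=audit(1150920370.878:1784): item=0 name="/var/dcc/map" flags=101 inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v2"' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit(log_text):
    """Group records by audit serial: each event keeps its AVC denials,
    the SYSCALL fields (exe, uids) and any paths from AVC_PATH/PATH records."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}, "paths": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[m.group("serial")]
        body = m.group("body")
        if m.group("type") == "AVC":
            a = AVC_RE.match(body)
            if a:
                d = parse_fields(a.group("fields"))
                d["perms"] = a.group("perms").split()
                ev["avc"].append(d)
        elif m.group("type") == "SYSCALL":
            ev["syscall"] = parse_fields(body)
        elif m.group("type") in ("AVC_PATH", "PATH"):
            p = parse_fields(body)
            ev["paths"].append(p.get("path") or p.get("name"))
    return dict(events)


def type_of(context):
    """Extract the type component (e.g. spamd_t) from user:role:type[:level]."""
    return context.split(":")[2]


def summarize(events):
    """Merge every denial into {(source_type, target_type, tclass): sorted perms}."""
    summary = defaultdict(set)
    for ev in events.values():
        for d in ev["avc"]:
            key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
            summary[key].update(d["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def draft_rules(summary):
    """Render audit2allow-style allow rules as a starting point for review.
    An execute_no_trans denial on an *_exec_t type is flagged: it usually means
    the policy wants a domain transition for that binary, not a blanket allow."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        tgt = "self" if tgt == src else tgt
        note = "  # review: domain transition expected?" if "execute_no_trans" in perms else ""
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};{note}")
    return rules


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT_LOG)
    for serial, ev in sorted(events.items()):
        print(serial, ev["syscall"].get("exe"), ev["paths"], [d["perms"] for d in ev["avc"]])
    for rule in draft_rules(summarize(events)):
        print(rule)
```

Feeding it the full /var/log/audit/audit.log instead of the embedded sample (`parse_audit(open(path).read())`) gives the same per-serial grouping; the value of the summary step is that the denials for a whole spamd run collapse to three lines, and the flagged pyzor line is the one to investigate rather than paste into a local policy module.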