postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Thu Jun 22 13:10:00 UTC 2006 

Marc Schwartz (via MN) wrote:
> On Wed, 2006-06-21 at 13:57 -0500, Marc Schwartz (via MN) wrote:
>> > Just to be clear, I should leave or remove the mydcc policy?
> 
> Paul,
> 
> I am getting errors when building the dcc and razor policies:
> 
> dcc.if:23: duplicate definition of dcc_domtrans_cdcc(). Original definition on 23.
> dcc.if:54: duplicate definition of dcc_run_cdcc(). Original definition on 54.
> dcc.if:76: duplicate definition of dcc_domtrans_client(). Original definition on 76.
> dcc.if:107: duplicate definition of dcc_run_client(). Original definition on 107.
> dcc.if:129: duplicate definition of dcc_domtrans_dbclean(). Original definition on 129.
> dcc.if:160: duplicate definition of dcc_run_dbclean(). Original definition on 160.
> dcc.if:181: duplicate definition of dcc_stream_connect_dccifd(). Original definition on 181.
> razor.if:101: duplicate definition of razor_common_domain_template(). Original definition on 101.
> razor.if:197: duplicate definition of razor_per_userdomain_template(). Original definition on 197.
> razor.if:218: duplicate definition of razor_domtrans(). Original definition on 218.
> 
> The modules do seem to build and install however. 
> 
> I do believe that I answered my own question above, in that the dcc
> policy will not load with the mydcc policy loaded.
> 
> Current status:
> 
> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> dcc     1.0.0
> myclamscan      0.2.0
> mypyzor 0.2.1
> procmail        0.5.3
> pyzor   1.0.1
> razor   1.0.0

I suspect that the current FC5 policy includes these interfaces but not 
the policy modules or file contexts. Can anyone confirm this? 
Renaming/removing the .if files makes these warnings go away anyway.

> On Wed, 2006-06-21 at 14:56 -0500, Marc Schwartz (via MN) wrote:
>> Just a quick note that so far, all seems to be well. 
>>
>> No avclist msgs since the change in policies to the above.
>>
>> Want me back in Enforcing mode?
> 
> Hold the presses.  Now getting avc's:
> 
> type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute_no_trans } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=AVC msg=audit(1150920365.865:1776): avc:  denied  { read } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file

This is spamassassin failing to transition to the pyzor_t domain. The 
strange thing is is that this should already be allowed by policy.

spamassassin.te has:

optional_policy(`
	pyzor_domtrans(spamd_t)
')

Anyone got any ideas why this isn't working?

> type=AVC msg=audit(1150920370.874:1778): avc:  denied  { create } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1778): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfea63f8 a2=4891eff4 a3=8069fbf items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1150920370.874:1778): nargs=3 a0=10 a1=3 a2=0

This is dcc running in the spamd_t domain. We need to add a transition 
to dcc_client_t.

> type=AVC msg=audit(1150920370.874:1779): avc:  denied  { bind } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1779): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1150920370.874:1779): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1150920370.874:1779): nargs=3 a0=3 a1=bfea6404 a2=c
> type=AVC msg=audit(1150920370.874:1780): avc:  denied  { getattr } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1780): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfea63f8 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1150920370.874:1780): nargs=3 a0=3 a1=bfea6404 a2=bfea6410
> type=AVC msg=audit(1150920370.874:1781): avc:  denied  { write } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1150920370.874:1781): avc:  denied  { nlmsg_read } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1781): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1150920370.874:1781): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1150920370.874:1781): nargs=6 a0=3 a1=bfea63bc a2=14 a3=0 a4=bfea63d0 a5=c
> type=AVC msg=audit(1150920370.874:1782): avc:  denied  { read } for  pid=4787 comm="dccproc" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1150920370.874:1782): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfea5344 a2=4891eff4 a3=ffffffcc items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1150920370.874:1782): nargs=3 a0=3 a1=bfea63a0 a2=0
> type=AVC msg=audit(1150920370.874:1783): avc:  denied  { search } for  pid=4787 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> type=SYSCALL msg=audit(1150920370.874:1783): arch=40000003 syscall=12 success=yes exit=0 a0=bfea5562 a1=0 a2=4891eff4 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=CWD msg=audit(1150920370.874:1783):  cwd="/"
> type=PATH msg=audit(1150920370.874:1783): item=0 name="/var/dcc" flags=3  inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150920370.878:1784): avc:  denied  { read write } for  pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
> type=SYSCALL msg=audit(1150920370.878:1784): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=8069fbf items=1 pid=4787 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=CWD msg=audit(1150920370.878:1784):  cwd="/var/dcc"
> type=PATH msg=audit(1150920370.878:1784): item=0 name="/var/dcc/map" flags=101  inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150920370.878:1785): avc:  denied  { getattr } for  pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
> type=SYSCALL msg=audit(1150920370.878:1785): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfea5378 a2=4891eff4 a3=3 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=AVC_PATH msg=audit(1150920370.878:1785):  path="/var/dcc/map"
> type=AVC msg=audit(1150920370.878:1786): avc:  denied  { lock } for  pid=4787 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_map_t:s0 tclass=file
> type=SYSCALL msg=audit(1150920370.878:1786): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bfea64f4 a3=bfea64f4 items=0 pid=4787 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=AVC_PATH msg=audit(1150920370.878:1786):  path="/var/dcc/map"

All of these are the dcc client running in the wrong domain.

> It would seem that I just noted what may be a valuable piece of
> information here.
> 
> When testing the remote checks by using the test spam e-mail:
> 
> cat /usr/share/doc/spamassassin-3.1.3/sample-spam.txt | spamassassin -D
> 
> there are no avc's generated.

This is probably because the processes were running unconfined (you 
invoked them in "user space").

> However, the above avc's were generated after an e-mail came through the
> normal fetchmail process, where postfix/procmail are being used to fire
> up spamassassin.
> 
> I just replicated both processes and indeed, no avc's were generated
> with the test e-mail, but as soon as a new inbound e-mail came through,
> avc's.

In this case, the processes are running in "system space", and are confined.

> On Wed, 2006-06-21 at 21:07 +0100, Paul Howarth wrote:
>> > Can you remind me where the files are actually installed on your system
>> > (presumably upstream default locations?)?
>> > 
>> > Some may need adding to the .fc files.
> 
> /var/dcc/*  and sub-dirs

That looks to be covered by the dcc policy.

> /usr/bin/razor*

That looks to be covered by the razor policy.

> /root/.razor/*

This has special contexts in strict policy, but not in targeted. So for 
targeted we may need to allow it to read home directories.

> /.razor/*

That looks rather dubious.

> dcc was installed from the upstream tarball at Rhyolite.  It is not in
> FE.  Built with default options.

I think there are probably licensing issues that preclude it from being 
in Extras; not sure though.

> razor is installed via FE with perl-Razor-Agent-2.77-3.fc5.

OK, I'll look there if needs be.

> pyzor is also from FE with pyzor-0.4.0-9.fc4. Presumably the RPM naming
> should be updated to fc5?

It just needs a rebuild. But since FC4 and FC5 are both based on python 
2.4, it doesn't really matter.

> On Wed, 2006-06-21 at 21:18 +0100, Paul Howarth wrote:
> In addition to my prior e-mail with the dcc and razor files, here are
> the pyzor files:
> 
> /.pyzor/*

That looks dubious.

> /root/.pyzor/*

This has special contexts in strict policy, but not in targeted. So for 
targeted we may need to allow it to read home directories.

> /usr/bin/pyzor*

Already in policy.

> /usr/lib/python2.4/site-packages/pyzor/*

Nothing special should be needed for those.

> BTW, one more piece of information on the testing.
> 
> It dawned on me that there might be a difference in running SA using the
> above syntax versus using SA via the spamd daemon. Thus, I tried:
> 
> cat /usr/share/doc/spamassassin-3.1.3/sample-spam.txt | spamc -l
> 
> and this does now reproducibly generate the avc's, while still
> generating an adequate trace of the tests.

I think spamc talks to spamd, which is running in "system space" and 
thus is confined.

Try this myspamassassin.te to get the domain transitions for dcc and 
razor working:

policy_module(myspamassassin, 0.1.0)

require {
         type spamd_t;
}

# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)

# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)


Paul.

More information about the selinux mailing list