postfix, procmail and SELinux - No Go
Paul Howarth
paul at city-fan.org
Sat Jun 24 09:12:57 UTC 2006
On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:
> On Thu, 2006-06-22 at 14:10 +0100, Paul Howarth wrote:
> > Marc Schwartz (via MN) wrote:
> > > On Wed, 2006-06-21 at 13:57 -0500, Marc Schwartz (via MN) wrote:
> > >> > Just to be clear, I should leave or remove the mydcc policy?
> > >
> > > Paul,
> > >
> > > I am getting errors when building the dcc and razor policies:
> > >
> > > dcc.if:23: duplicate definition of dcc_domtrans_cdcc(). Original definition on 23.
> > > dcc.if:54: duplicate definition of dcc_run_cdcc(). Original definition on 54.
> > > dcc.if:76: duplicate definition of dcc_domtrans_client(). Original definition on 76.
> > > dcc.if:107: duplicate definition of dcc_run_client(). Original definition on 107.
> > > dcc.if:129: duplicate definition of dcc_domtrans_dbclean(). Original definition on 129.
> > > dcc.if:160: duplicate definition of dcc_run_dbclean(). Original definition on 160.
> > > dcc.if:181: duplicate definition of dcc_stream_connect_dccifd(). Original definition on 181.
> > > razor.if:101: duplicate definition of razor_common_domain_template(). Original definition on 101.
> > > razor.if:197: duplicate definition of razor_per_userdomain_template(). Original definition on 197.
> > > razor.if:218: duplicate definition of razor_domtrans(). Original definition on 218.
> > >
> > > The modules do seem to build and install however.
> > >
> > > I do believe that I answered my own question above, in that the dcc
> > > policy will not load with the mydcc policy loaded.
> > >
> > > Current status:
> > >
> > > # semodule -l
> > > amavis 1.0.4
> > > clamav 1.0.1
> > > dcc 1.0.0
> > > myclamscan 0.2.0
> > > mypyzor 0.2.1
> > > procmail 0.5.3
> > > pyzor 1.0.1
> > > razor 1.0.0
> >
> > I suspect that the current FC5 policy includes these interfaces but not
> > the policy modules or file contexts. Can anyone confirm this?
> > Renaming/removing the .if files makes these warnings go away anyway.
>
> Yep. I removed the .if files and all seems well.
I'm going to rename the myclamscan module to myclamav, and merge
together the myclamscan policy with some clamav tweaks I did for someone
on fedora-list. This will make it easier to eventually merge it into the
main policy.
> > > On Wed, 2006-06-21 at 14:56 -0500, Marc Schwartz (via MN) wrote:
> > >> Just a quick note that so far, all seems to be well.
> > >>
> > >> No avclist msgs since the change in policies to the above.
> > >>
> > >> Want me back in Enforcing mode?
> > >
> > > Hold the presses. Now getting avc's:
> > >
> > > type=AVC msg=audit(1150920365.865:1776): avc: denied { execute } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> > > type=AVC msg=audit(1150920365.865:1776): avc: denied { execute_no_trans } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> > > type=AVC msg=audit(1150920365.865:1776): avc: denied { read } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> >
> > This is spamassassin failing to transition to the pyzor_t domain. The
> > strange thing is that this should already be allowed by policy.
> >
> > spamassassin.te has:
> >
> > optional_policy(`
> > pyzor_domtrans(spamd_t)
> > ')
> >
> > Anyone got any ideas why this isn't working?
Given that this is causing problems, I'll add it locally for now.
(snip)
> > > /.razor/*
> >
> > That looks rather dubious.
>
> I initially thought that these files in / were from the initial install.
>
> However, the dates on the log files in that path are current as of last
> night, when the cron jobs run.
What are the cron jobs doing? We need to find a way of stopping them
writing here. There's no way I'm going to add policy to allow this.
> The files in /root/.razor appear to be tagged as during the day today,
> perhaps when cron jobs result in e-mails to root, which are then mapped
> to my userID by postfix.
It's unfortunate that the mapping takes place later than the razor
invocation.
(snip)
> > > On Wed, 2006-06-21 at 21:18 +0100, Paul Howarth wrote:
> > > In addition to my prior e-mail with the dcc and razor files, here are
> > > the pyzor files:
> > >
> > > /.pyzor/*
> >
> > That looks dubious.
>
> I think that this is the same situation as with razor above.
Probably so.
(snip)
> OK. Here are the latest avc's subsequent to the above change and now
> using the spamc/d approach:
>
> type=AVC msg=audit(1151025305.852:691): avc: denied { execute } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=AVC msg=audit(1151025305.852:691): avc: denied { execute_no_trans } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
spamd failing to transition to pyzor again.
(snip)
> type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
Failed to transition to dcc type, which will be because dccproc isn't
labelled correctly (it's in /usr/local/bin but policy expects it
in /usr/bin). Please check in dcc.fc if there are any other programs not
in the right place.
Here are the new policy modules. You can get rid of myclamscan now.
::::::::::::::
myclamav.if
::::::::::::::
## <summary>Clamassassin Virus Scanner Wrapper.</summary>
########################################
## <summary>
## Execute the clamassassin program in the clamassassin domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`clamav_domtrans_clamassassin',`
gen_require(`
type clamassassin_t, clamassassin_exec_t;
')
corecmd_search_bin($1)
domain_auto_trans($1, clamassassin_exec_t, clamassassin_t)
allow $1 clamassassin_t:fd use;
allow clamassassin_t $1:fd use;
allow clamassassin_t $1:fifo_file rw_file_perms;
allow clamassassin_t $1:process sigchld;
')
::::::::::::::
myclamav.fc
::::::::::::::
/usr/bin/clamassassin -- gen_context(system_u:object_r:clamassassin_exec_t,s0)
/usr/local/bin/clamassassin -- gen_context(system_u:object_r:clamassassin_exec_t,s0)
/var/log/clamav/clamd.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
::::::::::::::
myclamav.te
::::::::::::::
policy_module(myclamav, 0.1.1)
require {
type clamd_t;
type clamscan_t;
type clamscan_tmp_t;
type freshclam_t;
type postfix_local_t;
type procmail_t;
};
type clamassassin_t;
domain_type(clamassassin_t)
type clamassassin_exec_t;
domain_entry_file(clamassassin_t,clamassassin_exec_t)
# ========================================
# clamassassin local policy
# ========================================
# Transition from unconfined for command-line usage
ifdef(`targeted_policy',`
clamav_domtrans_clamassassin(unconfined_t)
')
# When clamassassin writes temp files, they're for clamscan to process
# so make them clamscan_tmp_t
allow clamassassin_t clamscan_tmp_t:dir create_dir_perms;
allow clamassassin_t clamscan_tmp_t:file create_file_perms;
files_tmp_filetrans(clamassassin_t, clamscan_tmp_t, { file dir })
# clamassassin needs to be able to call clamscan
clamav_domtrans_clamscan(clamassassin_t)
# ========================================
# clamd local policy
# ========================================
kernel_read_kernel_sysctls(clamd_t)
# ========================================
# clamscan local policy
# ========================================
# Allow clamscan output to be piped back into the
# postfix local delivery process
# (this might now be clamassassin_t)
#allow clamscan_t postfix_local_t:fd use;
#allow clamscan_t postfix_local_t:fifo_file write;
# ========================================
# freshclam local policy
# ========================================
# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)
# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)
::::::::::::::
mydcc.fc
::::::::::::::
/usr/local/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/local/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.5)
require {
type spamd_t;
}
::::::::::::::
myspamassassin.te
::::::::::::::
policy_module(myspamassassin, 0.1.1)
require {
type spamd_t;
}
# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)
# This is already supposed to be included but doesn't seem to be working
pyzor_domtrans(spamd_t)
# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)
::::::::::::::
procmail.fc
::::::::::::::
/var/log/procmail\.log -- gen_context(system_u:object_r:procmail_var_log_t,s0)
::::::::::::::
procmail.te
::::::::::::::
policy_module(procmail, 0.5.4)
require {
type procmail_t;
type sendmail_t;
};
# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)
# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)
# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })
# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })
# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================
# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)
# Procmail occasionally signals sendmail, e.g. when it times out during
# forwarding
allow procmail_t sendmail_t:process signal;
# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)
# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamassassin(procmail_t)
After loading these modules, please do:
# restorecon -rv /usr/local/bin
Moving clamassassin into its own domain may cause lots of new AVCs. This
is expected...
Paul.
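An added triage script, not from this thread or from any of the projects it names, that parses AVC records like the ones quoted above and separates the two diagnoses made in the message: a denied execute/execute_no_trans on an *_exec_t file from a confined domain means no domain transition was applied (spamd -> pyzor), while a helper such as dccproc still running in the caller's domain means its binary did not carry the expected *_exec_t label. The comm-versus-domain-name match is a heuristic assumed here, and the sample records are reconstructed from the thread.

```python
import re
from collections import defaultdict
# Constructed sample: the AVC records quoted in the thread, line-wrap damage repaired.
SAMPLE_AVCS = """\
type=AVC msg=audit(1151025305.852:691): avc: denied { execute } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025305.852:691): avc: denied { execute_no_trans } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
"""
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +'
    r'for +pid=\d+ comm="(?P<comm>[^"]*)"(?: name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = set(rec['perms'].split())
    rec['stype'] = rec['scontext'].split(':')[2]  # e.g. spamd_t
    rec['ttype'] = rec['tcontext'].split(':')[2]  # e.g. pyzor_exec_t
    return rec

def classify(recs):
    """Classify one audit event (all AVC records sharing an audit serial)."""
    perms = set().union(*(r['perms'] for r in recs))
    r = recs[0]
    if (r['tclass'] == 'file' and r['ttype'].endswith('_exec_t')
            and perms & {'execute', 'execute_no_trans'}):
        # spamd -> pyzor case: entry-point file executed, caller stayed in its own domain
        return ('missing domain transition',
                '%s executed %s (%s) with no domtrans rule' % (r['stype'], r['name'], r['ttype']))
    # Heuristic: comm normally resembles its domain (spamd ~ spamd_t). A helper such
    # as dccproc still running as spamd_t means its binary lacked an *_exec_t label.
    base = r['stype'][:-2] if r['stype'].endswith('_t') else r['stype']
    if not r['comm'].startswith(base):
        return ('helper running in caller domain',
                '%s still runs as %s; check its .fc entry and restorecon it' % (r['comm'], r['stype']))
    return ('plain access denial', '%s -> %s: %s' % (r['stype'], r['ttype'], ' '.join(sorted(perms))))

def triage(text):
    """Group AVC lines by audit serial; return [(serial, comm, kind, hint), ...]."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            events[rec['serial']].append(rec)
    return [(serial, recs[0]['comm']) + classify(recs)
            for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0]))]
```

Feed it `ausearch -m avc` output or a chunk of /var/log/audit/log; records it cannot parse are ignored, and a "plain access denial" result is one that still needs the usual audit2allow-style reading.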