postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Sat Jun 24 09:12:57 UTC 2006


On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:
> On Thu, 2006-06-22 at 14:10 +0100, Paul Howarth wrote:
> > Marc Schwartz (via MN) wrote:
> > > On Wed, 2006-06-21 at 13:57 -0500, Marc Schwartz (via MN) wrote:
> > >> > Just to be clear, I should leave or remove the mydcc policy?
> > > 
> > > Paul,
> > > 
> > > I am getting errors when building the dcc and razor policies:
> > > 
> > > dcc.if:23: duplicate definition of dcc_domtrans_cdcc(). Original definition on 23.
> > > dcc.if:54: duplicate definition of dcc_run_cdcc(). Original definition on 54.
> > > dcc.if:76: duplicate definition of dcc_domtrans_client(). Original definition on 76.
> > > dcc.if:107: duplicate definition of dcc_run_client(). Original definition on 107.
> > > dcc.if:129: duplicate definition of dcc_domtrans_dbclean(). Original definition on 129.
> > > dcc.if:160: duplicate definition of dcc_run_dbclean(). Original definition on 160.
> > > dcc.if:181: duplicate definition of dcc_stream_connect_dccifd(). Original definition on 181.
> > > razor.if:101: duplicate definition of razor_common_domain_template(). Original definition on 101.
> > > razor.if:197: duplicate definition of razor_per_userdomain_template(). Original definition on 197.
> > > razor.if:218: duplicate definition of razor_domtrans(). Original definition on 218.
> > > 
> > > The modules do seem to build and install however. 
> > > 
> > > I do believe that I answered my own question above, in that the dcc
> > > policy will not load with the mydcc policy loaded.
> > > 
> > > Current status:
> > > 
> > > # semodule -l
> > > amavis  1.0.4
> > > clamav  1.0.1
> > > dcc     1.0.0
> > > myclamscan      0.2.0
> > > mypyzor 0.2.1
> > > procmail        0.5.3
> > > pyzor   1.0.1
> > > razor   1.0.0
> > 
> > I suspect that the current FC5 policy includes these interfaces but not 
> > the policy modules or file contexts. Can anyone confirm this? 
> > Renaming/removing the .if files makes these warnings go away anyway.
> 
> Yep. I removed the .if files and all seems well.

I'm going to rename the myclamscan module to myclamav, and merge
together the myclamscan policy with some clamav tweaks I did for someone
on fedora-list. This will make it easier to eventually merge it into the
main policy.

> > > On Wed, 2006-06-21 at 14:56 -0500, Marc Schwartz (via MN) wrote:
> > >> Just a quick note that so far, all seems to be well. 
> > >>
> > >> No avclist msgs since the change in policies to the above.
> > >>
> > >> Want me back in Enforcing mode?
> > > 
> > > Hold the presses.  Now getting avc's:
> > > 
> > > type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> > > type=AVC msg=audit(1150920365.865:1776): avc:  denied  { execute_no_trans } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> > > type=AVC msg=audit(1150920365.865:1776): avc:  denied  { read } for  pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> > 
> > This is spamassassin failing to transition to the pyzor_t domain. The 
> > strange thing is that this should already be allowed by policy.
> > 
> > spamassassin.te has:
> > 
> > optional_policy(`
> > 	pyzor_domtrans(spamd_t)
> > ')
> > 
> > Anyone got any ideas why this isn't working?

Given that this is causing problems, I'll add it locally for now.

(snip)

> > > /.razor/*
> > 
> > That looks rather dubious.
> 
> I initially thought that these files in / were from the initial install.
> 
> However, the dates on the log files in that path are current as of last
> night, when the cron jobs run.

What are the cron jobs doing? We need to find a way of stopping them
writing here. There's no way I'm going to add policy to allow this.

> The files in /root/.razor appear to be tagged as during the day today,
> perhaps when cron jobs result in e-mails to root, which are then mapped
> to my userID by postfix.

It's unfortunate that the mapping takes place later than the razor
invocation.

(snip)

> > > On Wed, 2006-06-21 at 21:18 +0100, Paul Howarth wrote:
> > > In addition to my prior e-mail with the dcc and razor files, here are
> > > the pyzor files:
> > > 
> > > /.pyzor/*
> > 
> > That looks dubious.
> 
> I think that this is the same situation as with razor above.

Probably so.

(snip)

> OK.  Here are the latest avc's subsequent to the above change and now
> using the spamc/d approach:
> 
> type=AVC msg=audit(1151025305.852:691): avc:  denied  { execute } for  pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
> type=AVC msg=audit(1151025305.852:691): avc:  denied  { execute_no_trans } for  pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file

spamd failing to transition to pyzor again.

(snip)

> type=AVC msg=audit(1151025306.136:693): avc:  denied  { search } for  pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"

Failed to transition to dcc type, which will be because dccproc isn't
labelled correctly (it's in /usr/local/bin but policy expects it
in /usr/bin). Please check in dcc.fc if there are any other programs not
in the right place.

Here are the new policy modules. You can get rid of myclamscan now.

::::::::::::::
myclamav.if
::::::::::::::
## <summary>Clamassassin Virus Scanner Wrapper.</summary>

########################################
## <summary>
##      Execute the clamassassin program in the clamassassin domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`clamav_domtrans_clamassassin',`
        gen_require(`
                type clamassassin_t, clamassassin_exec_t;
        ')

        corecmd_search_bin($1)
        domain_auto_trans($1, clamassassin_exec_t, clamassassin_t)

        allow $1 clamassassin_t:fd use;
        allow clamassassin_t $1:fd use;
        allow clamassassin_t $1:fifo_file rw_file_perms;
        allow clamassassin_t $1:process sigchld;
')

::::::::::::::
myclamav.fc
::::::::::::::
/usr/bin/clamassassin           --      gen_context(system_u:object_r:clamassassin_exec_t,s0)
/usr/local/bin/clamassassin     --      gen_context(system_u:object_r:clamassassin_exec_t,s0)

/var/log/clamav/clamd.*         --      gen_context(system_u:object_r:clamd_var_log_t,s0)
::::::::::::::
myclamav.te
::::::::::::::
policy_module(myclamav, 0.1.1)

require {
        type clamd_t;
        type clamscan_t;
        type clamscan_tmp_t;
        type freshclam_t;
        type postfix_local_t;
        type procmail_t;
};

type clamassassin_t;
domain_type(clamassassin_t)

type clamassassin_exec_t;
domain_entry_file(clamassassin_t,clamassassin_exec_t)

# ========================================
# clamassassin local policy
# ========================================

# Transition from unconfined for command-line usage
ifdef(`targeted_policy',`
        clamav_domtrans_clamassassin(unconfined_t)
')

# When clamassassin writes temp files, they're for clamscan to process
# so make them clamscan_tmp_t
allow clamassassin_t clamscan_tmp_t:dir create_dir_perms;
allow clamassassin_t clamscan_tmp_t:file create_file_perms;
files_tmp_filetrans(clamassassin_t, clamscan_tmp_t, { file dir })

# clamassassin needs to be able to call clamscan
clamav_domtrans_clamscan(clamassassin_t)

# ========================================
# clamd local policy
# ========================================

kernel_read_kernel_sysctls(clamd_t)

# ========================================
# clamscan local policy
# ========================================

# Allow clamscan output to be piped back into the
# postfix local delivery process
# (this might now be clamassassin_t)
#allow clamscan_t postfix_local_t:fd use;
#allow clamscan_t postfix_local_t:fifo_file write;

# ========================================
# freshclam local policy
# ========================================

# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)

# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)



::::::::::::::
mydcc.fc
::::::::::::::
/usr/local/bin/cdcc             --      gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/local/bin/dccproc          --      gen_context(system_u:object_r:dcc_client_exec_t,s0)
::::::::::::::
mydcc.te
::::::::::::::
policy_module(mydcc, 0.1.5)

require {
        type spamd_t;
}

::::::::::::::
myspamassassin.te
::::::::::::::
policy_module(myspamassassin, 0.1.1)

require {
        type spamd_t;
}

# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)

# This is already supposed to be included but doesn't seem to be working
pyzor_domtrans(spamd_t)

# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)

::::::::::::::
procmail.fc
::::::::::::::
/var/log/procmail\.log  --      gen_context(system_u:object_r:procmail_var_log_t,s0)
::::::::::::::
procmail.te
::::::::::::::
policy_module(procmail, 0.5.4)

require {
        type procmail_t;
        type sendmail_t;
};

# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)

# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })

# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during
# forwarding
allow procmail_t sendmail_t:process signal;

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)

# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamassassin(procmail_t)



After loading these modules, please do:
# restorecon -rv /usr/local/bin

Moving clamassassin into its own domain may cause lots of new AVCs. This
is expected...

Paul.
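Added example, not part of the thread or of any of the modules above: a small Python parser for audit records in the format quoted in this thread that applies Paul's two diagnoses mechanically. It flags execute/execute_no_trans denials on an `_exec_t` type as a missing domain transition (the spamd/pyzor case) and any other denial whose SYSCALL record names the executable as a file-labelling check (the dccproc in /usr/local/bin case). The sample input is the audit lines quoted above; the classification rules are this example's own heuristics, not anything from the policy.

```python
import re
from collections import defaultdict

# Sample input: the audit records quoted in the thread above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1151025305.852:691): avc:  denied  { execute } for  pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025305.852:691): avc:  denied  { execute_no_trans } for  pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025306.136:693): avc:  denied  { search } for  pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ev>[\d.]+:\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<ev>[\d.]+:\d+)\):\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _fields(text):  # 'k=v k="v"' audit fields -> dict, quotes stripped
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def parse_audit(text):
    """Group AVC and SYSCALL records by audit event id; keep only the SELinux type."""
    events = defaultdict(lambda: {"avcs": [], "exe": None})
    for line in text.splitlines():
        if (m := AVC_RE.match(line)):
            f = _fields(m.group("fields"))
            events[m.group("ev")]["avcs"].append({
                "perms": set(m.group("perms").split()), "comm": f["comm"],
                "tclass": f["tclass"], "scontext": f["scontext"].split(":")[2],
                "tcontext": f["tcontext"].split(":")[2]})
        elif (m := SYSCALL_RE.match(line)):  # SYSCALL record names the executable
            events[m.group("ev")]["exe"] = _fields(m.group("fields")).get("exe")
    return dict(events)

def diagnose(text):
    findings = []
    for ev, rec in parse_audit(text).items():
        a = rec["avcs"][0]
        perms = set().union(*(x["perms"] for x in rec["avcs"]))
        if a["tclass"] == "file" and a["tcontext"].endswith("_exec_t") \
                and perms & {"execute", "execute_no_trans"}:
            # Entry point of another domain but no transition fired: the
            # caller's domtrans rule for that domain is missing or not loaded.
            findings.append({"event": ev, "kind": "missing_domtrans", "comm": a["comm"],
                             "domain": a["scontext"], "exec_type": a["tcontext"]})
        elif rec["exe"]:
            # Helper still running in its parent's domain: its binary is probably not
            # labelled as an entry point, so check the file context and restorecon.
            findings.append({"event": ev, "kind": "check_label", "comm": a["comm"],
                             "domain": a["scontext"], "exe": rec["exe"], "target": a["tcontext"]})
    return findings
```

Feed it `ausearch -m avc,syscall` output (or /var/log/audit/audit.log) instead of SAMPLE_AUDIT to triage a real log the same way.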
