postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Wed Jun 28 21:23:47 UTC 2006


On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
> On Wed, 2006-06-28 at 21:13 +0100, Paul Howarth wrote:
> > On Wed, 2006-06-28 at 14:22 -0500, Marc Schwartz (via MN) wrote:
> > > New avc's:
> > > 
> > > type=AVC msg=audit(1151521329.964:1158): avc:  denied  { search } for  pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1151521329.964:1158): arch=40000003 syscall=196 success=no exit=-2 a0=939f848 a1=bffd2e80 a2=721ff4 a3=3 items=1 pid=5442 auid=4294967295 uid=0 gid=0 euid=100 suid=0 fsuid=100 egid=101 sgid=0 fsgid=101 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
> > > type=CWD msg=audit(1151521329.964:1158):  cwd="/var/spool/postfix"
> > > type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
> > 
> > postfix local looking in /var/lib/clamav
> > 
> > > type=AVC msg=audit(1151521329.988:1159): avc:  denied  { search } for  pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1151521329.988:1159): arch=40000003 syscall=195 success=no exit=-2 a0=8dd0d60 a1=bfe27a6c a2=4891eff4 a3=0 items=1 pid=5449 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0
> > > type=CWD msg=audit(1151521329.988:1159):  cwd="/var/spool/postfix"
> > 
> > same for procmail
> > 
> > This appears to be postfix local and procmail trying to
> > read /var/lib/clamav/.forward; does that sound reasonable?
> 
> There are no .forward files on my system at all, unless that is a temp
> file, which does not make sense location-wise.
> 
> A Google search came up empty for that file, so I can only presume that
> there are certain configuration scenarios where the pipelining of
> e-mails would require that file.
> 
> Since I am using clamassassin, I also searched through that script and
> noted nothing relevant here.
> 
> Not sure what else to make of it.

That might be dontaudit-able. Is /var/lib/clamav any user's home
directory?

> > You can bump myclamav.te to version 0.1.5 and append the following:
> > 
> > # ===========================================
> > # things that should be done via an interface
> > # ===========================================
> > allow postfix_local_t clamd_var_lib_t:dir r_dir_perms;
> > allow procmail_t clamd_var_lib_t:dir r_dir_perms;
> > 
> > Paul.
> 
> Done, including the add in your second e-mail.
> 
> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> dcc     1.0.0
> myclamav        0.1.5
> mydcc   0.1.8
> mypostfix       0.1.0
> mypyzor 0.2.3
> myspamassassin  0.1.1
> procmail        0.5.4
> pyzor   1.0.1
> razor   1.0.0
> 
> 
> No further avc's at this time.
> 
> Is it time to venture back into the Enforcing World once again?

Give it a try. Bear in mind it may fail if any of the dontaudit rules
should be allows instead.

Paul.
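A small audit-log triage script, added here as an example and not part of the thread: it parses the AVC records quoted above, joins each denial to the PATH record of the same audit event (which is what exposes the /var/lib/clamav/.forward lookup), and emits minimal allow or dontaudit rules. It prints the specific permission `{ search }` rather than the `r_dir_perms` macro used in Paul's snippet; on a live system audit2allow does this job.

```python
import re

# Constructed sample: the AVC and PATH records quoted in the thread (copied verbatim).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1151521329.964:1158): avc:  denied  { search } for  pid=5442 comm="local" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=PATH msg=audit(1151521329.964:1158): item=0 name="/var/lib/clamav/.forward" obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1151521329.988:1159): avc:  denied  { search } for  pid=5449 comm="procmail" name="clamav" dev=dm-1 ino=44957 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
"""

def group_by_event(text):
    """Group audit lines by their msg=audit(timestamp:serial) id, in first-seen order."""
    events = {}
    for line in text.splitlines():
        m = re.search(r'msg=audit\(([\d.]+:\d+)\)', line)
        if m:
            events.setdefault(m.group(1), []).append(line)
    return events

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial line, else None."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not line.startswith('type=AVC') or not m:
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))   # key=value tokens
    stype = fields['scontext'].split(':')[2]          # user:role:TYPE:level
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], frozenset(m.group(1).split())

def summarize(text):
    """One entry per denial, joined with the PATH record of the same event (if any)."""
    out = []
    for lines in group_by_event(text).values():
        path = next((re.search(r'name="([^"]*)"', l).group(1)
                     for l in lines if l.startswith('type=PATH') and 'name="' in l), None)
        for l in lines:
            avc = parse_avc(l)
            if avc:
                out.append({'source': avc[0], 'target': avc[1], 'class': avc[2],
                            'perms': avc[3], 'path': path})
    return out

def te_rules(text, dontaudit=False):
    """Aggregate denials into policy rules, merging permissions per (source, target, class)."""
    merged = {}
    for d in summarize(text):
        key = (d['source'], d['target'], d['class'])
        merged[key] = merged.get(key, frozenset()) | d['perms']
    kw = 'dontaudit' if dontaudit else 'allow'
    return ['%s %s %s:%s { %s };' % (kw, s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == '__main__':
    for d in summarize(SAMPLE_AUDIT):
        print('%s -> %s (%s) %s path=%s' % (d['source'], d['target'], d['class'],
                                            sorted(d['perms']), d['path']))
    print('\n'.join(te_rules(SAMPLE_AUDIT)))
```

Whether a denial becomes allow or dontaudit is still a judgement call, as Paul notes: a .forward probe that fails harmlessly can be silenced, but a dontaudit on a permission the program actually needs will show up as breakage in enforcing mode.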
