Denials from spamc and webalizer on Centos 5.2

Richard Chapman rchapman at aardvark.com.au
Sun Jan 11 02:24:39 UTC 2009


Thanks Murray... It looks to me like Centos 5.2 and/or the 5.3 preview 
policy release doesn't have that rule:

--------
[root at C5 ~]# sesearch --allow -s procmail_t -t spamc_exec_t

[root at C5 ~]#
--------

Can you advise me the easiest and/or best way to add this rule to my 
system?

Richard
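The setroubleshoot text quoted below points at generating a local policy module for exactly these denials. As an added example (not Richard's, Murray's or the distribution's code), here is a minimal audit2allow-style generator in Python: it parses the AVC records quoted in the thread (embedded as constructed, de-duplicated sample input) and emits the .te source of a module; the module name is an assumption.

```python
# Minimal audit2allow-style generator: parse AVC "denied" records and emit the
# .te source of a local SELinux policy module. Added example, not list code.
import re
from collections import defaultdict

# Constructed sample: the AVC records from the thread, de-duplicated by hand,
# plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1231563007.814:8005): arch=c000003e syscall=59 success=yes exit=0 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(ctx):
    """Return the type field of user:role:type[:mls] (the third colon field)."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no denial
        key = (context_type(m["src"]), context_type(m["tgt"]), m["cls"])
        denials[key].update(m["perms"].split())
    return denials

def generate_te(denials, name="local_procmail_spamc", version="1.0"):
    """Render the module in the .te syntax that checkmodule accepts."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        # Caveat: execute_no_trans keeps spamc running inside procmail_t instead
        # of transitioning to its own domain; review each rule before loading.
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(generate_te(parse_avc(SAMPLE_AVC)), end="")
```

The printed source is then built and loaded with the standard toolchain: checkmodule -M -m -o local.mod local.te; semodule_package -o local.pp -m local.mod; semodule -i local.pp. Check the rules it emits against what the Fedora policy grants before loading them, since the generator allows exactly what was denied and nothing narrower.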



Murray McAllister wrote:
> Richard Chapman wrote:
>> After some trouble getting the file-system relabelled - which was 
>> eventually solved by Daniel's suggestion to change to a 5.3 preview 
>> release of the policy packages - I now have (only) a couple of 
>> intractable denials.
>>
>> One seems to be related to procmail running spamc. The other seems to 
>> be webalizer being denied access to squid logs. Here is some 
>> representative troubleshooter output:
>>
>> Summary
>> SELinux is preventing spamc (procmail_t) "execute" to ./spamc 
>> (spamc_exec_t).
>> Detailed Description
>> [SELinux is in permissive mode, the operation would have been denied 
>> but was permitted due to permissive mode.]
>>
>> SELinux denied access requested by spamc. It is not expected that 
>> this access is required by spamc and this access may signal an 
>> intrusion attempt. It is also possible that the specific version or 
>> configuration of the application is causing it to require additional 
>> access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try 
>> to restore the default system file context for ./spamc,
>>
>> restorecon -v './spamc'
>>
>> If this does not work, there is currently no automatic way to allow 
>> this access. Instead, you can generate a local policy module to allow 
>> this access - see FAQ 
>> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can 
>> disable SELinux protection altogether. Disabling SELinux protection 
>> is not recommended. Please file a bug report 
>> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this 
>> package.
>>
>> Additional Information
>>
>> Source Context:       system_u:system_r:procmail_t
>> Target Context:       system_u:object_r:spamc_exec_t
>> Target Objects:       ./spamc [ file ]
>> Source:       spamc
>> Source Path:       /usr/bin/spamc
>> Port:       <Unknown>
>> Host:       C5.aardvark.com.au
>> Source RPM Packages:       spamassassin-3.2.4-1.el5
>> Target RPM Packages:      
>> Policy RPM:       selinux-policy-2.4.6-203.el5
>> Selinux Enabled:       True
>> Policy Type:       targeted
>> MLS Enabled:       True
>> Enforcing Mode:       Permissive
>> Plugin Name:       catchall_file
>> Host Name:       C5.aardvark.com.au
>> Platform:       Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP 
>> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count:       199
>> First Seen:       Wed Jan 7 21:12:56 2009
>> Last Seen:       Sat Jan 10 13:50:07 2009
>> Local ID:       72201679-d161-4d2d-8423-44b1b65a211f
>> Line Numbers:      
> Fedora 10 has a rule that looks like it would resolve this issue:
>
> $ sesearch --allow -s procmail_t -t spamc_exec_t
> WARNING: This policy contained disabled aliases; they have been removed.
> Found 1 semantic av rules:
>    allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ;
>
> selinux-policy-3.5.13-38.fc10.noarch
> selinux-policy-targeted-3.5.13-38.fc10.noarch
>
> Do you have this rule when running the 5.3 preview packages? I am not 
> sure about your webalizer issue...
>>
>> Raw Audit Messages :
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
>> denied { execute } for pid=16474 comm="procmail" name="spamc" 
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
>> denied { execute } for pid=16474 comm="procmail" name="spamc" 
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
>> denied { execute_no_trans } for pid=16474 comm="procmail" 
>> path="/usr/bin/spamc" dev=dm-0 ino=31336954 
>> scontext=system_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
>> denied { execute_no_trans } for pid=16474 comm="procmail" 
>> path="/usr/bin/spamc" dev=dm-0 ino=31336954 
>> scontext=system_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
>> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" 
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: 
>> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" 
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): 
>> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 
>> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 
>> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 
>> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" 
>> subj=system_u:system_r:procmail_t:s0 key=(null)
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): 
>> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 
>> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 
>> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 
>> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" 
>> subj=system_u:system_r:procmail_t:s0 key=(null)
>>
>>
>>
>>
>> Summary
>> SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer 
>> (bin_t).
>> Detailed Description
>> [SELinux is in permissive mode, the operation would have been denied 
>> but was permitted due to permissive mode.]
>>
>> SELinux denied access requested by webalizer. It is not expected that 
>> this access is required by webalizer and this access may signal an 
>> intrusion attempt. It is also possible that the specific version or 
>> configuration of the application is causing it to require additional 
>> access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try 
>> to restore the default system file context for ./webalizer,
>>
>> restorecon -v './webalizer'
>>
>> If this does not work, there is currently no automatic way to allow 
>> this access. Instead, you can generate a local policy module to allow 
>> this access - see FAQ 
>> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can 
>> disable SELinux protection altogether. Disabling SELinux protection 
>> is not recommended. Please file a bug report 
>> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this 
>> package.
>>
>> Additional Information
>>
>> Source Context:       root:system_r:webalizer_t:SystemLow-SystemHigh
>> Target Context:       system_u:object_r:bin_t
>> Target Objects:       ./webalizer [ dir ]
>> Source:       webalizer
>> Source Path:       /usr/bin/webalizer
>> Port:       <Unknown>
>> Host:       C5.aardvark.com.au
>> Source RPM Packages:       webalizer-2.01_10-30.1
>> Target RPM Packages:      
>> Policy RPM:       selinux-policy-2.4.6-203.el5
>> Selinux Enabled:       True
>> Policy Type:       targeted
>> MLS Enabled:       True
>> Enforcing Mode:       Permissive
>> Plugin Name:       catchall_file
>> Host Name:       C5.aardvark.com.au
>> Platform:       Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP 
>> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count:       119
>> First Seen:       Wed Jan 7 22:00:02 2009
>> Last Seen:       Sat Jan 10 14:00:01 2009
>> Local ID:       fd879861-abb1-4e67-a190-0a721c66dc0e
>> Line Numbers:      
>>
>> Raw Audit Messages :
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: 
>> denied { search } for pid=16510 comm="webalizer" name="webalizer" 
>> dev=dm-0 ino=32479105 
>> scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 
>> tcontext=system_u:object_r:bin_t:s0 tclass=dir
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: 
>> denied { search } for pid=16510 comm="webalizer" name="webalizer" 
>> dev=dm-0 ino=32479105 
>> scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 
>> tcontext=system_u:object_r:bin_t:s0 tclass=dir
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): 
>> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 
>> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 
>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 
>> comm="webalizer" exe="/usr/bin/webalizer" 
>> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): 
>> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 
>> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 
>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 
>> comm="webalizer" exe="/usr/bin/webalizer" 
>> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
>>
>>
>>
>> I didn't think I was doing anything unusual here - so I am surprised 
>> these aren't covered by standard policy. Am I doing something strange 
>> - and if so - do I need to write my own local policy? Is there a more 
>> standard way to run spamc and/or webalizer which will prevent these 
>> denials?
>>
>> Thanks
>>
>> Richard.
>>
>>
>> ------------------------------------------------------------------------
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>