Denials from spamc and webalizer on Centos 5.2
Richard Chapman
rchapman at aardvark.com.au
Sun Jan 11 02:24:39 UTC 2009
Thanks Murray... It looks to me like Centos 5.2 and/or the 5.3 preview
policy release doesn't have that rule:
--------
[root at C5 ~]# sesearch --allow -s procmail_t -t spamc_exec_t
[root at C5 ~]#
--------
Can you advise me the easiest and/or best way to add this rule to my
system?
Richard
Murray McAllister wrote:
> Richard Chapman wrote:
>> After some trouble getting the file-system relabelled - which was
>> eventually solved by Daniel's suggestion to change to a 5.3 preview
>> release of the policy packages - I now have (only) a couple of
>> intractable denials.
>>
>> One seems to be related to procmail running spamc. The other seems to
>> be webalizer being denied access to squid logs. Here is some
>> representative troubleshooter output:
>>
>> Summary
>> SELinux is preventing spamc (procmail_t) "execute" to ./spamc
>> (spamc_exec_t).
>> Detailed Description
>> [SELinux is in permissive mode, the operation would have been denied
>> but was permitted due to permissive mode.]
>>
>> SELinux denied access requested by spamc. It is not expected that
>> this access is required by spamc and this access may signal an
>> intrusion attempt. It is also possible that the specific version or
>> configuration of the application is causing it to require additional
>> access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try
>> to restore the default system file context for ./spamc,
>>
>> restorecon -v './spamc'
>>
>> If this does not work, there is currently no automatic way to allow
>> this access. Instead, you can generate a local policy module to allow
>> this access - see FAQ
>> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
>> disable SELinux protection altogether. Disabling SELinux protection
>> is not recommended. Please file a bug report
>> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this
>> package.
>>
>> Additional Information
>>
>> Source Context: system_u:system_r:procmail_t
>> Target Context: system_u:object_r:spamc_exec_t
>> Target Objects: ./spamc [ file ]
>> Source: spamc
>> Source Path: /usr/bin/spamc
>> Port: <Unknown>
>> Host: C5.aardvark.com.au
>> Source RPM Packages: spamassassin-3.2.4-1.el5
>> Target RPM Packages:
>> Policy RPM: selinux-policy-2.4.6-203.el5
>> Selinux Enabled: True
>> Policy Type: targeted
>> MLS Enabled: True
>> Enforcing Mode: Permissive
>> Plugin Name: catchall_file
>> Host Name: C5.aardvark.com.au
>> Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP
>> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count: 199
>> First Seen: Wed Jan 7 21:12:56 2009
>> Last Seen: Sat Jan 10 13:50:07 2009
>> Local ID: 72201679-d161-4d2d-8423-44b1b65a211f
>> Line Numbers:
> Fedora 10 has a rule that looks like it would resolve this issue:
>
> $ sesearch --allow -s procmail_t -t spamc_exec_t
> WARNING: This policy contained disabled aliases; they have been removed.
> Found 1 semantic av rules:
> allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ;
>
> selinux-policy-3.5.13-38.fc10.noarch
> selinux-policy-targeted-3.5.13-38.fc10.noarch
>
> Do you have this rule when running the 5.3 preview packages? I am not
> sure about your webalizer issue...
>>
>> Raw Audit Messages :
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
>> denied { execute } for pid=16474 comm="procmail" name="spamc"
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
>> denied { execute } for pid=16474 comm="procmail" name="spamc"
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
>> denied { execute_no_trans } for pid=16474 comm="procmail"
>> path="/usr/bin/spamc" dev=dm-0 ino=31336954
>> scontext=system_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
>> denied { execute_no_trans } for pid=16474 comm="procmail"
>> path="/usr/bin/spamc" dev=dm-0 ino=31336954
>> scontext=system_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
>> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc"
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
>> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc"
>> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005):
>> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0
>> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500
>> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
>> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
>> subj=system_u:system_r:procmail_t:s0 key=(null)
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005):
>> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0
>> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500
>> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
>> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
>> subj=system_u:system_r:procmail_t:s0 key=(null)
>>
>>
>>
>>
>> Summary
>> SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer
>> (bin_t).
>> Detailed Description
>> [SELinux is in permissive mode, the operation would have been denied
>> but was permitted due to permissive mode.]
>>
>> SELinux denied access requested by webalizer. It is not expected that
>> this access is required by webalizer and this access may signal an
>> intrusion attempt. It is also possible that the specific version or
>> configuration of the application is causing it to require additional
>> access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try
>> to restore the default system file context for ./webalizer,
>>
>> restorecon -v './webalizer'
>>
>> If this does not work, there is currently no automatic way to allow
>> this access. Instead, you can generate a local policy module to allow
>> this access - see FAQ
>> <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
>> disable SELinux protection altogether. Disabling SELinux protection
>> is not recommended. Please file a bug report
>> <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this
>> package.
>>
>> Additional Information
>>
>> Source Context: root:system_r:webalizer_t:SystemLow-SystemHigh
>> Target Context: system_u:object_r:bin_t
>> Target Objects: ./webalizer [ dir ]
>> Source: webalizer
>> Source Path: /usr/bin/webalizer
>> Port: <Unknown>
>> Host: C5.aardvark.com.au
>> Source RPM Packages: webalizer-2.01_10-30.1
>> Target RPM Packages:
>> Policy RPM: selinux-policy-2.4.6-203.el5
>> Selinux Enabled: True
>> Policy Type: targeted
>> MLS Enabled: True
>> Enforcing Mode: Permissive
>> Plugin Name: catchall_file
>> Host Name: C5.aardvark.com.au
>> Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP
>> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count: 119
>> First Seen: Wed Jan 7 22:00:02 2009
>> Last Seen: Sat Jan 10 14:00:01 2009
>> Local ID: fd879861-abb1-4e67-a190-0a721c66dc0e
>> Line Numbers:
>>
>> Raw Audit Messages :
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc:
>> denied { search } for pid=16510 comm="webalizer" name="webalizer"
>> dev=dm-0 ino=32479105
>> scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:bin_t:s0 tclass=dir
>> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc:
>> denied { search } for pid=16510 comm="webalizer" name="webalizer"
>> dev=dm-0 ino=32479105
>> scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:bin_t:s0 tclass=dir
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027):
>> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0
>> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0
>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730
>> comm="webalizer" exe="/usr/bin/webalizer"
>> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027):
>> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0
>> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0
>> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730
>> comm="webalizer" exe="/usr/bin/webalizer"
>> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
>>
>>
>>
>> I didn't think I was doing anything unusual here - so I am surprised
>> these aren't covered by standard policy. Am I doing something strange
>> - and if so - do I need to write my own local policy? Is there a more
>> standard way to run spamc and/or webalizer which will prevent these
>> denials?
>>
>> Thanks
>>
>> Richard.
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
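The usual answer to Richard's question on CentOS 5 is a local policy module built from the AVC records, and the following added example (not from the thread or from any of its posters) shows how that works: a small audit2allow-style script that turns the quoted denials into a `.te` source, followed by the stock checkmodule/semodule_package/semodule commands to load it. The module name `local_procmail_spamc` is an assumption. Note that the audit records include `execute_no_trans`, meaning spamc is being run inside `procmail_t` without a domain transition, so the generated rule is broader than the single `execute` rule Murray found on Fedora 10; read the output before loading it, and still try the `restorecon` suggestion first in case the denial is only a labelling problem.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style generator that turns AVC denial
# records (like the ones quoted in the thread) into a local policy module
# (.te) source for the CentOS 5 policy toolchain. Not the project's own code.

# Constructed sample: one copy of each distinct AVC record from the thread.
AVC_SAMPLE='type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir'

# avc_to_te MODULE_NAME  (AVC lines on stdin) -> .te source on stdout.
# Permissions are grouped by (source type, target type, class) and kept in
# first-seen order, so repeated troubleshooter lines do not duplicate rules.
avc_to_te() {
    awk -v mod="$1" '
    /avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
        tgt = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", tgt); sub(/:.*/, "", tgt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        key = src " " tgt ":" cls
        if (!(key in rules)) { rorder[++nr] = key; rules[key] = "" }
        if (!(src in types)) { types[src] = 1; torder[++nt] = src }
        if (!(tgt in types)) { types[tgt] = 1; torder[++nt] = tgt }
        if (!(cls in classes)) { classes[cls] = ""; corder[++nc] = cls }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {   # union of permissions, no duplicates
            if (index(" " rules[key] " ", " " p[i] " ") == 0)
                rules[key] = (rules[key] == "" ? "" : rules[key] " ") p[i]
            if (index(" " classes[cls] " ", " " p[i] " ") == 0)
                classes[cls] = (classes[cls] == "" ? "" : classes[cls] " ") p[i]
        }
    }
    END {
        print "module " mod " 1.0;"
        print "require {"
        for (i = 1; i <= nt; i++) print "\ttype " torder[i] ";"
        for (i = 1; i <= nc; i++) print "\tclass " corder[i] " { " classes[corder[i]] " };"
        print "}"
        for (i = 1; i <= nr; i++) print "allow " rorder[i] " { " rules[rorder[i]] " };"
    }'
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_te local_procmail_spamc
# To build and load the module on CentOS 5 (as root; not run here), then
# re-check with the sesearch command used in the thread:
#   printf '%s\n' "$AVC_SAMPLE" | avc_to_te local_procmail_spamc > local_procmail_spamc.te
#   checkmodule -M -m -o local_procmail_spamc.mod local_procmail_spamc.te
#   semodule_package -o local_procmail_spamc.pp -m local_procmail_spamc.mod
#   semodule -i local_procmail_spamc.pp
#   sesearch --allow -s procmail_t -t spamc_exec_t
```

On a live system feed it `ausearch -m avc` or `grep avc /var/log/audit/audit.log` instead of the constructed sample, and drop any generated rule (such as the webalizer one) that you do not actually want to grant.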