qmail policy patch
Adi Fairbank
adi at adiraj.org
Thu Aug 25 20:30:01 UTC 2011
I had some trouble with the policy for the qmail service, as shipped
with CentOS 6. I assume the policy comes from the Fedora project, so
I'm posting here.
It was preventing qmail-inject / qmail-queue / sendmail from searching
and writing to /var/qmail/queue/, among other issues. I noticed the
problems because crond generated e-mail was not getting delivered,
with an error message like:
CROND[21591]: (root) MAIL (mailed 1290 bytes of output but got status 0x006f#012)
AVC errors in audit.log were:
type=AVC msg=audit(1314228902.078:112210): avc: denied { search } for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc: denied { search } for pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc: denied { write } for pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc: denied { write } for pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc: denied { read } for pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
Attached is a patch to the selinux-policy SRPM (the latest one from
centos6 updates), including spec file diff. Basically, it does the
following:
1. change file context of /var/qmail/owners(/.*)? to qmail_etc_t
2. allow processes of scontext system_mail_t read, write, search
access to files, dirs, and fifos of tcontext qmail_spool_t
Let me know if this policy change poses any security issues or could
be implemented a different way, as I'm rather new to SELinux policy.
I wonder if nobody else is running qmail with selinux in enforcing
mode? Or perhaps they have a different qmail installation than me.
I don't know how the sendmail command could work because qmail-queue
can't access /var/qmail/queue/ which is where qmail stores all its
mail for processing.
Adi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: policy-qmail.patch
Type: application/octet-stream
Size: 2354 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110825/ff63c598/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux-policy.spec.patch
Type: application/octet-stream
Size: 1046 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110825/ff63c598/attachment-0001.obj
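The following is an added example, not the patch attached to the message above: instead of patching the selinux-policy SRPM, it expresses the two items the post lists (relabel /var/qmail/owners as qmail_etc_t; grant system_mail_t read/write/search on qmail_spool_t dirs, files and FIFOs) as a stand-alone local policy module built with the selinux-policy-devel Makefile. The module name local_qmail, the working directory and the "install" argument are assumptions. The var_run_t denial on the "pid" directory is outside the two items the post describes, so these rules do not cover it.

```shell
#!/bin/sh
# Added example: a local SELinux policy module for the qmail denials
# described in the post. Not the attached SRPM patch; module name,
# paths and the "install" argument are assumptions.
set -eu

MODULE=local_qmail   # assumed module name; must match the .te/.fc file names

# Write $MODULE.te and $MODULE.fc into the directory given as $1.
write_policy_files() {
    dir=$1
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(local_qmail, 1.0)

require {
    type system_mail_t;
    type qmail_spool_t;
}

# Item 2 of the post: the domain that qmail-inject / qmail-queue / the
# sendmail wrapper run in (system_mail_t) needs to search and write the
# queue directories, read/write queue files, and write the "trigger" FIFO.
# rw_*_perms are the refpolicy permission sets from obj_perm_sets.spt.
allow system_mail_t qmail_spool_t:dir rw_dir_perms;
allow system_mail_t qmail_spool_t:file rw_file_perms;
allow system_mail_t qmail_spool_t:fifo_file rw_fifo_file_perms;
EOF
    cat > "$dir/$MODULE.fc" <<'EOF'
# Item 1 of the post: label /var/qmail/owners (a symlink in the AVC above,
# currently var_t) and anything under it as qmail_etc_t.
/var/qmail/owners(/.*)?    gen_context(system_u:object_r:qmail_etc_t,s0)
EOF
}

# Build the .pp with the devel Makefile, load it, and relabel the owners path.
# Skips cleanly when selinux-policy-devel is not installed.
build_and_install() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; policy sources left in $dir" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    semodule -i "$dir/$MODULE.pp"
    restorecon -Rv /var/qmail/owners
}

workdir=$(mktemp -d)
write_policy_files "$workdir"
echo "policy sources written to $workdir"
if [ "${1:-}" = install ]; then
    build_and_install "$workdir"
fi
```

After loading the module, "ls -Z /var/qmail/owners" should show qmail_etc_t, and re-running the cron job with "ausearch -m avc -c qmail-queue" should no longer show the qmail_spool_t denials; any denial that remains (such as the var_run_t one on the pid directory) still needs its own rule or relabel.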