qmail policy patch

Adi Fairbank adi at adiraj.org
Thu Aug 25 20:30:01 UTC 2011


I had some trouble with the policy for the qmail service, as shipped  
with CentOS 6.  I assume the policy comes from the Fedora project, so  
I'm posting here.

It was preventing qmail-inject / qmail-queue / sendmail from searching  
and writing to /var/qmail/queue/, among other issues.  I noticed the  
problems because crond generated e-mail was not getting delivered,  
with an error message like:

  CROND[21591]: (root) MAIL (mailed 1290 bytes of output but got status 0x006f#012)

AVC errors in audit.log were:

type=AVC msg=audit(1314228902.078:112210): avc:  denied  { search }  for  pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc:  denied  { search }  for  pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc:  denied  { write }  for  pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc:  denied  { write }  for  pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc:  denied  { read }  for  pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file

Attached is a patch to the selinux-policy SRPM (the latest one from  
centos6 updates), including spec file diff.  Basically, it does the  
following:

  1. change file context of /var/qmail/owners(/.*)? to qmail_etc_t
  2. allow processes of scontext system_mail_t read, write, search  
access to files, dirs, and fifos of tcontext qmail_spool_t

Let me know if this policy change poses any security issues or could  
be implemented a different way, as I'm rather new to SELinux policy.   
I wonder if nobody else is running qmail with SELinux in enforcing  
mode?  Or perhaps they have a different qmail installation than me.   
I don't know how the sendmail command could work because qmail-queue  
can't access /var/qmail/queue/ which is where qmail stores all its  
mail for processing.

Adi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: policy-qmail.patch
Type: application/octet-stream
Size: 2354 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110825/ff63c598/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux-policy.spec.patch
Type: application/octet-stream
Size: 1046 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20110825/ff63c598/attachment-0001.obj 
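Editor's note on the AVC records above. The two denials on qmail_spool_t (search on the queue and pid directories, write on the trigger fifo) are genuine missing-rule denials for system_mail_t, which is what item 2 of the patch addresses. The other two look different: the "owners" symlink is labelled var_t and the "pid" directory is labelled var_run_t, both generic types, and a generic type on an object inside the application's own tree normally means the object is mislabelled, so the right fix is a file-context change plus restorecon rather than an allow rule against var_t or var_run_t (item 1 of the patch is exactly that kind of fix). Note also that records 2 and 3 name the same object (dev=dm-4 ino=655470) with two different labels, qmail_spool_t at 1314229501 and var_run_t at 1314239102, so its label changed between the two events; worth checking what relabelled it.

The following is an added example, not code from the post and not part of the selinux-policy package: a small audit2allow-style aggregator in Python that groups the five AVC records by (source type, target type, class), emits the allow rules as a .te module in the form `audit2allow -M` produces, and sets aside denials whose target type is generic as relabel candidates. The generic-type heuristic and the module name `qmail_local` are my own assumptions; the sample log is the post's five records unwrapped to one line each.

```python
"""Turn qmail AVC denials into a candidate SELinux policy module.

Added example (not from the post or the selinux-policy package).  It groups
denials by (source type, target type, object class) like audit2allow does
and, as an extra heuristic of this example, sets aside denials whose target
carries a generic type (var_t, var_run_t, ...) as probable mislabelling.
"""
import re
from collections import defaultdict

# Constructed sample: the five AVC records quoted in the post, unwrapped.
AVC_LOG = """\
type=AVC msg=audit(1314228902.078:112210): avc:  denied  { search }  for  pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc:  denied  { search }  for  pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc:  denied  { write }  for  pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc:  denied  { write }  for  pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc:  denied  { read }  for  pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'name="([^"]*)"')

# Assumption of this example: these target types are "generic" and a denial
# against them inside an application's own tree points at a labelling bug.
GENERIC_TYPES = {"var_t", "var_run_t", "var_lib_t", "var_log_t", "etc_t",
                 "usr_t", "tmp_t", "default_t", "file_t", "unlabeled_t"}


def ctx_type(context):
    """user:role:type[:level] -> type component of a security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Aggregate AVC lines: {(stype, ttype, tclass): {"perms", "names"}}."""
    denials = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (ctx_type(m["scon"]), ctx_type(m["tcon"]), m["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        n = NAME_RE.search(line)
        if n:
            denials[key]["names"].add(n.group(1))
    return dict(denials)


def split_denials(denials):
    """Separate real missing-rule denials from probable mislabelling."""
    allow, relabel = {}, {}
    for key, info in denials.items():
        (relabel if key[1] in GENERIC_TYPES else allow)[key] = info
    return allow, relabel


def _permset(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module, version, allow):
    """Emit a .te module in the shape audit2allow -M produces."""
    types, classes = set(), defaultdict(set)
    for (s, t, cls), info in allow.items():
        types.update((s, t))
        classes[cls].update(info["perms"])
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {ty};" for ty in sorted(types)]
    out += [f"\tclass {cls} {_permset(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    for key in sorted(allow):
        s, t, cls = key
        out.append(f"allow {s} {t}:{cls} {_permset(allow[key]['perms'])};")
    return "\n".join(out) + "\n"


def relabel_report(relabel):
    """One line per generic-type denial, pointing at labelling, not policy."""
    return [
        f"{s} denied {sorted(info['perms'])} on {cls} {sorted(info['names'])} "
        f"labelled {t}: check the label (restorecon -nv, semanage fcontext) "
        f"rather than adding an allow rule"
        for (s, t, cls), info in sorted(relabel.items())
    ]


if __name__ == "__main__":
    allow_rules, relabel_cases = split_denials(parse_avcs(AVC_LOG))
    print(render_te("qmail_local", "1.0", allow_rules))
    print("\n".join(relabel_report(relabel_cases)))
```

Running it prints a module with `allow system_mail_t qmail_spool_t:dir search;` and `allow system_mail_t qmail_spool_t:fifo_file write;`, which can be built and loaded the usual way (`checkmodule -M -m -o qmail_local.mod qmail_local.te`, `semodule_package -o qmail_local.pp -m qmail_local.mod`, `semodule -i qmail_local.pp`), and two relabel notes for the var_t symlink and var_run_t directory. For the symlink the post's own choice was to map `/var/qmail/owners(/.*)?` to qmail_etc_t, which on a running box is `semanage fcontext -a -t qmail_etc_t '/var/qmail/owners(/.*)?'` followed by `restorecon -Rv /var/qmail`. The allow rules here are narrower than item 2 of the patch (search on dirs and write on the fifo, not read/write/search on everything); which set is right depends on what else qmail-queue touches once these denials are cleared, so re-check audit.log after loading.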