Re: postfix, procmail and SELinux - No Go

"Marc Schwartz (via MN)" <mschwartz@xxxxxxxxx> · Tue, 30 May 2006 14:47:38 -0500

<snipped some content for space>

On Tue, 2006-05-30 at 20:05 +0100, Paul Howarth wrote:
> On Tue, 2006-05-30 at 13:41 -0500, Marc Schwartz (via MN) wrote:
> > On Tue, 2006-05-30 at 16:32 +0100, Paul Howarth wrote:
> > > If you run SELinux in permissive mode and post the AVCs that get logged 
> > > when procmail is running, it should be possible to get this fixed.
> > 
> > Paul,
> > 
> > Thanks for the reply.
> > 
> > I have re-booted with SELinux in Permissive Mode.
> > 
> > However, while procmail is working still, I see no avc messages at all
> > in /var/log/messages that would seemingly be related here. There are
> > other avc's there, most of which appear to be related to the boot
> > process and the relabelling of files subsequent to having disabled
> > SELinux earlier.
> > 
> > Is this something more subtle or is there someplace else that I should
> > be looking?
> 
> Perhaps you have auditd running, and have AVCs logged
> to /var/log/audit/audit.log instead?

Yep.  That's it.

Thanks to Tom also for pointing this out.

For reference, here is my ~/.procmailrc:

# Scan for viruses using ClamAV + clamassassin
:0 fw
| /usr/local/bin/clamassassin

# Scan with SpamAssasin (+ razor, pyzor and dcc)
:0 fw
| /usr/bin/spamc -s 256000

I'm not sure how much you might need/want, but here is a sampling. I
tried to catch what appear to be complete "cycles" in each case.

Here are some using grep 'procmail':

type=AVC_PATH msg=audit(1149015973.940:563):  path="/home/marcs/.procmailrc"
type=PATH msg=audit(1149015973.940:563): item=0 name="/home/marcs/.procmailrc" flags=1  inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015973.940:564): avc:  denied  { read } for  pid=11095 comm="procmail" name=".procmailrc" dev=dm-0 ino=426353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149015973.940:564): arch=40000003 syscall=5 success=yes exit=4 a0=9337d60 a1=8000 a2=0 a3=8000 items=1 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
type=PATH msg=audit(1149015973.940:564): item=0 name="/home/marcs/.procmailrc" flags=101  inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015973.956:565): avc:  denied  { execute } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149015973.956:565): avc:  denied  { execute_no_trans } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149015973.956:565): avc:  denied  { read } for  pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149015973.960:566): avc:  denied  { search } for  pid=11101 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1149015973.960:566): avc:  denied  { read } for  pid=11101 comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1149015973.960:567): avc:  denied  { getattr } for  pid=11101 comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1149015973.972:568): avc:  denied  { read } for  pid=11105 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1149015973.972:569): avc:  denied  { getattr } for  pid=11105 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1149015973.972:570): avc:  denied  { read } for  pid=11105 comm="clamscan" name="main.cvd" dev=hdc5 ino=30890 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1149015973.972:571): avc:  denied  { getattr } for  pid=11105 comm="clamscan" name="main.cvd" dev=hdc5 ino=30890 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1149015974.368:572): avc:  denied  { write } for  pid=11105 comm="clamscan" name="main.ndb" dev=hdc6 ino=146248 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.368:573): avc:  denied  { read } for  pid=11105 comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.532:574): avc:  denied  { create } for  pid=11105 comm="clamscan" name="main.zmd" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.532:575): avc:  denied  { getattr } for  pid=11105 comm="clamscan" name="main.zmd" dev=hdc6 ino=146249 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.532:576): avc:  denied  { unlink } for  pid=11105 comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.992:577): avc:  denied  { search } for  pid=11105 comm="clamscan" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:578): avc:  denied  { read } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:579): avc:  denied  { setattr } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:580): avc:  denied  { write } for  pid=11105 comm="clamscan" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:580): avc:  denied  { remove_name } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:580): avc:  denied  { rmdir } for  pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.452:581): avc:  denied  { add_name } for  pid=11105 comm="clamscan" name="clamav-c8c20a1e39aef1bc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.452:581): avc:  denied  { create } for  pid=11105 comm="clamscan" name="clamav-c8c20a1e39aef1bc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Here are some using grep 'postfix':

type=SYSCALL msg=audit(1149014661.600:328): arch=40000003 syscall=196 success=no exit=-2 a0=9769930 a1=bf8a4b80 a2=580ff4 a3=3 items=1 pid=8367 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="local" exe="/usr/libexec/postfix/local"
type=CWD msg=audit(1149014661.600:328):  cwd="/var/spool/postfix"
type=CWD msg=audit(1149014661.604:329):  cwd="/var/spool/postfix"
type=CWD msg=audit(1149014661.604:330):  cwd="/var/spool/postfix"
type=AVC msg=audit(1149014770.075:378): avc:  denied  { search } for  pid=8646 comm="local" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

Some using grep 'pyzor'. Note that neither 'razor' nor 'dcc' are showing
up curiously:

type=AVC_PATH msg=audit(1149015851.011:541):  path="/home/marcs/.pyzor"
type=PATH msg=audit(1149015851.011:541): item=0 name="/home/marcs/.pyzor" flags=1  inode=427255 dev=fd:00 mode=040755 ouid=500 ogid=5 00 rdev=00:00
type=AVC msg=audit(1149015851.015:542): avc:  denied  { getattr } for  pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scon text=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1149015851.015:542): arch=40000003 syscall=195 success=yes exit=0 a0=86c1fb0 a1=bf9b8da8 a2=4891eff4 a3=868e1b 0 items=1 pid=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/ python"
type=AVC_PATH msg=audit(1149015851.015:542):  path="/home/marcs/.pyzor/servers"
type=PATH msg=audit(1149015851.015:542): item=0 name="/home/marcs/.pyzor/servers" flags=1  inode=427256 dev=fd:00 mode=0100664 ouid=5 00 ogid=500 rdev=00:00
type=AVC msg=audit(1149015851.015:543): avc:  denied  { search } for  pid=10802 comm="pyzor" name="marcs" dev=dm-0 ino=425153 scontex t=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1149015851.015:543): avc:  denied  { read } for  pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontex t=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1149015851.015:543): arch=40000003 syscall=5 success=yes exit=3 a0=87273d0 a1=8000 a2=1b6 a3=86e0b90 items=1 p id=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
type=PATH msg=audit(1149015851.015:543): item=0 name="/home/marcs/.pyzor/servers" flags=101  inode=427256 dev=fd:00 mode=0100664 ouid =500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015851.027:544): avc:  denied  { search } for  pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_ u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015851.027:544): avc:  denied  { write } for  pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u :system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015851.027:544): avc:  denied  { add_name } for  pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system _r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015851.027:544): avc:  denied  { create } for  pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system_r :pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

More with grep 'spamd':

type=AVC msg=audit(1149017045.372:768): avc:  denied  { search } for  pid=1949 comm="spamd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1149017045.372:768): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
type=PATH msg=audit(1149017045.372:768): item=0 name="/home/marcs/.spamassassin/user_prefs" flags=1  inode=1193881 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017045.380:769): avc:  denied  { getattr } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017045.380:769): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1149017045.380:769):  path="/home/marcs/.spamassassin/bayes_toks"
type=PATH msg=audit(1149017045.380:769): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=1  inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017045.380:770): avc:  denied  { read } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017045.380:770): arch=40000003 syscall=5 success=yes exit=8 a0=b1db3b8 a1=8000 a2=0 a3=8000 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
type=PATH msg=audit(1149017045.380:770): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=101  inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017047.188:771): avc:  denied  { append } for  pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017047.188:771): arch=40000003 syscall=5 success=yes exit=10 a0=b8211d8 a1=8441 a2=1b6 a3=8441 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
type=PATH msg=audit(1149017047.188:771): item=0 name="/home/marcs/.spamassassin/bayes_journal" flags=310  inode=1193874 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017047.188:772): avc:  denied  { ioctl } for  pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017047.188:772): arch=40000003 syscall=54 success=no exit=-25 a0=a a1=5401 a2=bf84f5d8 a3=bf84f618 items=0 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1149017047.188:772):  path="/home/marcs/.spamassassin/bayes_journal"
type=AVC msg=audit(1149017047.828:791): avc:  denied  { write } for  pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

Finally with grep "clamassassin":

type=SYSCALL msg=audit(1149016209.330:652): arch=40000003 syscall=5 success=yes exit=3 a0=99e48c0 a1=8241 a2=1b6 a3=8241 items=1 pid=11646 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
type=PATH msg=audit(1149016209.330:652): item=0 name="/tmp/clamassassinmsg.jSBOI11644" flags=310  inode=2 dev=16:06 mode=041777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149016209.330:653): avc:  denied  { getattr } for  pid=11646 comm="cat" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC_PATH msg=audit(1149016209.330:653):  path="/tmp/clamassassinmsg.jSBOI11644"
type=AVC msg=audit(1149016209.334:654): avc:  denied  { execute } for  pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149016209.334:654): avc:  denied  { execute_no_trans } for  pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149016209.334:654): avc:  denied  { read } for  pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149016209.346:657): avc:  denied  { read } for  pid=11651 comm="clamassassin" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1149016209.346:657): arch=40000003 syscall=5 success=yes exit=3 a0=99e1190 a1=8000 a2=0 a3=8000 items=1 pid=11651 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
type=PATH msg=audit(1149016209.346:657): item=0 name="/tmp/clamassassinmsg.jSBOI11644" flags=101  inode=28 dev=16:06 mode=0100600 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017043.144:752): avc:  denied  { add_name } for  pid=13192 comm="mktemp" name="clamassassinmsg.QRJvd13192" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149017043.144:752): avc:  denied  { create } for  pid=13192 comm="mktemp" name="clamassassinmsg.QRJvd13192" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=PATH msg=audit(1149017043.144:752): item=0 name="/tmp/clamassassinmsg.QRJvd13192" flags=310  inode=2 dev=16:06 mode=041777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149017043.152:753): avc:  denied  { write } for  pid=13194 comm="clamassassin" name="clamassassinmsg.QRJvd13192" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

> > BTW, on a separate and possible SELinux related issue, I had noted that
> > the Evolution Data Server was crashing after I first installed FC5 with
> > SELinux enabled.  For the time this morning that I had SELinux disabled,
> > I was not getting the crash.  Didn't make the association initially, but
> > now that I have it re-enabled in Permissive Mode, it's crashing again.
> > No avc's in the log here either.
> 
> Don't know what's happening with that. Having SELinux in permissive mode
> should behave almost identically to disabled mode really.

No avc's in /var/log/audit/audit.log, now that I am searching that.

Yeah, this is curious. I'll pay attention to it and post back with any
further data.

Thanks,

Marc

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list