On Fri, 2006-06-30 at 14:19 +0100, Paul Howarth wrote:
> Marc Schwartz wrote:
> > I just got home and noted the following avc's which appear to be a
> > post-reboot scenario.
> >
> > There are some that appear to be networking related, which may indeed be
> > associated with the kernel related reports. I have more than one network
> > profile, where I used one at home that has a fixed IP address behind a
> > router. At work, I use NM with DHCP. As I noted in a prior post, some
> > network things have been flaky with the new kernel.
> >
> > Is this an indication that I should consider the 'updates testing'
> > initscripts update as referenced in other threads on the general lists?
>
> Possibly; my understanding of the update is that it fixes the order of
> assignment of network devices at boot time. This is useful to me for
> instance, as I have a two-interface firewall, which doesn't work if it
> boots with the internal and external interfaces the wrong way around.
Yeah, eth0 (should be a hardwired connection) and eth1 (which should be
a wireless connection) have been frequently switching back and forth.
Under the former kernel, the wireless was wlan0 when using ndiswrapper.
OK. I updated the rpm.
I have not fully tested the updated scripts, but what was interesting is
that I had modified rc.sysinit to handle my LUKS partitions during boot,
but the update (which includes the default file) did not overwrite my
modified version. I presume that there may be an entry in the spec file
for the rpm to check for this, though I have not taken the time to
review it.
> > Up until the reboot, there were no other avc's.
> >
> > Note also what appears to be a double "//" in the path to the
> > razor-agent.log. Not sure where that comes from, as the mods that I
> > made in the config files are:
> >
> > local.cf:
> > razor_config /etc/mail/spamassassin/razor/razor-agent.conf
> >
> > razor-agent.conf :
> > razorhome = /etc/mail/spamassassin/razor/
> >
> > The trailing '/' in the second file was there previously.
>
> You could try it without the trailing slash and see what happens. Double
> slashes aren't usually an issue though.
I'll leave it for now and see if it continues to show.
> > New avc's:
> >
> > type=AVC msg=audit(1151607255.655:1577): avc: denied { signal } for pid=2283 comm="spamd" scontext=system_u:system_r:spamd_t:s0 t context=system_u:system_r:dcc_client_t:s0 tclass=process
> > type=SYSCALL msg=audit(1151607255.655:1577): arch=40000003 syscall=37 success=no exit=-13 a0=780b a1=f a2=2b5b8c a3=90e7894 items=0 pid=2283 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
>
> Spamassassin signalling dcc_client. I wonder if the "a1" value is the
> signal number? If so, that's SIGTERM.
>
> > type=AVC msg=audit(1151620643.074:452): avc: denied { append } for pid=2312 comm="spamd" name="razor-agent.log" dev=hdc7 ino=1081 390 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:etc_mail_t:s0 tclass=file
> > type=SYSCALL msg=audit(1151620643.074:452): arch=40000003 syscall=5 success=no exit=-13 a0=b5c6ee0 a1=8441 a2=1b6 a3=8441 items=1 pi d=2312 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=syst em_u:system_r:spamd_t:s0
> > type=CWD msg=audit(1151620643.074:452): cwd="/"
> > type=PATH msg=audit(1151620643.074:452): item=0 name="/etc/mail/spamassassin/razor//razor-agent.log" parent=1081385 dev=16:07 mode=0 40755 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:etc_mail_t:s0
>
> Trying to append to /etc/mail/spamassassin/razor/razor-agent.log, which
> of course is etc_mail_t. Is there any way to persuade razor to put this
> log in /var/log instead?
Yep. Done. I made a change in:
/etc/mail/spamassassin/razor/razor-agent.conf
Now with a line:
logfile = /var/log/razor-agent.log
which was just
logfile = razor-agent.log
Specifying the full path overrides the normal home dir for razor files.
After a spamassassin service restart, the log file is now:
ls -lZ /var/log/razor-agent.log
-rw-r--r-- root root user_u:object_r:var_log_t /var/log/razor-agent.log
Note the change in context below.
> > type=AVC msg=audit(1151620645.415:453): avc: denied { setgid } for pid=2410 comm="dccproc" capability=6 scontext=system_u:system_ r:dcc_client_t:s0 tcontext=system_u:system_r:dcc_client_t:s0 tclass=capability
> > type=SYSCALL msg=audit(1151620645.415:453): arch=40000003 syscall=210 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=47fcfcc0 it ems=0 pid=2410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin /dccproc" subj=system_u:system_r:dcc_client_t:s0
>
> dccproc changing its group ID.
>
> > type=AVC msg=audit(1151620795.471:481): avc: denied { use } for pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scon text=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=AVC msg=audit(1151620795.471:481): avc: denied { use } for pid=5120 comm="dhclient" name="[10508]" dev=pipefs ino=10508 scon text=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=SYSCALL msg=audit(1151620795.471:481): arch=40000003 syscall=11 success=yes exit=0 a0=99120f8 a1=993b580 a2=9912608 a3=993b5f0 items=2 pid=5120 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient" exe="/sbin/dhcl ient" subj=user_u:system_r:dhcpc_t:s0
> > type=AVC_PATH msg=audit(1151620795.471:481): path="pipe:[10508]"
> > type=AVC_PATH msg=audit(1151620795.471:481): path="pipe:[10508]"
> > type=CWD msg=audit(1151620795.471:481): cwd="/etc/sysconfig/network-scripts"
> > type=PATH msg=audit(1151620795.471:481): item=0 name="/sbin/dhclient" inode=3542818 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dhcpc_exec_t:s0
> > type=PATH msg=audit(1151620795.471:481): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_ u:object_r:ld_so_t:s0
> > type=AVC msg=audit(1151620808.228:498): avc: denied { use } for pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=105 08 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=AVC msg=audit(1151620808.228:498): avc: denied { use } for pid=5217 comm="dhclient-script" name="[10508]" dev=pipefs ino=105 08 scontext=user_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
> > type=SYSCALL msg=audit(1151620808.228:498): arch=40000003 syscall=11 success=yes exit=0 a0=9fdff30 a1=a0044c8 a2=9fe1378 a3=a002498 items=3 pid=5217 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dhclient-script" exe="/bi n/bash" subj=user_u:system_r:dhcpc_t:s0
> > type=AVC_PATH msg=audit(1151620808.228:498): path="pipe:[10508]"
> > type=AVC_PATH msg=audit(1151620808.228:498): path="pipe:[10508]"
> > type=CWD msg=audit(1151620808.228:498): cwd="/etc/sysconfig/network-scripts"
> > type=PATH msg=audit(1151620808.228:498): item=0 name="/sbin/dhclient-script" inode=3548518 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev =00:00 obj=system_u:object_r:dhcpc_exec_t:s0
> > type=PATH msg=audit(1151620808.228:498): item=1 name=(null) inode=1966191 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system _u:object_r:shell_exec_t:s0
> > type=PATH msg=audit(1151620808.228:498): item=2 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_ u:object_r:ld_so_t:s0
>
> These appear to be unrelated network issues.
>
> Could be allowed by having
> xserver_use_xdm_fds(dhcpc_t)
> in the sysnetwork policy but I'm not sure what's happening there and if
> that would be the right thing to do.
>
> Updated policy:
> ::::::::::::::
> mydcc.if
> ::::::::::::::
> ########################################
> ## <summary>
> ## Signal the dcc client
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## The type of the process performing this action.
> ## </summary>
> ## </param>
> #
> interface(`dcc_signal_client',`
> gen_require(`
> type dcc_client_t;
> ')
>
> allow $1 dcc_client_t:process signal;
> ')
>
> ::::::::::::::
> myspamassassin.te
> ::::::::::::::
> policy_module(myspamassassin, 0.1.2)
>
> require {
> type spamd_t;
> }
>
> # This will be included in FC5 policy when dcc module is included
> dcc_domtrans_client(spamd_t)
>
> # This is already supposed to be included but doesn't seem to be working
> pyzor_domtrans(spamd_t)
>
> # This will be included in FC5 policy when razor module is included
> razor_domtrans(spamd_t)
>
> # Signal the dcc client (SIGTERM is used?)
> dcc_signal_client(spamd_t)
> ::::::::::::::
> mydcc.te
> ::::::::::::::
> policy_module(mydcc, 0.1.9)
>
> # ==================================================
> # Declarations
> # ==================================================
>
> require {
> type dcc_client_t;
> }
>
> # ==================================================
> # DCC client local policy
> # ==================================================
>
> allow dcc_client_t self:capability setgid;
> allow dcc_client_t self:netlink_route_socket r_netlink_socket_perms;
>
> corenet_udp_bind_inaddr_any_node(dcc_client_t)
>
> # dcc_client probably doesn't need to be able to read /proc/meminfo
> kernel_dontaudit_list_proc(dcc_client_t)
> kernel_dontaudit_read_system_state(dcc_client_t)
>
> spamassassin_read_spamd_tmp_files(dcc_client_t)
Policies updated:
amavis 1.0.4
clamav 1.0.1
dcc 1.0.0
myclamav 0.1.5
mydcc 0.1.9
mypostfix 0.1.0
mypyzor 0.2.3
myspamassassin 0.1.2
procmail 0.5.4
pyzor 1.0.1
razor 1.0.0
I also ran a restorecon on /var/log/razor-agent.log, which is now:
ls -lZ /var/log/razor-agent.log
-rw-r--r-- root root system_u:object_r:razor_log_t /var/log/razor-agent.log
New avc's so far, after manually running all relevant cron jobs and a
re-boot:
type=AVC msg=audit(1151774266.909:5311): avc: denied { search } for pid=11652 comm="spamd" name="log" dev=dm-1 ino=73126 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1151774266.909:5311): arch=40000003 syscall=5 success=no exit=-13 a0=b1676f0 a1=8441 a2=1b6 a3=8441 items=1 pid=11652 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
type=CWD msg=audit(1151774266.909:5311): cwd="/"
type=PATH msg=audit(1151774266.909:5311): item=0 name="/var/log/razor-agent.log" obj=user_u:object_r:etc_mail_t:s0
type=AVC msg=audit(1151774267.629:5312): avc: denied { read } for pid=18080 comm="dccproc" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1151774267.629:5312): arch=40000003 syscall=11 success=yes exit=0 a0=b0c96b8 a1=a432fd8 a2=b18feb8 a3=bfce606c items=2 pid=18080 auid=500 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151774267.629:5312): path="/root/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1151774267.629:5312): cwd="/"
type=PATH msg=audit(1151774267.629:5312): item=0 name="/usr/local/bin/dccproc" inode=3118478 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=PATH msg=audit(1151774267.629:5312): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
Thanks,
Marc
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
