I still notice lots of AVCs in the messages log regarding postfix,
clamav, amavisd-new, spamassassin.
I am using selinux-policy-targeted-2.3.2-1.fc5 and
selinux-policy-2.3.2-1.fc5.
In order to get amavisd-new and clamscan to work with these selinux
versions, the booleans for clamscan_disable_trans and
amavis_disable_trans have to be set to on. I have noticed a lot of
traffic on the list regarding postfix/procmail integration. Maybe the
policies being developed could be expanded upon to take care of the
postfix, amavisd-new, clamav, spamassassin case.
I ran the AVCs through audit2allow and came up with the following rules.
Here is each rule, followed by the AVC that caused it:
allow amavis_t clamd_var_run_t:sock_file write;
Jul 26 18:43:18 somehostname kernel: audit(1153953798.370:869):
avc: denied { write } for pid=17186 comm="amavisd"
name="clamd.sock" dev=dm-0 ino=1333000
scontext=root:system_r:amavis_t:s0
tcontext=root:object_r:clamd_var_run_t:s0 tclass=sock_file

allow amavis_t postfix_etc_t:dir search;
Jul 25 16:26:56 somehostname kernel: audit(1153859216.437:772):
avc: denied { search } for pid=4207 comm="amavisd"
name="postfix" dev=dm-0 ino=359267
scontext=root:system_r:amavis_t:s0
tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

allow amavis_t razor_port_t:tcp_socket name_connect;
Jul 26 16:42:14 somehostname kernel: audit(1153946534.516:865):
avc: denied { name_connect } for pid=17183 comm="amavisd"
dest=2703 scontext=root:system_r:amavis_t:s0
tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket

allow clamd_t amavis_var_run_t:dir search;
Jul 27 14:31:14 somehostname kernel: audit(1154025074.534:1208):
avc: denied { search } for pid=26308 comm="clamd.amavisd"
name="amavisd" dev=dm-0 ino=1334115
scontext=root:system_r:clamd_t:s0
tcontext=system_u:object_r:amavis_var_run_t:s0 tclass=dir

allow clamd_t sysctl_kernel_t:dir search;
Jul 27 14:31:11 somehostname kernel: audit(1154025071.062:1206):
avc: denied { search } for pid=26307 comm="clamd.amavisd"
scontext=root:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir

allow clamd_t sysctl_t:dir search;
Jul 27 14:31:11 somehostname kernel: audit(1154025071.062:1207):
avc: denied { search } for pid=26307 comm="clamd.amavisd"
name="sys" dev=proc ino=-268435429
scontext=root:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_t:s0 tclass=dir

allow postfix_cleanup_t bin_t:file getattr;
Jul 26 14:10:52 somehostname kernel: audit(1153937452.370:819):
avc: denied { getattr } for pid=15469 comm="sh" name="sleep"
dev=dm-0 ino=1299281
scontext=root:system_r:postfix_cleanup_t:s0-s0:c0.c255
tcontext=system_u:object_r:bin_t:s0 tclass=file

allow postfix_local_t clamd_var_lib_t:dir search;
Jul 26 08:10:16 somehostname kernel: audit(1153915816.342:802):
avc: denied { search } for pid=13112 comm="local"
name="clamav" dev=dm-0 ino=1334110
scontext=root:system_r:postfix_local_t:s0
tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir

allow postfix_map_t nscd_var_run_t:dir search;
Jul 25 11:41:37 somehostname kernel: audit(1153842097.261:264):
avc: denied { search } for pid=8233 comm="postmap"
name="nscd" dev=dm-0 ino=1332052
scontext=root:system_r:postfix_map_t:s0-s0:c0.c255
tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir

allow postfix_pickup_t bin_t:file getattr;
Jul 26 14:06:34 somehostname kernel: audit(1153937194.032:816):
avc: denied { getattr } for pid=15411 comm="sh" name="sleep"
dev=dm-0 ino=1299281
scontext=root:system_r:postfix_pickup_t:s0-s0:c0.c255
tcontext=system_u:object_r:bin_t:s0 tclass=file

allow postfix_qmgr_t bin_t:file getattr;
Jul 26 14:06:34 somehostname kernel: audit(1153937194.036:817):
avc: denied { getattr } for pid=15409 comm="sh" name="sleep"
dev=dm-0 ino=1299281
scontext=root:system_r:postfix_qmgr_t:s0-s0:c0.c255
tcontext=system_u:object_r:bin_t:s0 tclass=file

allow postfix_smtpd_t bin_t:file getattr;
Jul 26 14:08:02 somehostname kernel: audit(1153937282.152:818):
avc: denied { getattr } for pid=15433 comm="sh" name="sleep"
dev=dm-0 ino=1299281
scontext=root:system_r:postfix_smtpd_t:s0-s0:c0.c255
tcontext=system_u:object_r:bin_t:s0 tclass=file

allow semanage_t postfix_etc_t:dir search;
Jul 27 14:29:59 somehostname kernel: audit(1154024994.164:1204):
avc: denied { search } for pid=26252 comm="genhomedircon"
name="postfix" dev=dm-0 ino=359267
scontext=root:system_r:semanage_t:s0-s0:c0.c255
tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

allow spamd_t postfix_etc_t:dir search;
Jul 27 14:31:21 somehostname kernel: audit(1154025077.106:1430):
avc: denied { search } for pid=26384 comm="spamd"
name="postfix" dev=dm-0 ino=359267
scontext=root:system_r:spamd_t:s0
tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

allow spamd_t root_t:dir write;
Jul 27 14:31:21 somehostname kernel: audit(1154025078.575:1431):
avc: denied { write } for pid=26386 comm="spamd" name="/"
dev=dm-0 ino=2 scontext=root:system_r:spamd_t:s0
tcontext=system_u:object_r:root_t:s0 tclass=dir

allow spamd_t user_home_dir_t:dir write;
Jul 27 14:31:21 somehostname kernel: audit(1154025078.575:1432):
avc: denied { write } for pid=26386 comm="spamd" name="root"
dev=dm-0 ino=292321 scontext=root:system_r:spamd_t:s0
tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
The configuration for postfix, amavisd-new, clamav, and spamassassin is
pretty plain vanilla, with the only changes to configuration files being
those necessary for this host and to enable the content filter in postfix
using the modifications outlined in the README.fedora and README.postfix
for amavisd-new.
Regards,
John
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
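The post above feeds raw AVC denials to audit2allow and lists the resulting allow rules verbatim. What audit2allow does is mechanical: it keys each denial on (source type, target type, object class), unions the permissions, and prints one allow rule per key. The part it cannot do is decide whether a rule is safe to load. The script below is an added example, not code from the post or from the SELinux tools: it reimplements that grouping over sample syslog lines constructed from the denials quoted above (re-joined onto single lines, as syslog writes them, and with one unrelated line mixed in), emits the same rules the post shows, writes the `module`/`require` skeleton that `audit2allow -M` would produce, and attaches a triage verdict to each rule. The verdict categories, the `WRITE_PERMS` and `BROAD_TARGETS` sets, and all function names are this example's own assumptions, not anything the policy tools define.

```python
"""Turn SELinux AVC denials into audit2allow-style rules and triage them before loading.

Added example, not from the original post. The sample AVC lines are constructed
from the denials quoted in the post, re-joined onto single lines as syslog writes them.
"""
import re
from collections import defaultdict

SAMPLE_AVCS = [  # constructed sample input, one syslog line per denial, plus one non-AVC line
    'Jul 26 18:43:18 somehostname kernel: audit(1153953798.370:869): avc: denied { write } for pid=17186 comm="amavisd" name="clamd.sock" dev=dm-0 ino=1333000 scontext=root:system_r:amavis_t:s0 tcontext=root:object_r:clamd_var_run_t:s0 tclass=sock_file',
    'Jul 26 16:42:14 somehostname kernel: audit(1153946534.516:865): avc: denied { name_connect } for pid=17183 comm="amavisd" dest=2703 scontext=root:system_r:amavis_t:s0 tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket',
    'Jul 26 14:10:52 somehostname kernel: audit(1153937452.370:819): avc: denied { getattr } for pid=15469 comm="sh" name="sleep" dev=dm-0 ino=1299281 scontext=root:system_r:postfix_cleanup_t:s0-s0:c0.c255 tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'Jul 27 14:31:21 somehostname kernel: audit(1154025078.575:1431): avc: denied { write } for pid=26386 comm="spamd" name="/" dev=dm-0 ino=2 scontext=root:system_r:spamd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir',
    'Jul 27 14:31:21 somehostname kernel: audit(1154025078.575:1432): avc: denied { write } for pid=26386 comm="spamd" name="root" dev=dm-0 ino=292321 scontext=root:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir',
    'Jul 27 14:31:11 somehostname kernel: some unrelated message',
]

# Permissions that let a domain modify the target; lookups and metadata reads are excluded.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "link",
               "rmdir", "add_name", "remove_name", "relabelto", "relabelfrom"}
# Types that label large, shared parts of the filesystem (assumed list for this example).
BROAD_TARGETS = {"root_t", "user_home_dir_t", "user_home_t", "etc_t", "bin_t",
                 "usr_t", "var_t", "tmp_t"}
RULE_RE = re.compile(r"allow (\S+) (\S+):(\S+) (?:\{ (.*) \}|(\S+));")


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not a denial."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    type_of = lambda ctx: ctx.split(":")[2]  # user:role:type[:level] -> type
    return {"perms": m.group(1).split(), "comm": fields.get("comm", ""),
            "name": fields.get("name", ""), "stype": type_of(fields["scontext"]),
            "ttype": type_of(fields["tcontext"]), "tclass": fields["tclass"]}


def build_rules(lines):
    """Collapse denials into allow rules keyed on (source, target, class), like audit2allow."""
    perms_by_key = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        perms_by_key[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(perms_by_key.items()):
        p = sorted(perms)
        rules.append(f"allow {s} {t}:{c} {p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'};")
    return rules


def split_rule(rule):
    """allow S T:C perms; -> (S, T, C, set(perms))."""
    m = RULE_RE.match(rule)
    return m.group(1), m.group(2), m.group(3), set((m.group(4) or m.group(5)).split())


def triage(rule):
    """Classify a generated rule before it is loaded (categories are this example's own)."""
    _, t, _, perms = split_rule(rule)
    if perms & WRITE_PERMS and t in BROAD_TARGETS:
        return "REVIEW"   # daemon writing into /, a home dir or /etc: fix its config, do not allow
    if perms <= {"getattr", "search", "read", "lock", "ioctl"}:
        return "LOW"      # lookup/metadata access; the usual harmless audit2allow output
    return "NORMAL"       # e.g. sockets between cooperating daemons; allow, prefer a policy interface


def to_te_module(rules, name="local"):
    """Emit the module/require skeleton that `audit2allow -M name` would write."""
    types, classes = set(), defaultdict(set)
    for s, t, c, perms in map(split_rule, rules):
        types.update({s, t})
        classes[c].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join(out + ["}", ""] + rules) + "\n"


if __name__ == "__main__":
    rules = build_rules(SAMPLE_AVCS)
    for r in rules:
        print(f"{triage(r):7s} {r}")
    print(to_te_module(rules))
```

Two points the triage encodes: the `getattr` on `bin_t` from a shell child of the postfix daemons is harmless lookup noise, while `spamd_t` trying to `write` to `/` and `/root` is the kind of denial that should send you to the daemon's configuration (its working directory and `HOME`) rather than into a local policy module, because an allow rule there widens what a compromised spamd could touch on disk. The `*_disable_trans` booleans mentioned in the post are the opposite extreme: with transition disabled the daemon never enters its confined domain at all, so turning them on removes SELinux confinement for that service rather than tuning it.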