melaina@xxxxxxxxx wrote:
Hello,
a follow-up to my last e-mail. I fear part of the problem may be caused by the policy shipping with Plesk, contained in the file plesk.te. Could this transition be causing the issue?
# qmail permissions
# always enabled
allow system_mail_t system_mail_t:fifo_file rw_file_perms;
can_exec(system_mail_t, sendmail_exec_t)
r_dir_file(system_mail_t, sendmail_exec_t)
ifdef(`mta.te', `
domain_auto_trans(httpd_sys_script_t, sendmail_exec_t, system_mail_t)
')
THis says that if a cgi script comes upon a sendmail_exec_t it will
transition to a system_mail_t, And it adds the ability for system_mail_t
to exec sendmail_t files, AS well as talk to itself via a fifo_file.
---------- Initial Header -----------
From : "Daniel J Walsh" dwalsh@xxxxxxxxxx
To : "melaina@xxxxxxxxx" melaina@xxxxxxxxx
Cc : "fedora-selinux-list" fedora-selinux-list@xxxxxxxxxx
Date : Tue, 06 Feb 2007 12:15:05 -0500
Subject : Re: Mail problems...
melaina@xxxxxxxxx wrote:
Hello!
I have just started playing a bit with SELinux in permissive mode on my system. I have qmail with spamassassin installed; the only AVC denied messages I get (after I relabeled the system and fixed domains on a couple of log files), is the following:
Jan 30 20:23:13 drake kernel: audit(1170210193.998:8): avc: denied { read } for pid=11862 comm="sendmail" name="RsmVLSTr" dev=loop0 ino=20 scontext=user_u: system_r:system_mail_t tcontext=user_u:object_r:httpd_sys_script_rw_t tclass=fil e
Jan 30 20:23:13 drake kernel: audit(1170210193.998:9): avc: denied { read wr ite } for pid=11862 comm="sendmail" name="jk-runtime-status" dev=hda5 ino=49827 49 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.019:10): avc: denied { ioctl } for pid=11863 comm="qmail-scanner-q" name="error_log" dev=hda5 ino=4984894 sc ontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tcla ss=file
Jan 30 20:23:14 drake kernel: audit(1170210194.026:11): avc: denied { read } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 scontext= user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.026:12): avc: denied { getatt r } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 sconte xt=user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=f ile
Jan 30 20:23:15 drake kernel: audit(1170210195.204:13): avc: denied { append } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 s context=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tcl ass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.204:14): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 sc ontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tcla ss=file
Jan 30 20:23:15 drake kernel: audit(1170210195.205:15): avc: denied { getatt r } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tc lass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.206:16): avc: denied { read } for pid=11863 comm="perl5.8.5" name="qmail-scanner-queue-version.txt" dev=hda5 ino=5130273 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:v ar_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.208:17): avc: denied { write } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=5195094 scontext=user_ u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:18): avc: denied { add_na me } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com1170210195772118 63" scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_ t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:19): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863 " scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tc lass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.409:20): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863 " scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tc lass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:21): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:22): avc: denied { getatt r } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com11702101957721186 3" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:o bject_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.414:23): avc: denied { write } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.418:24): avc: denied { link } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:obje ct_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.419:25): avc: denied { remove _name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com1170210195772 11863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=syst em_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.419:26): avc: denied { unlink } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863 " dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:ob ject_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.424:27): avc: denied { read w rite } for pid=11864 comm="sh" name="tty" dev=tmpfs ino=1804 scontext=user_u:sy stem_r:system_mail_t tcontext=system_u:object_r:devtty_t tclass=chr_file
Jan 30 20:23:15 drake kernel: audit(1170210195.431:28): avc: denied { read } for pid=11865 comm="sh" name="drake.mydomain.com117021019577211863" dev=hda 5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:va r_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.434:29): avc: denied { write } for pid=11865 comm="reformime" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.434:30): avc: denied { add_na me } for pid=11865 comm="reformime" name="1170210195.11865-0.drake.mydomain. com" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.739:31): avc: denied { read } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:obje ct_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.755:32): avc: denied { read } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=4980740 scontext=user_u :system_r:system_mail_t tcontext=system_u:object_r:var_t tclass=lnk_file
Jan 30 20:23:15 drake kernel: audit(1170210195.795:33): avc: denied { execut e } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=us er_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:34): avc: denied { execut e_no_trans } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 sc ontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=fi le
Jan 30 20:23:15 drake kernel: audit(1170210195.796:35): avc: denied { read } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_ u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:36): avc: denied { search } for pid=11867 comm="find" name="selinux" dev=hda5 ino=557257 scontext=user_u :system_r:system_mail_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.798:37): avc: denied { read } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:sy stem_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:38): avc: denied { getatt r } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u :system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.860:39): avc: denied { read } for pid=11871 comm="rm" name="qscan" dev=hda5 ino=5130256 scontext=user_u:syst em_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.860:40): avc: denied { remove _name } for pid=11871 comm="rm" name="1170210195.11865-0.drake.mydomain.com" dev=hda5 ino=5408222 scontext=user_u:system_r:system_mail_t tcontext=user_u:obj ect_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.861:41): avc: denied { rmdir } for pid=11871 comm="rm" name="drake.mydomain.com117021019577211863" dev=hd a5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:v ar_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.873:42): avc: denied { sigchl d } for pid=1 comm="init" scontext=user_u:system_r:system_mail_t tcontext=user_ u:system_r:unconfined_t tclass=process
Any directions to fix this?
Thanks!
This looks like qmail is doing a lot more stuff then a normal sendmail
would do.
Running this log file under audit2allow gives the following rules
allow system_mail_t devtty_t:chr_file { read write };
> This probably can be ignored.
allow system_mail_t file_t:file { execute execute_no_trans read };
> Indicates something is still mislabeled.
allow system_mail_t httpd_log_t:file { ioctl read write };
> Why would mail be updating httpd_log_t
allow system_mail_t httpd_sys_script_rw_t:file read;
>Reading a script file?
allow system_mail_t selinux_config_t:dir search;
allow system_mail_t selinux_config_t:file { getattr read };
> These disappear in enforcing mode.
allow system_mail_t self:file { getattr read };
> Qmail specific
allow system_mail_t unconfined_t:process sigchld;
> qmail is somehow execing init to send a sigchld to an unconfined
process???
allow system_mail_t var_spool_t:dir { add_name create read remove_name
rmdir write };
allow system_mail_t var_spool_t:file { append create getattr ioctl link
read unlink write };
allow system_mail_t var_t:lnk_file read;
> qmail is updating files in /var/spool?
------------------------------------------------------
Mutuo da 200.000 €? Tassi ridotti da 4.25%. Solo per richieste online. Mutuionline.it
http://click.libero.it/mutuionline31ge07
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
------------------------------------------------------
Passa a Infostrada. ADSL e Telefono senza limiti e senza canone Telecom
http://click.libero.it/infostrada11feb07
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
