Bug 427347

Summary: Multiple specifications /var/qmail/queue and /var/qmail/control
Product: [Fedora] Fedora
Reporter: David <webmaster>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: urgent
Priority: low
Version: 7
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-02-26 22:59:18 UTC
Attachments:
  local.pp and /te policy before and after the targeted update (attachment 290791)
  qmail.pp policy (attachment 290795)
  Here are the audit logs BEFORE the policy update (attachment 290872)
  Audit log deleted before reboot (attachment 291481)

Description David 2008-01-03 12:06:23 UTC
Description of problem:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /var/qmail/queue(/.*)?  (system_u:object_r:qmail_spool_t:s0
and system_u:object_r:mail_spool_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /var/qmail/control(/.*)?  (system_u:object_r:qmail_etc_t:s0
and system_u:object_r:etc_mail_t:s0).

This update broke my production server: it resulted in qmail not starting, and I
had to change SELinux to permissive :(


Version-Release number of selected component (if applicable):

Current release 2.6.4-66.fc7
Expected results:

There should only be one correct specification

Additional info:

Comment 1 Daniel Walsh 2008-01-03 14:49:57 UTC
Did you add the context yourself using

semanage fcontext -a 

If you did, remove your mappings with

semanage fcontext -d '/var/qmail/control(/.*)?'

Are you getting AVC messages?
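
The "Multiple different specifications" warning means two loaded sources (here the updated base policy and the qmail module) map the same regex to different contexts. The following is an added example, not from this bug report and not from the selinux-policy package: a shell function that parses any file in file_contexts format and lists every regex carrying more than one distinct context. The sample file it runs on is constructed here to hold the two conflicting entries quoted in the report, plus entries that must not be flagged.

```shell
#!/bin/sh
# Added example, not from the bug report: list file-context regexes that map
# to more than one distinct context. Input is any file in file_contexts
# format ("regex [filetype] context", "#" comments). Exact repeats of the
# same regex/context pair are not conflicts and are not reported.

find_duplicate_specs() {   # usage: find_duplicate_specs FILE
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            spec = $1; ctx = $NF                # regex is first field, context is last
            key = spec SUBSEP ctx
            if (key in seen) next
            seen[key] = 1
            n[spec]++
            ctxs[spec] = (n[spec] > 1) ? ctxs[spec] " " ctx : ctx
        }
        END { for (s in n) if (n[s] > 1) printf "%s\t%s\n", s, ctxs[s] }
    ' "$1" | sort
}

# Constructed sample (not the reporter's real file): the two conflicting
# regexes from the report, one exact repeat, and two unique entries.
write_sample_fc() {   # usage: write_sample_fc FILE
    cat > "$1" <<'EOF'
# constructed excerpt in file_contexts format
/etc(/.*)?                system_u:object_r:etc_t:s0
/var/qmail/control(/.*)?  system_u:object_r:qmail_etc_t:s0
/var/qmail/queue(/.*)?    system_u:object_r:qmail_spool_t:s0
/var/qmail/control(/.*)?  system_u:object_r:etc_mail_t:s0
/var/qmail/queue(/.*)?    system_u:object_r:mail_spool_t:s0
/var/qmail/control(/.*)?  system_u:object_r:qmail_etc_t:s0
/var/spool/mail(/.*)?     system_u:object_r:mail_spool_t:s0
EOF
}

sample=$(mktemp)
write_sample_fc "$sample"
find_duplicate_specs "$sample"     # prints the two conflicting regexes with both contexts
rm -f "$sample"
```

On a live system, run it against /etc/selinux/targeted/contexts/files/file_contexts and then check `semanage fcontext -l -C`, which lists only local customizations: a regex that appears there can be dropped with `semanage fcontext -d`, while one that does not (the reporter's case) comes from two installed modules and is resolved by removing one of them, which is what the rest of the thread does.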


Comment 2 David 2008-01-03 22:16:33 UTC
Created attachment 290791 [details]
local.pp and /te policy before and after the targeted update

No I added nothing.

The server has had Plesk installed and runs 23 domains.  After I ran yum update
and added the new policy (I rebooted as there was also a new kernel), I then
noticed the warnings during bootup.

When it was running I noticed there was no SMTP server running; qmail refused to
start.  I then changed SELinux to permissive and it would run.

I tried the previous kernel, no difference and indeed
/etc/selinux/targeted/contexts/files/file_contexts does have 2 entries for
/var/qmail/control and /var/qmail/queue.

I also had a local.pp policy running on the server BEFORE the update.  I also
have one now.  I have attached both files as that should help you see what has
changed.  The local.pp now is massive due to the mislabels.

normal.local.pp and normal.locat.te are the policy on the server before the
update.

new.local.pp and new.local.te are the policy now (after adding in every single
avc error in /var/log/audit).

Is it also possible to look at including the normal.local.pp into selinux
targeted?

In the meantime, can you suggest a fix so I can at least run with SELinux
enforcing?  I don't like running a busy server without SELinux on.

Thanks!

David

Comment 3 David 2008-01-03 22:27:26 UTC
Created attachment 290795 [details]
qmail.pp policy

Daniel,

I found this file in /etc/selinux/targeted/modules/active/modules

Its qmail.pp

As far as I can tell the correct policy for the contexts from this file should
be:

/var/qmail/control(/.*)?		system_u:object_r:qmail_etc_t:s0

/var/qmail/queue(/.*)?			system_u:object_r:qmail_spool_t:s0

However, have a look at my previous local.pp and the local.pp now; it should tell
you the issue.

Comment 4 Daniel Walsh 2008-01-04 15:02:59 UTC
module local 1.0;

require {
	type unconfined_t;
	type webalizer_t;
	type pyzor_t;
	type mount_t;
	type usr_t;
	type root_t;
	type proc_t;
	type unspec_node_t;
	type initrc_t;
	type etc_mail_t;
	type inaddr_any_node_t;
	type tmp_t;
	type spamd_tmp_t;
	type httpd_sys_script_t;
	type spamd_t;
	type httpd_sys_content_t;
	type var_lib_t;
	type ndc_t;
	type sendmail_exec_t;
	type mail_spool_t;
	type system_mail_t;
	type dcc_client_t;
	type iptables_t;
	type httpd_suexec_t;
	type crond_t;
	type ftpd_t;
	type var_t;
	type httpd_t;
	class key { search link };
	class process signal;
	class unix_stream_socket { read write };
	class capability setgid;
	class file { rename execute setattr read lock create ioctl execute_no_trans write getattr link unlink append };
	class netlink_route_socket { write getattr read bind create nlmsg_read };
	class unix_dgram_socket { read write };
	class udp_socket node_bind;
	class dir { write search remove_name create add_name };
}

#============= dcc_client_t ==============
allow dcc_client_t inaddr_any_node_t:udp_socket node_bind;
allow dcc_client_t proc_t:file { read getattr };
allow dcc_client_t self:capability setgid;
allow dcc_client_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow dcc_client_t spamd_tmp_t:file { read getattr };

>>>>>> I have added these to F8/Rawhide and will back port to f7

#============= ftpd_t ==============
allow ftpd_t crond_t:key { search link };
allow ftpd_t httpd_suexec_t:key { search link };

>>>>>> I did not think pam_keyinit was in F7.  Keying is broken.

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:netlink_route_socket create;
allow httpd_sys_script_t unspec_node_t:udp_socket node_bind;

>>>>>  These look ok, although not something I would add to general policy.
>>>>>  Is this a package that is causing this, or your own stuff?

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir search;
allow httpd_t etc_mail_t:file read;
allow httpd_t sendmail_exec_t:file { read execute getattr execute_no_trans };
allow httpd_t tmp_t:file { write ioctl };
allow httpd_t var_t:dir { write create add_name };
allow httpd_t var_t:file { read write getattr create lock };

>>>>>setsebool -P httpd_can_sendmail=1  
>>>>>Should eliminate the need for some of these.
>>>>>What is apache writing to in /var?

#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };
>>>> Leaked File descriptor from app that is execing iptables
allow iptables_t var_t:file read;
>>>> What file is iptables trying to read?

#============= mount_t ==============
allow mount_t usr_t:file append;
>>>> Looks like a redirection of stdout from the mount command?

#============= ndc_t ==============
allow ndc_t usr_t:file append;
>>>> Looks like a redirection of stdout from the ndc command?

>>>>Some kind of log in /usr?

#============= pyzor_t ==============
allow pyzor_t var_t:dir { write create add_name };
allow pyzor_t var_t:file { write read create getattr };
>>>> What file/directory is pyzor trying to write to?

#============= spamd_t ==============
allow spamd_t dcc_client_t:process signal;
allow spamd_t mail_spool_t:dir { write remove_name search add_name };
allow spamd_t mail_spool_t:file { rename setattr read write ioctl link unlink append };
allow spamd_t root_t:dir { write add_name };
allow spamd_t root_t:file { create ioctl };
allow spamd_t tmp_t:file { write ioctl };
allow spamd_t usr_t:file append;
allow spamd_t var_t:dir { write create add_name };
allow spamd_t var_t:file { write getattr read create ioctl append };
>>>> This looks like a missing transition rule?  Did spam assassin exec another
tool?


#============= system_mail_t ==============
allow system_mail_t httpd_sys_content_t:file append;

#============= webalizer_t ==============
allow webalizer_t unconfined_t:unix_stream_socket { read write };
allow webalizer_t var_lib_t:file { read lock getattr write };
allow webalizer_t var_t:file write;
>>>> What file/directory is webalizer trying to write to?
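
Each of the reviewer's remarks above corresponds to a pattern that is visible in the generated rule itself. The following is an added example, not part of this bug report and not part of audit2allow: a shell function that reads an audit2allow-style .te file and flags writes to generic types (a label problem, not a policy gap), socket or fd rules whose target is another domain (a leaked descriptor), and execute_no_trans (a missing domain transition). The set of "generic" types and the tag names are this example's own choices; the .te excerpt it runs on is constructed from rules quoted in the comment above.

```shell
#!/bin/sh
# Added example, not from the bug report: a first-pass reviewer for an
# audit2allow-generated .te file. It flags three patterns, each of which
# usually calls for something other than a new allow rule:
#   RELABEL   - write access to a generic type (var_t, usr_t, ...): the file
#               is mislabelled; fix the label instead of widening the domain
#   LEAKED_FD - a socket/fd rule whose target is another domain: the parent
#               leaked a descriptor across exec; close it in the caller
#   NO_TRANS  - execute_no_trans: the program should run in its own domain
#               (a transition rule or a boolean is missing)
# The "generic" type list is this example's own watch list, not an official one.

review_te() {   # usage: review_te local.te
    awk -v generic="var_t usr_t tmp_t root_t etc_t var_lib_t" '
        BEGIN { n = split(generic, g, " "); for (i = 1; i <= n; i++) gen[g[i]] = 1 }
        {
            # Join allow rules that were wrapped across lines (as in a pasted copy).
            if (line == "") { if ($0 !~ /^[[:space:]]*allow[[:space:]]/) next; line = $0 }
            else line = line " " $0
            if (line !~ /;[[:space:]]*$/) next
            shown = line; line = ""
            sub(/^[[:space:]]+/, "", shown)
            rule = shown
            sub(/[[:space:]]*;[[:space:]]*$/, "", rule)
            gsub(/[{}]/, " ", rule)                  # "allow s t:c { p q }" -> "allow s t:c  p q "
            nf = split(rule, f, " ")                 # default splitting drops extra blanks
            src = f[2]; split(f[3], tc, ":"); tgt = tc[1]; cls = tc[2]
            writes = 0; notrans = 0
            for (i = 4; i <= nf; i++) {
                if (f[i] ~ /^(write|create|append|add_name|remove_name|unlink|rename|setattr|link)$/) writes = 1
                if (f[i] == "execute_no_trans") notrans = 1
            }
            if ((tgt in gen) && writes)
                printf "RELABEL   %s  <- writes to generic type %s\n", shown, tgt
            if (cls ~ /^(fd|unix_stream_socket|unix_dgram_socket)$/ && tgt != "self" && tgt != src)
                printf "LEAKED_FD %s  <- descriptor inherited from %s\n", shown, tgt
            if (notrans)
                printf "NO_TRANS  %s  <- %s runs inside %s instead of its own domain\n", shown, tgt, src
        }
    ' "$1"
}

# Constructed .te excerpt built from rules quoted in the comment above (one
# rule deliberately wrapped across two lines).
write_sample_te() {   # usage: write_sample_te FILE
    cat > "$1" <<'EOF'
module local 1.0;

require {
    type httpd_t; type iptables_t; type initrc_t; type webalizer_t;
    type unconfined_t; type spamd_t; type dcc_client_t; type proc_t;
    type root_t; type var_t; type sendmail_exec_t;
    class file { read execute getattr execute_no_trans create ioctl };
    class dir { write create add_name };
    class unix_dgram_socket { read write };
    class unix_stream_socket { read write };
    class capability setgid;
}

#============= dcc_client_t ==============
allow dcc_client_t proc_t:file { read getattr };
allow dcc_client_t self:capability setgid;

#============= httpd_t ==============
allow httpd_t sendmail_exec_t:file { read execute getattr execute_no_trans };
allow httpd_t var_t:dir { write create add_name };

#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };

#============= spamd_t ==============
allow spamd_t root_t:file { create
ioctl };

#============= webalizer_t ==============
allow webalizer_t unconfined_t:unix_stream_socket { read write };
EOF
}

sample=$(mktemp)
write_sample_te "$sample"
review_te "$sample"        # 2 RELABEL, 2 LEAKED_FD, 1 NO_TRANS for this sample
rm -f "$sample"
```

The dcc_client_t rules pass untouched because reading proc_t and setgid on self are ordinary for a daemon; the flagged ones are exactly those the reviewer questioned, and in each case the answer is to find the mislabelled path, the process that leaked the socket, or the boolean (httpd_can_sendmail here) before any of them goes into local.pp.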


Comment 5 Daniel Walsh 2008-01-04 15:19:34 UTC
Looks like qmail is not in Fedora 8 and Rawhide.  I am surprised it was turned on
in Fedora 7.

You should probably remove it.

Make sure no qmail processes are running.
# semodule -r qmail
# fixfiles -R qmail restore

I will remove it from Fedora 7 policy.

Comment 6 Daniel Walsh 2008-01-04 15:30:10 UTC
Did you upgrade to Fedora 8?

Comment 7 David 2008-01-04 23:06:48 UTC
Hi Daniel let me answer your questions..

No this is a clean install Fedora 7 not an upgrade.

The semodule + fixfiles did not work :(

[root@server ~]# ps aux | grep qmail
root      3319  0.0  0.0   4004   700 pts/0    S+   09:36   0:00 grep qmail
[root@server ~]# semodule -r qmail
libsepol.print_missing_requirements: local's global requirements were not met:
type/attribute qmail_inject_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
[root@server ~]# fixfiles -R qmail restore
qmail not found
[root@server ~]#

Now your policy questions..

dcc_client_t - thanks for adding this and backporting!

ftpd_t - I don't have anything special, but these events are triggered by anyone
FTPing in to any of the domains on the server, so something is triggering the
AVC errors.  Here are the pam modules installed:
Installed Packages
pam.i386                                 0.99.7.1-5.2.fc7       installed
pam-devel.i386                           0.99.7.1-5.2.fc7       installed
pam_ccreds.i386                          4-2.fc7                installed
pam_krb5.i386                            2.2.11-1               installed
pam_passwdqc.i386                        1.0.2-1.2.2            installed
pam_pkcs11.i386                          0.5.3-24               installed
pam_smb.i386                             1.1.7-7.2.1            installed

httpd_sys_script_t - again no special package or anything I have added. 
However I do see these AVCs occur regularly.  There are sites using forums that
use apache and mysql and also mail out info to users subscribed to certain
threads.  I understand you don't want to add these to general policy; however,
could these be added as off-by-default boolean options for httpd?

httpd_t - Again this is triggered by the forums (apache) wanting to send out
emails to new users registering, etc.  Some of these would be fixed by "httpd
can send mail" as I only noticed this boolean after I could not get email
notifications sent out, so some of these are still needed even with "httpd can
send mail" set to on.  Any writing in /var is where the domain is.

iptables_t - there are 32 IP addresses on the server and most domains have their
own SSL so there is going to be some iptables, also plesk has its own firewall
module.

pyzor, dcc, spamd and webalizer all write to /var
(/var/www/vhosts/domainname.com) for stats and for spam protection.  You
mentioned spamd execing another tool: yes, it does call up pyzor, razor and dcc to
process emails, and if spamd is set to use a lot of the plugins (for aggressive
spam protection) it will call up other modules associated with them.  I suspect
some of these are the issue.

I happen to have all of /var/log/audit/audit.log, audit.log.1 and audit.log.2
for all these events (this was before the policy change).  I can put them on an
ftp server for you.  Total size is about 15MB, but everything is in there.

Let me know what ever you need.  On the next selinux policy, I can remove
local.pp, and do another run and send you the results.

Is there any way in the meantime of fixing qmail so I can do some more testing
for you?  I also don't mind having to manually edit the policy files if needed.

Thanks again!

David


Comment 8 David 2008-01-04 23:13:36 UTC
Created attachment 290872 [details]
Here are the audit logs BEFORE the policy update

Daniel,

Here are the logs, this will have details that created the rules in the
local.pp policy on the server BEFORE the update.  Its only 674K archived up,
but all the details are in there.

Cheers,

David

Comment 9 David 2008-01-08 22:08:27 UTC
Daniel,

Any updates?  I have not heard anything.  Is there a way of modifying the policy
to remove qmail in the meantime while I wait for a policy update?

I also answered your questions above and provided the actual logs relating to
the policy questions on the other items you asked for.

Cheers,

David

Comment 10 Daniel Walsh 2008-01-11 13:58:13 UTC
You need to remove your custom policy module which is referencing qmail.  It
will not allow the qmail policy to be removed.  

semodule -r MYPOLICY qmail
Should remove it.

Then you can rebuild your policy module without the references to qmail.
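
The failure in comment 7 ("local's global requirements were not met: type/attribute qmail_inject_t") is the dependency described here: the local module's require block names qmail types, so the linker refuses to unload qmail while local is installed. The following is an added example, not from this bug report and not from the policycoreutils tools: a shell function that removes every statement naming a type with a given prefix from a .te file, followed by the standard checkmodule / semodule_package / semodule sequence to rebuild and reinstall it. The .te sample is constructed for the demonstration; the rebuild function is shown but only runs on a system with the SELinux toolchain.

```shell
#!/bin/sh
# Added example, not from the bug report: drop every statement in a .te file
# that names a type with a given prefix (here qmail_), so the local module can
# be rebuilt and reinstalled without the dependency that blocks
# "semodule -r qmail". Statements are ";"-terminated, so wrapped lines are
# handled; comments and the "require {" / "}" around a dropped statement
# are preserved.

strip_type_prefix() {   # usage: strip_type_prefix qmail_ local.te > local-noqmail.te
    awk -v pfx="$1" '
        BEGIN { RS = ";"; tok = "(^|[^A-Za-z0-9_])" pfx "[A-Za-z0-9_]*" }
        {
            # A record is one statement plus whatever preceded it (comments,
            # blank lines, "require {"). Find the line where the statement starts.
            n = split($0, ln, "\n"); start = n + 1
            for (i = 1; i <= n; i++)
                if (ln[i] ~ /^[[:space:]]*(allow|dontaudit|auditallow|typeattribute|type|attribute|class|role|module)[[:space:]]/) { start = i; break }
            if (start > n) { printf "%s", $0; next }       # trailing text after the last ";"
            prefix = ""; stmt = ""
            for (i = 1; i < start; i++) prefix = prefix ln[i] "\n"
            for (i = start; i <= n; i++) stmt = stmt (i > start ? "\n" : "") ln[i]
            if (stmt ~ tok) {                               # drop the statement ...
                if (prefix ~ /[^[:space:]]/) printf "%s", prefix   # ... but keep any comment/brace before it
                next
            }
            printf "%s%s;", prefix, stmt
        }
    ' "$2"
}

# Rebuild and install the cleaned module. Needs checkmodule, semodule_package
# and semodule; it is defined here for reference and not run below.
rebuild_module() {   # usage: rebuild_module local-noqmail.te
    name=${1%.te}
    checkmodule -M -m -o "$name.mod" "$1" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Constructed .te sample: a require block and rules that mix qmail types with
# types that must survive (one qmail rule is wrapped across two lines).
write_sample_te() {   # usage: write_sample_te FILE
    cat > "$1" <<'EOF'
module local 1.0;

require {
    type httpd_t;
    type qmail_inject_t;
    type qmail_spool_t;
    type mail_spool_t;
    class file { read write };
    class dir search;
}

#============= httpd_t ==============
allow httpd_t qmail_inject_t:file { read
write };
allow httpd_t qmail_spool_t:dir search;
allow httpd_t mail_spool_t:dir search;
EOF
}

sample=$(mktemp)
write_sample_te "$sample"
strip_type_prefix qmail_ "$sample"    # prints the module with every qmail_* statement removed
rm -f "$sample"
```

After `semodule -r local qmail` succeeds, `rebuild_module` on the stripped file reinstalls the local rules that do not depend on qmail; whatever the server still needs for psa-qmail then has to come from a module of its own rather than from references to types the base policy no longer defines.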

Comment 11 David 2008-01-11 22:09:24 UTC
Thanks Daniel,

Did you have questions on the other policy changes I mentioned above?

Thanks!

David

Comment 12 David 2008-01-12 23:56:00 UTC
Created attachment 291481 [details]
Audit log deleted before reboot

Daniel,

Got some small errors if you can assist please.

Ok I removed the qmail policy: semodule -r qmail

I then restored fixfiles -R psa-qmail restore

All no errors :)

However on a reboot I see this on the screen (I had to type this in, so excuse
any wrong spaces):

inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0)
returned 22 for dev=dm-0 ino=58163378

inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0)
returned 22 for dev=dm-0 ino=58163379

inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0)
returned 22 for dev=dm-0 ino=71172098

I am still running selinux=permissive, and I attached the audit log, it was
deleted before reboot so it will only contain the reboot and a few mins of the
server being up.

Thanks!

David

Comment 13 Daniel Walsh 2008-01-14 18:16:44 UTC
restorecon -R -v /etc /var

This means you still have files on disk labeled qmail_etc_t.