Bug 427347
Summary: Multiple specifications /var/qmail/queue and /var/qmail/control

Product: [Fedora] Fedora
Component: selinux-policy-targeted
Status: CLOSED NOTABUG
Severity: urgent
Priority: low
Version: 7
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: David <webmaster>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Docs Contact:
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-26 22:59:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description
David
2008-01-03 12:06:23 UTC
Daniel Walsh

Did you add the context yourself using semanage fcontext -a?

If you did and you remove your mappings:

  semanage fcontext -d '/var/qmail/control(/.*)?'

Are you getting AVC messages?

David

Created attachment 290791 [details]
local.pp and .te policy before and after the targeted update

No, I added nothing.

The server has had Plesk installed and runs 23 domains. After I yum update and added the new policy (I rebooted as there was also a new kernel), I then noticed the warnings during the bootup.

When it was running I noticed there was no SMTP server running; qmail refused to start. I then changed selinux to permissive and it would run.

I tried the previous kernel, no difference, and indeed /etc/selinux/targeted/contexts/files/file_contexts does have 2 entries for /var/qmail/control and /var/qmail/queue.

I also had a local.pp policy running on the server BEFORE the update. I also have one now. I have attached both files as that should help you see what has changed. The local.pp now is massive due to the mislabels.

normal.local.pp and normal.local.te are the policy on the server before the update.

new.local.pp and new.local.te are the policy now (after adding in every single AVC error in /var/log/audit).

Is it also possible to look at including the normal.local.pp into selinux targeted?

Meantime can you suggest a fix so I can at least run with selinux enforcing? I don't like running a busy server without selinux on.

Thanks!
David
David

Created attachment 290795 [details]
qmail.pp policy

Daniel,

I found this file in /etc/selinux/targeted/modules/active/modules. It's qmail.pp.

As far as I can tell the correct policy for the contexts from this file should be:

  /var/qmail/control(/.*)?   system_u:object_r:qmail_etc_t:s0
  /var/qmail/queue(/.*)?     system_u:object_r:qmail_spool_t:s0

However, have a look at my previous local.pp and the local.pp now; it should tell you the issue.
Daniel Walsh

module local 1.0;

require {
	type unconfined_t;
	type webalizer_t;
	type pyzor_t;
	type mount_t;
	type usr_t;
	type root_t;
	type proc_t;
	type unspec_node_t;
	type initrc_t;
	type etc_mail_t;
	type inaddr_any_node_t;
	type tmp_t;
	type spamd_tmp_t;
	type httpd_sys_script_t;
	type spamd_t;
	type httpd_sys_content_t;
	type var_lib_t;
	type ndc_t;
	type sendmail_exec_t;
	type mail_spool_t;
	type system_mail_t;
	type dcc_client_t;
	type iptables_t;
	type httpd_suexec_t;
	type crond_t;
	type ftpd_t;
	type var_t;
	type httpd_t;
	class key { search link };
	class process signal;
	class unix_stream_socket { read write };
	class capability setgid;
	class file { rename execute setattr read lock create ioctl execute_no_trans write getattr link unlink append };
	class netlink_route_socket { write getattr read bind create nlmsg_read };
	class unix_dgram_socket { read write };
	class udp_socket node_bind;
	class dir { write search remove_name create add_name };
}

#============= dcc_client_t ==============
allow dcc_client_t inaddr_any_node_t:udp_socket node_bind;
allow dcc_client_t proc_t:file { read getattr };
allow dcc_client_t self:capability setgid;
allow dcc_client_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow dcc_client_t spamd_tmp_t:file { read getattr };

>>>>>> I have added these to F8/Rawhide and will back port to f7

#============= ftpd_t ==============
allow ftpd_t crond_t:key { search link };
allow ftpd_t httpd_suexec_t:key { search link };

>>>>>> I did not think pam_keyinit is in F7. Keying is broken.

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:netlink_route_socket create;
allow httpd_sys_script_t unspec_node_t:udp_socket node_bind;

>>>>> These look ok, although not something I would add to general policy.
>>>>> Is this a package that is causing this, or your own stuff?

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir search;
allow httpd_t etc_mail_t:file read;
allow httpd_t sendmail_exec_t:file { read execute getattr execute_no_trans };
allow httpd_t tmp_t:file { write ioctl };
allow httpd_t var_t:dir { write create add_name };
allow httpd_t var_t:file { read write getattr create lock };

>>>>> setsebool -P httpd_can_sendmail=1
>>>>> Should eliminate the need for some of these.
>>>>> What is apache writing to in /var?

#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };

>>>> Leaked file descriptor from app that is execing iptables

allow iptables_t var_t:file read;

>>>> What file is iptables trying to read?

#============= mount_t ==============
allow mount_t usr_t:file append;

>>>> Looks like a redirection of stdout from mount command?

#============= ndc_t ==============
allow ndc_t usr_t:file append;

>>>> Looks like a redirection of stdout from ndc command?
>>>> Some kind of log in /usr?

#============= pyzor_t ==============
allow pyzor_t var_t:dir { write create add_name };
allow pyzor_t var_t:file { write read create getattr };

>>>> What file/directory is pyzor trying to write to?

#============= spamd_t ==============
allow spamd_t dcc_client_t:process signal;
allow spamd_t mail_spool_t:dir { write remove_name search add_name };
allow spamd_t mail_spool_t:file { rename setattr read write ioctl link unlink append };
allow spamd_t root_t:dir { write add_name };
allow spamd_t root_t:file { create ioctl };
allow spamd_t tmp_t:file { write ioctl };
allow spamd_t usr_t:file append;
allow spamd_t var_t:dir { write create add_name };
allow spamd_t var_t:file { write getattr read create ioctl append };

>>>> This looks like a missing transition rule? Did spam assassin exec another tool?

#============= system_mail_t ==============
allow system_mail_t httpd_sys_content_t:file append;

#============= webalizer_t ==============
allow webalizer_t unconfined_t:unix_stream_socket { read write };
allow webalizer_t var_lib_t:file { read lock getattr write };
allow webalizer_t var_t:file write;

>>>> What file/directory is webalizer trying to write to?

Looks like qmail is not in Fedora 8 and Rawhide. I am surprised it was turned on in Fedora 7. You should probably remove it. Make sure no qmail processes are running.

  # semodule -r qmail
  # fixfiles -R qmail restore

I will remove it from Fedora 7 policy.

Did you upgrade to Fedora 8?

David

Hi Daniel, let me answer your questions.

No, this is a clean install of Fedora 7, not an upgrade. The semodule + fixfiles did not work :(

  [root@server ~]# ps aux | grep qmail
  root      3319  0.0  0.0   4004   700 pts/0    S+   09:36   0:00 grep qmail
  [root@server ~]# semodule -r qmail
  libsepol.print_missing_requirements: local's global requirements were not met: type/attribute qmail_inject_t
  libsemanage.semanage_link_sandbox: Link packages failed
  semodule: Failed!
  [root@server ~]# fixfiles -R qmail restore
  qmail not found
  [root@server ~]#

Now your policy questions:

dcc_client_t - thanks for adding this and backporting!

ftpd_t - I don't have anything special, but these events are triggered by anyone ftping in to any of the domains on the server, so something is triggering the AVC errors. Here are the pam modules installed:

  Installed Packages
  pam.i386             0.99.7.1-5.2.fc7   installed
  pam-devel.i386       0.99.7.1-5.2.fc7   installed
  pam_ccreds.i386      4-2.fc7            installed
  pam_krb5.i386        2.2.11-1           installed
  pam_passwdqc.i386    1.0.2-1.2.2        installed
  pam_pkcs11.i386      0.5.3-24           installed
  pam_smb.i386         1.1.7-7.2.1        installed

httpd_sys_script_t - again, no special package or something I have added. However I do see these AVCs occur regularly. There are sites using forums and use of apache and mysql and also mailing out info to users subscribed on certain threads. I understand you don't want to add these in general policy; however, could these be added as options, off by default, in a boolean of httpd?

httpd_t - Again this is triggered by the forums (apache) wanting to send out emails to new users registering, etc. Some of these would be fixed by "httpd can send mail", as I only noticed this boolean after I could not get email notifications sent out, so some of these are still needed even with "httpd can send mail" set to on. Any writing in /var is where the domain is.

iptables_t - there are 32 IP addresses on the server and most domains have their own SSL, so there is going to be some iptables; also plesk has its own firewall module.

All the pyzor, dcc, spamd and webalizer all write to /var (var/www/vhosts/domainname.com) for stats and for spam protection. You mentioned spamd exec another tool: yes, it does call up pyzor, razor and dcc to process emails; also if spamd is set to use a lot of the plugins (for aggressive spam protection) it will call up other modules associated. I suspect some of these are the issue.

I happen to have all the /var/log/audit/audit.log, audit.log.1 and audit.log.2 for all these events (this was before the policy change). I can put them on a ftp server for you. Total size is about 15MB, but everything is in there. Let me know whatever you need.

On the next selinux policy, I can remove local.pp, and do another run and send you the results. Is there any way meantime of fixing the qmail so I can do some more testing for you? I also don't mind having to manually edit the policy files if needed.

Thanks again!
David

David

Created attachment 290872 [details]
Here are the audit logs BEFORE the policy update
Daniel,
Here are the logs; this will have details that created the rules in the local.pp policy on the server BEFORE the update. It's only 674K archived up, but all the details are in there.
Cheers,
David
David

Daniel, any updates? I have not heard anything. Is there a way of modifying the policy to remove qmail in the meantime while I wait for a policy update? I also above answered your questions and provided the actual logs showing the policy questions on the other items you asked for.

Cheers,
David

Daniel Walsh

You need to remove your custom policy module which is referencing qmail. It will not allow the qmail policy to be removed.

  semodule -r MYPOLICY qmail

Should remove it. Then you can rebuild your policy module without the references to qmail.

David

Thanks Daniel. Did you have questions on the other policy changes I mentioned above?

Thanks!
David

David

Created attachment 291481 [details]
Audit log deleted before reboot
Daniel,
Got some small errors if you can assist please.
Ok I removed the qmail policy: semodule -r qmail
I then restored fixfiles -R psa-qmail restore
All no errors :)
However on a reboot I see this on the screen (I had to type this to excuse any
wrong spaces):
inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0)
returned 22 for dev=dm-0 ino=58163378
inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0)
returned 22 for dev=dm-0 ino=58163379
inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0)
returned 22 for dev=dm-0 ino=71172098
I am still running selinux=permissive, and I attached the audit log, it was
deleted before reboot so it will only contain the reboot and a few mins of the
server being up.
Thanks!
David
Daniel Walsh

  restorecon -R -v /etc /var

This means you still have files on disk labeled qmail_etc_t.
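The repair this thread converges on, as an added example that is not part of the bug report or of Fedora's policy tooling: a small POSIX shell script that reports duplicate file_contexts specifications (the "Multiple specifications" in the title; David saw two entries each for /var/qmail/control and /var/qmail/queue), reads the libsepol error that stopped `semodule -r qmail` to find the module still pinning it, strips the qmail_* references from that module's .te so it can be rebuilt after Daniel's `semodule -r MYPOLICY qmail`, and turns the kernel's `context_to_sid (...) returned 22` lines (22 is EINVAL: the label stored on that inode names a type the loaded policy no longer has) into inode numbers to inspect before `restorecon` relabels them. The module name local, its source local.te, the prefix qmail_, the sample file_contexts and local.te contents, and the mount point are assumptions made for the demo; only the shapes of the messages and commands come from the thread.

```shell
#!/bin/sh
# Added example (not from the bug or from Fedora's policy tooling): the checks
# behind the advice in this thread, runnable against text you already have.
#   duplicate_specs         - the "Multiple specifications" warning: one regex
#                             listed twice in file_contexts with two contexts
#   parse_requirement_error - which installed module still needs the types of
#                             the module "semodule -r" refused to remove
#   strip_type_prefix       - rewrite that module's .te without those types so
#                             it can be rebuilt after "semodule -r local qmail"
#   parse_stale_inode       - kernel "context_to_sid (...) returned 22" lines:
#                             22 is EINVAL, the on-disk label is unknown to the
#                             loaded policy; pull out the inode to inspect it
# Assumed, not taken from the bug: module name "local" (source local.te), type
# prefix "qmail_", and MNT, the mount point of the dev= in the kernel message.

duplicate_specs() {   # file_contexts lines on stdin -> "regex ctx1 ctx2"
    awk '/^[[:space:]]*#/ || NF < 2 { next }
         { re = $1; ctx = $NF }
         !(re in first) { first[re] = ctx; next }
         first[re] != ctx && !(re in seen) { seen[re] = 1; print re, first[re], ctx }' | sort
}

# "libsepol.print_missing_requirements: local's global requirements were not
#  met: type/attribute qmail_inject_t"  ->  "local qmail_inject_t"
parse_requirement_error() {
    printf '%s\n' "$1" | sed -n \
      "s/^libsepol\.print_missing_requirements: \([^']*\)'s global requirements were not met: type\/attribute \([A-Za-z0-9_]*\).*/\1 \2/p"
}

# Drop every .te line containing the prefix: the "type qmail_inject_t;" in the
# require block and any rule that names such a type; other lines pass through.
strip_type_prefix() {
    grep -vF -e "$1"
}

# "inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0)
#  returned 22 for dev=dm-0 ino=58163378"  ->  "dm-0 58163378 qmail_etc_t"
parse_stale_inode() {
    printf '%s\n' "$1" | sed -n \
      's/.*context_to_sid (\([^)]*\)) returned 22 for dev=\([^ ]*\) ino=\([0-9]*\).*/\2 \3 \1/p' |
      awk -F'[ :]' '{ print $1, $2, $5 }'
}

# Print, never run, the repair: remove the pinning module together with the
# stale one, rebuild it from the stripped .te, list the inodes the kernel
# rejected, then relabel.  Read the output before piping it to sh as root.
fix_plan() {
    mod=$1; stale=$2; mnt=$3; shift 3
    printf '%s\n' "semodule -r $mod $stale" \
                  "checkmodule -M -m -o $mod.mod $mod.te" \
                  "semodule_package -o $mod.pp -m $mod.mod" \
                  "semodule -i $mod.pp"
    for ino in "$@"; do
        printf '%s\n' "find $mnt -xdev -inum $ino -exec ls -dZ {} \;"
    done
    printf '%s\n' "restorecon -R -v /etc /var"
}

# Constructed sample input in the shapes quoted in the bug; the second
# contexts for the two qmail paths and the tiny local.te are made up.
SAMPLE_FC='/var/qmail/control(/.*)?  system_u:object_r:qmail_etc_t:s0
/var/qmail/queue(/.*)?    system_u:object_r:qmail_spool_t:s0
/var/spool/mqueue(/.*)?   system_u:object_r:mqueue_spool_t:s0
/var/qmail/control(/.*)?  system_u:object_r:etc_t:s0
/var/qmail/queue(/.*)?    system_u:object_r:var_t:s0'
ERR="libsepol.print_missing_requirements: local's global requirements were not met: type/attribute qmail_inject_t"
MSG="inode_doinit_with_dentry: context_to_sid (system_u:object_r:qmail_etc_t:s0) returned 22 for dev=dm-0 ino=58163378"
SAMPLE_TE='module local 1.0;
require {
    type httpd_t;
    type qmail_inject_t;
    class file { read getattr };
}
allow httpd_t qmail_inject_t:file { read getattr };
allow httpd_t self:file read;'

demo() {
    echo "== duplicate specifications (regex, first context, conflicting context) =="
    printf '%s\n' "$SAMPLE_FC" | duplicate_specs
    pinned=$(parse_requirement_error "$ERR")
    echo "== module ${pinned%% *} pins qmail through ${pinned#* }; local.te without it =="
    printf '%s\n' "$SAMPLE_TE" | strip_type_prefix qmail_
    echo "== repair plan =="
    fix_plan "${pinned%% *}" qmail "${MNT:-/}" "$(parse_stale_inode "$MSG" | cut -d' ' -f2)"
}
demo
```

fix_plan only prints the commands; run them as root after reading them, on the real local.te (feed `strip_type_prefix qmail_ < local.te > local.new.te` and inspect the diff first, since it drops any line containing the prefix, comments included). Note also why `fixfiles -R qmail restore` answered "qmail not found": `fixfiles -R` takes RPM package names, and on a Plesk box the package is psa-qmail, the name David used in his later comment.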