Bug 504260
Summary: | selinux warnings for "/" from dccproc, pyzor, file under amavisd/postfix | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ian Donaldson <iand> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 10 | CC: | dwalsh, eparis, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-11-18 13:00:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Ian Donaldson
2009-06-05 07:54:22 UTC
If you make a modified policy you must not name it with the existing name. So name the policy myamavis.te and myamavis.pp The failure is because you are replacing the existing amavis.pp The real question is why are the tools suddenly trying to getattr on the filesystem? Any chance you are running out of space on /? Can you grab the full output of ausearch -m avc, so we can see the other parts of the AVC message. Ok, thanks. Wasn't aware of the duplicate policy names; the error message didn't really give direct hints about that... As to whether there is a space issue on /, no. 17G free there. There is however a mismatch with the FC10 supplied policy and my dcc install. I compiled dcc-1.3.105 with no args to 'configure'. Policy before... # semanage fcontext -l | grep dcc /etc/dcc(/.*)? all files system_u:object_r:dcc_var_t:s0 /etc/dcc/dccifd socket system_u:object_r:dccifd_var_run_t:s0 /etc/dcc/map regular file system_u:object_r:dcc_client_map_t:s0 /usr/bin/cdcc regular file system_u:object_r:cdcc_exec_t:s0 /usr/bin/dccproc regular file system_u:object_r:dcc_client_exec_t:s0 /usr/libexec/dcc/dbclean regular file system_u:object_r:dcc_dbclean_exec_t:s0 /usr/libexec/dcc/dccd regular file system_u:object_r:dccd_exec_t:s0 /usr/libexec/dcc/dccifd regular file system_u:object_r:dccifd_exec_t:s0 /usr/libexec/dcc/dccm regular file system_u:object_r:dccm_exec_t:s0 /usr/libexec/dcc/start-.* regular file system_u:object_r:initrc_exec_t:s0 /usr/libexec/dcc/stop-.* regular file system_u:object_r:initrc_exec_t:s0 /usr/libexec/hal-dccm regular file system_u:object_r:hald_dccm_exec_t:s0 /var/dcc(/.*)? all files system_u:object_r:dcc_var_t:s0 /var/dcc/map regular file system_u:object_r:dcc_client_map_t:s0 /var/lib/dcc(/.*)? all files system_u:object_r:dcc_var_t:s0 /var/lib/dcc/map regular file system_u:object_r:dcc_client_map_t:s0 /var/run/dcc(/.*)? all files system_u:object_r:dcc_var_run_t:s0 /var/run/dcc/dccifd socket system_u:object_r:dccifd_var_run_t:s0 /var/run/dcc/map regular file system_u:object_r:dcc_client_map_t:s0 # ll /usr/bin/dccproc /bin/ls: cannot access /usr/bin/dccproc: No such file or directory # ll /usr/local/bin/dccproc -r-sr-xr-x 1 root bin 490312 May 31 11:12 /usr/local/bin/dccproc # ll -Z /usr/local/bin/dccproc -r-sr-xr-x root bin unconfined_u:object_r:bin_t:s0 /usr/local/bin/dccproc So I've modified my policy, to emulate the FC10 dcc related policy using my dcc's default paths: semanage fcontext -a -t dcc_client_exec_t /usr/local/bin/dccproc restorecon /usr/local/bin/dccproc semanage fcontext -a -t amavis_spool_t /var/dcc semanage fcontext -a -t amavis_spool_t '/var/dcc(/.*)?' semanage fcontext -a -t cdcc_exec_t /usr/local/bin/cdcc restorecon /usr/local/bin/cdcc semanage fcontext -a -t dcc_dbclean_exec_t /var/dcc/libexec/dbclean semanage fcontext -a -t dccd_exec_t /var/dcc/libexec/dccd semanage fcontext -a -t dccifd_exec_t /var/dcc/libexec/dccifd semanage fcontext -a -t dccm_exec_t /var/dcc/libexec/dccm semanage fcontext -a -t initrc_exec_t '/var/dcc/libexec/start-.*' semanage fcontext -a -t initrc_exec_t '/var/dcc/libexec/stop-.*' restorecon -R /var/dcc/libexec and added a module to fix up the startup issues. # cat dcc2.te module dcc2 1.0; require { type amavis_spool_t; type dcc_var_t; type dcc_client_t; class dir { write add_name }; class file { write read create getattr }; } #============= dcc_client_t ============== allow dcc_client_t amavis_spool_t:file { read getattr }; allow dcc_client_t dcc_var_t:dir { write add_name }; allow dcc_client_t dcc_var_t:file { write create }; based on this: type=SYSCALL msg=audit(1244452113.405:267): arch=40000003 syscall=11 success=yes exit=0 a0=bb797fc a1=a39e39c a2=bc93e90 a3=b368fac items=0 ppid=3984 pid=4332 auid=143 uid=493 gid=492 euid=0 suid=0 fsuid=0 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="dccproc" exe="/usr/local/bin/dccproc" subj=unconfined_u:system_r:dcc_client_t:s0 key=(null) type=AVC msg=audit(1244452113.405:267): avc: denied { read } for pid=4332 comm="dccproc" path="/var/spool/amavisd/tmp/.spamassassin3984yERxILtmp" dev=dm-0 ino=156072 scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=unconfined_u:object_r:amavis_spool_t:s0 tclass=file type=SYSCALL msg=audit(1244452113.411:268): arch=40000003 syscall=5 success=no exit=-13 a0=80bd524 a1=8002 a2=0 a3=8002 items=0 ppid=3984 pid=4332 auid=143 uid=493 gid=492 euid=0 suid=0 fsuid=0 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="dccproc" exe="/usr/local/bin/dccproc" subj=unconfined_u:system_r:dcc_client_t:s0 key=(null) type=AVC msg=audit(1244452113.411:275): avc: denied { write } for pid=4332 comm="dccproc" name="dcc" dev=dm-0 ino=139280 scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir type=SYSCALL msg=audit(1244452399.324:448): arch=40000003 syscall=5 success=no exit=-13 a0=80bdbc4 a1=8042 a2=1b6 a3=8042 items=0 ppid=4432 pid=4435 auid=143 uid=493 gid=492 euid=0 suid=0 fsuid=0 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="dccproc" exe="/usr/local/bin/dccproc" subj=unconfined_u:system_r:dcc_client_t:s0 key=(null) type=AVC msg=audit(1244452399.324:448): avc: denied { add_name } for pid=4435 comm="dccproc" name="whitelist.dccx" scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir type=SYSCALL msg=audit(1244452399.327:449): arch=40000003 syscall=197 success=no exit=-13 a0=0 a1=bfe40558 a2=27fff4 a3=280420 items=0 ppid=4432 pid=4435 auid=143 uid=493 gid=492 euid=493 suid=0 fsuid=493 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="dccproc" exe="/usr/local/bin/dccproc" subj=unconfined_u:system_r:dcc_client_t:s0 key=(null) type=AVC msg=audit(1244452399.327:449): avc: denied { getattr } for pid=4435 comm="dccproc" path="/var/spool/amavisd/tmp/.spamassassin4432uT2xTOtmp" dev=dm-0 ino=156070 scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=unconfined_u:object_r:amavis_spool_t:s0 tclass=file type=SYSCALL msg=audit(1244453674.406:579): arch=40000003 syscall=5 success=no exit=-13 a0=80bdbc4 a1=8042 a2=1b6 a3=8042 items=0 ppid=5076 pid=5089 auid=143 uid=493 gid=492 euid=0 suid=0 fsuid=0 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="dccproc" exe="/usr/local/bin/dccproc" subj=unconfined_u:system_r:dcc_client_t:s0 key=(null) type=AVC msg=audit(1244453674.406:579): avc: denied { create } for pid=5089 comm="dccproc" name="whitelist.dccx" scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=unconfined_u:object_r:dcc_var_t:s0 tclass=file type=SYSCALL msg=audit(1244453925.860:590): arch=40000003 syscall=5 success=no exit=-13 a0=80bdbc4 a1=8042 a2=1b6 a3=8042 items=0 ppid=5158 pid=5161 auid=143 uid=493 gid=492 euid=0 suid=0 fsuid=0 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="dccproc" exe="/usr/local/bin/dccproc" subj=unconfined_u:system_r:dcc_client_t:s0 key=(null) type=AVC msg=audit(1244453925.860:590): avc: denied { write } for pid=5161 comm="dccproc" name="whitelist.dccx" dev=dm-0 ino=139782 scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=unconfined_u:object_r type=SYSCALL msg=audit(1244454011.843:628): arch=40000003 syscall=5 success=no exit=-13 a0=80bd524 a1=8002 a2=0 a3=8002 items=0 ppid=5162 pid=5280 auid=143 uid=493 gid=492 euid=0 suid=0 fsuid=0 egid=492 sgid=492 fsgid=492 tty=(none) ses=1 comm="dccproc" exe="/usr/local/bin/dccproc" subj=unconfined_u:system_r:dcc_client_t:s0 key=(null) type=AVC msg=audit(1244454011.843:628): avc: denied { write } for pid=5280 comm="dccproc" name="whitelist.dccw" dev=dm-0 ino=139352 scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=file However I'm still seeing these: time->Mon Jun 8 09:42:41 2009 type=AVC msg=audit(1244454161.196:646): avc: denied { getattr } for pid=5333 comm="pyzor" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Mon Jun 8 09:42:41 2009 type=AVC msg=audit(1244454161.612:656): avc: denied { getattr } for pid=5334 comm="dccproc" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Mon Jun 8 09:50:05 2009 type=AVC msg=audit(1244454605.600:665): avc: denied { getattr } for pid=5424 comm="file" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Mon Jun 8 09:50:11 2009 type=AVC msg=audit(1244454611.915:666): avc: denied { getattr } for pid=5426 comm="pyzor" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Mon Jun 8 09:51:37 2009 type=AVC msg=audit(1244454697.635:667): avc: denied { getattr } for pid=5446 comm="file" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Mon Jun 8 09:51:42 2009 type=AVC msg=audit(1244454702.250:669): avc: denied { getattr } for pid=5449 comm="dccproc" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem ---- time->Mon Jun 8 09:51:41 2009 type=AVC msg=audit(1244454701.895:668): avc: denied { getattr } for pid=5448 comm="pyzor" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem (which is what you were after) correction; I had these in there but have since reverted.. to using dcc_var_t semanage fcontext -a -t amavis_spool_t /var/dcc semanage fcontext -a -t amavis_spool_t '/var/dcc(/.*)?' Ok, I've tracked down some of this (I think)... running spamassassin -t -e on a message that triggers the above when run thru amavisd reveals: 18992 execve("/usr/bin/spamassassin", ["spamassassin", "-t", "-e"], [/* 49 vars */]) = 0 18992 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f5a6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 18992 read(3, "#!/usr/bin/perl -T -w\n\neval 'exec"..., 4096) = 4096 18992 read(7, " build a new perl executable whic"..., 4096) = 4096 18993 execve("/usr/bin/pyzor", ["/usr/bin/pyzor", "check"], [/* 47 vars */]) = 0 18993 set_thread_area({entry_number:-1 -> 6, base_addr:0xb807e6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 18994 execve("/usr/local/bin/dccproc", ["/usr/local/bin/dccproc", "-H", "-x", "0", "-a", "68.142.199.252", "-R", "-w", "whitelist"], [/* 47 vars */]) = 0 18994 set_thread_area({entry_number:-1 -> 6, base_addr:0xb80cb6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 so I'm assuming that selinux is preventing the getattr on "/" from the above exec paths. However this doesn't appear to be preventing pyzor and dcc from working; I have lots of evidence that they are ok as they show up in /var/log/maillog and in quarantined messages. amavisd also likes to exec /usr/bin/file and (from inspection of source) /usr/bin/altermime to determine attachment types, which is probably related to the selinux "file" mention. Ok what is the bottom line. Looks like we need to add optional_policy(` amavis_read_spool_files(dcc_client_t) ') fs_getattr_xattr_fs(spamc_t) fs_getattr_xattr_fs(amavis_t) fs_getattr_xattr_fs(dcc_client_t) manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) Fixed in selinux-policy-3.5.13-64.fc10 This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Closing as current release |