Bug 671486
Summary: | dspam to be confined | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> | ||||
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | rawhide | CC: | dwalsh, mcepl, mgrepl, nathanael | ||||
Target Milestone: | --- | Keywords: | Reopened, SELinux | ||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | dspam-3.9.0-13.el5 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2011-05-26 20:37:22 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Matěj Cepl
2011-01-21 16:15:28 UTC
Matej, could you try to treat DSPAM with spamd policy? I mean execute: # chcon -t spamd_exec_t /usr/bin/dspam # chcon -R -t spamd_var_lib_t /var/lib/dspam # chcon -R -t spamd_log_t /var/log/dspam # chcon -R -t spamd_var_run_t /var/run/dspam Test it and run # ausearch -m avc -ts recent Thanks. Created attachment 475190 [details]
output of ausearch -m AVC -ts 16:34
And this what audit2allow thinks: [root@luther ~]# ausearch -m AVC -ts 16:34 |audit2allow #============= httpd_sys_script_t ============== allow httpd_sys_script_t spamd_var_lib_t:dir { write remove_name search add_name getattr }; allow httpd_sys_script_t spamd_var_lib_t:file { setattr read lock create ioctl write getattr unlink append }; #============= postfix_smtp_t ============== allow postfix_smtp_t spamd_t:unix_stream_socket connectto; allow postfix_smtp_t tmp_t:sock_file write; #============= spamd_t ============== allow spamd_t port_t:tcp_socket name_connect; allow spamd_t self:capability net_admin; allow spamd_t tmp_t:sock_file create; #============= zarafa_deliver_t ============== allow zarafa_deliver_t ld_so_cache_t:file { read getattr }; allow zarafa_deliver_t ld_so_t:file read; allow zarafa_deliver_t lib_t:file execute; #============= zarafa_gateway_t ============== allow zarafa_gateway_t reserved_port_t:tcp_socket name_connect; Of course zarafa* AVC denials are subject to bug 574788 Ok, thanks for testing. I will send you dspam policy. Looking more into audit.log and I am seeing "dspam.socket" is created in /tmp path="/tmp/dspam.sock" I will allow it for now but "DSPAM" maintainer, could it be changed to /var/run/dspam.sock? I have sent you a new DSPAM policy which contains zarafa fixes and also a policy for the DSPAM cgi script. So just run the dspam.sh script to install this policy. Also please check paths in the dspam.fc file since you test it on RHEL5. (In reply to comment #7) > I have sent you a new DSPAM policy which contains zarafa fixes and also a > policy for the DSPAM cgi script. > > So just run the dspam.sh script to install this policy. > > Also please check paths in the dspam.fc file since you test it on RHEL5. The only difference (I don't think it is related to RHELishness, but bug 672068) is that I don't have website proper in /usr/share/dspam-web but in /var/www/dspam/, but otherwise it went smoothly, and I will report on the results soon. (In reply to comment #6) > Looking more into audit.log and I am seeing "dspam.socket" is created in /tmp > > path="/tmp/dspam.sock" > > I will allow it for now but > > "DSPAM" maintainer, > could it be changed to /var/run/dspam.sock? This is actually configurable, I will take a look. (In reply to comment #9) > This is actually configurable, I will take a look. I think the only change required is ServerDomainSocketPath variable in /etc/dspam.conf and in /etc/postfix/master.cf Does it mean, I can just remove these lines in dspam.te # FIXME # /tmp/dspam.sock type dspam_tmp_t; files_tmp_file(dspam_tmp_t) or should they be replaced by something else? (In reply to comment #10) > (In reply to comment #9) > > This is actually configurable, I will take a look. > > I think the only change required is ServerDomainSocketPath variable in > /etc/dspam.conf and in /etc/postfix/master.cf > > Does it mean, I can just remove these lines in dspam.te > > # FIXME > # /tmp/dspam.sock > type dspam_tmp_t; > files_tmp_file(dspam_tmp_t) > > or should they be replaced by something else? No, you can leave these rules in the policy file. Hello - as package maintainer I have to profess I don't use the web-ui *or* dspam as a dameon. I agree that the best default place for dspam socket for daemon mode is either /var/run/dspam/dspam.sock or /var/run/dspam.sock. I'm not sure the best, however I propose to use /var/run/dspam/dspam.sock since /var/run/dspam is 770 & owned by dspam:mail it allows anything running in the mail group access. Does that sound reasonable? From an SELinux point of view /var/run/dspam/dspam.sock is best. dspam-3.9.0-12.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/dspam-3.9.0-12.fc14 dspam-3.9.0-12.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/dspam-3.9.0-12.el5 dspam-3.9.0-13.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/dspam-3.9.0-13.fc14 dspam-3.9.0-13.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/dspam-3.9.0-13.el5 dspam-3.9.0-13.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dspam'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/dspam-3.9.0-13.el5 dspam-3.9.0-13.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. dspam-3.9.0-13.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. |