Bug 869059

Summary: SELinux blocks postfix <-> dspam
Product: Red Hat Enterprise Linux 6 Reporter: Patrick <rh_bugzilla>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: dwalsh, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-190.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 08:31:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
New policy for dspam
none
New Version none

Description Patrick 2012-10-22 22:03:36 UTC 
Description of problem:
On a 6.3 box it is not possible to use dspam as an anti-spam filter with postfix without disabling SELinux.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-155.el6_3.4.noarch
postfix-2.6.6-2.2.el6_1.x86_64
dspam-3.10.2-3.el6.x86_64

How reproducible:
Install 6.3 box with postfix and dspam from EPEL. Configure dspam to listen on socket in /var/run/dspam/dspam.sock, configure postfix to send all external incoming mail to dspam then send an email from an external email address and watch the SELinux AVC deny postfix to write to dspam.sock

Steps to Reproduce:
1. install postfix & dspam and configure both
2. send email
3. postfix gets denied trying to write to dspam.sock
  
Actual results:
Email is not passed on to dspam and then returned to postfix to be delivered.

Expected results:
Email passes on to dspam and is delivered back to postfix.

Additional info:

The SELinux AVC:

type=AVC msg=audit(1350942954.510:468): avc:  denied  { write } for  pid=20768 comm="lmtp" name="dspam.sock" dev=vda2 ino=9935 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1350942954.510:468): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fffafd48d10 a2=6e a3=7fffafd489c0 items=0 ppid=20760 pid=20768 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=unconfined_u:system_r:postfix_smtp_t:s0 key=(null)

# ls -Z /var/run | grep dspam
drwxrwx---. dspam  mail   system_u:object_r:var_run_t:s0   dspam

# ls -Z /var/run/dspam
-rw-rw----. dspam mail unconfined_u:object_r:initrc_var_run_t:s0 dspam.pid
srwxrwxrwx. dspam mail unconfined_u:object_r:var_run_t:s0 dspam.sock

The suggested solution is:

# grep 11350942954 /var/log/audit/audit.log | audit2allow -M postfix-dspam && cat postfix-dspam.te

module pf 1.0;

require {
	type var_run_t;
	type postfix_smtp_t;
	class sock_file write;
}

#============= postfix_smtp_t ==============
allow postfix_smtp_t var_run_t:sock_file write;


If you need any other information then please let me know.
Comment 2 Miroslav Grepl 2012-10-23 11:29:49 UTC 
Did you run dspam service by hand? I mean without init service script.
Comment 3 Patrick 2012-10-23 14:38:16 UTC 
Hi Miroslav. Thank you for looking into this. I stopped the dspam service (/sbin/service dspam stop) and then I tried to start dspam manually like this:

# su -s /bin/sh -c "/usr/bin/dspam --debug --nofork --daemon" dspam

But this does not work. I have no idea how to start it as user dspam. 
Any suggestions?

Next I tried to start dspam manually as root:

# /usr/bin/dspam --debug --nofork --daemon

This successfully started dspam as a daemon while staying in the foreground. And the problem went away. Example of a test email that was successfully delivered from postfix to dspam:

Oct 23 16:30:01 zarafa postfix/lmtp[22728]: 60D75E1: to=<patrick>, relay=test.puzzled.xs4all.nl[/var/run/dspam/dspam.sock], delay=513, delays=512/0.03/0/0.32, dsn=2.6.0, status=sent (250 2.6.0 <patrick> Message accepted for delivery)

But strangely enough I still see the following AVC in audit.log:

type=AVC msg=audit(1351003056.014:639): avc:  denied  { write } for  pid=22904 comm="lmtp" name="dspam.sock" dev=vda2 ino=5190 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1351003056.014:639): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7fff23f3a690 a2=6e a3=7fff23f3a340 items=0 ppid=22896 pid=22904 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=unconfined_u:system_r:postfix_smtp_t:s0 key=(null)

Please let me know if you need more information.
Comment 4 Miroslav Grepl 2012-10-31 14:56:53 UTC 
# /usr/bin/dspam --debug --nofork --daemon

is reason why dspam.sock was created with the bad labeling. Basically if you need to debug a daemon you can use runcon tool to make sure a daemon gets a correct process domain type.

# runcon -u system_u -r system_r -t initrc_t -- runcon -t dspam_t -- /usr/bin/dspam --debug --nofork --daemon

But we don' have a policy for dspam in the RHEL6.4. We need to backport it. We have this policy in Fedora for a while so I believe it is safe to backport it.

Milos?
Comment 5 Patrick 2012-11-01 19:00:03 UTC 
Thank you for the fix. I'll give the new selinux-policy a try and report back if I see any problems.
Comment 6 Patrick 2012-11-02 03:56:09 UTC 
Apologies for the OT but I still only see the 177 release release at
http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Is that URL the right place where I should find selinux-policy-3.7.19-178.el6?
Comment 7 Miroslav Grepl 2012-11-02 08:48:57 UTC 
It will be updated soon.
Comment 9 Patrick 2012-11-08 21:54:46 UTC 
I noticed the new selinux-policy so I installed it on the 6.3 box:

# yum update selinux-policy-3.7.19-179.el6.noarch.rpm selinux-policy-doc-3.7.19-179.el6.noarch.rpm selinux-policy-targeted-3.7.19-179.el6.noarch.rpm

Then did a relabel:

# touch /.autorelabel
# reboot

Then I tried to start dspam with:

# service dspam start

Result: it did not start and shows the following in /var/log/dspam/dspam.log:

1992: [11/08/2012 21:40:08] Creating local domain socket Permission denied

The following AVCs are reported in audit.log:

type=USER_START msg=audit(1352410808.714:15756): user pid=1989 uid=0 auid=500 ses=3 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="dspam" exe="/sbin/runuser" hostname=? addr=? terminal=pts/2 res=success'

type=CRED_ACQ msg=audit(1352410808.714:15757): user pid=1989 uid=0 auid=500 ses=3 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="dspam" exe="/sbin/runuser" hostname=? addr=? terminal=pts/2 res=success'

type=CRED_DISP msg=audit(1352410808.722:15758): user pid=1989 uid=0 auid=500 ses=3 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="dspam" exe="/sbin/runuser" hostname=? addr=? terminal=pts/2 res=success'

type=USER_END msg=audit(1352410808.722:15759): user pid=1989 uid=0 auid=500 ses=3 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="dspam" exe="/sbin/runuser" hostname=? addr=? terminal=pts/2 res=success'

type=AVC msg=audit(1352410808.726:15760): avc:  denied  { read } for  pid=1992 comm="dspam" name="localtime" dev=vda2 ino=132214 scontext=unconfined_u:system_r:dspam_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file

type=SYSCALL msg=audit(1352410808.726:15760): arch=c000003e syscall=2 success=no exit=-13 a0=3b7ff55aaf a1=0 a2=1b6 a3=2 items=0 ppid=1 pid=1992 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=12 sgid=12 fsgid=12 tty=(none) ses=3 comm="dspam" exe="/usr/bin/dspam" subj=unconfined_u:system_r:dspam_t:s0 key=(null)

type=AVC msg=audit(1352410808.758:15761): avc:  denied  { create } for  pid=1992 comm="dspam" name="dspam.sock" scontext=unconfined_u:system_r:dspam_t:s0 tcontext=unconfined_u:object_r:dspam_var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1352410808.758:15761): arch=c000003e syscall=49 success=no exit=-13 a0=17 a1=7fff2e3d9910 a2=1c a3=7fff2e3d9550 items=0 ppid=1 pid=1992 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=12 sgid=12 fsgid=12 tty=(none) ses=3 comm="dspam" exe="/usr/bin/dspam" subj=unconfined_u:system_r:dspam_t:s0 key=(null)

The inability to read localtime seems new. I can't remember seeing that one with the older policy.

Here is the label of /var/run/dspam:

# ls -Z /var/run | grep dspam
drwxrwx---. dspam    mail     system_u:object_r:dspam_var_run_t:s0 dspam

Note that /var/run/dspam is empty

I also tried starting dspam as mentioned in comment #4:

# runcon -u system_u -r system_r -t initrc_t -- runcon -t dspam_t -- /usr/bin/dspam --debug --nofork --daemon

No joy. Here are the logs and AVCs:

/var/log/dspam/dspam.log

2141: [11/08/2012 21:50:37] Daemon process starting
2141: [11/08/2012 21:50:37] Creating local domain socket Permission denied
2141: [11/08/2012 21:50:37] Daemon mode failed to start
2141: [11/08/2012 21:50:37] Daemon process exiting

/var/log/audit/audit.log

type=AVC msg=audit(1352411437.666:15768): avc:  denied  { read } for  pid=2141 comm="dspam" name="localtime" dev=vda2 ino=132214 scontext=system_u:system_r:dspam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file

type=SYSCALL msg=audit(1352411437.666:15768): arch=c000003e syscall=2 success=no exit=-13 a0=3b7ff55aaf a1=0 a2=1b6 a3=2 items=0 ppid=1915 pid=2141 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=pts2 ses=3 comm="dspam" exe="/usr/bin/dspam" subj=system_u:system_r:dspam_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1352411437.699:15769): avc:  denied  { create } for  pid=2141 comm="dspam" name="dspam.sock" scontext=system_u:system_r:dspam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dspam_var_run_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1352411437.699:15769): arch=c000003e syscall=49 success=no exit=-13 a0=17 a1=7fffae6b8fc0 a2=1c a3=7fffae6b8c00 items=0 ppid=1915 pid=2141 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=pts2 ses=3 comm="dspam" exe="/usr/bin/dspam" subj=system_u:system_r:dspam_t:s0-s0:c0.c1023 key=(null)

If you need any other information then please let me know. Thanks.
Comment 10 Miroslav Grepl 2012-11-09 07:50:47 UTC 
Patrick,
thank you for your testing. I added changes to Fedora. Will backport them to RHEL6.
Comment 11 Patrick 2012-11-09 19:07:50 UTC 
Hi Miroslav. Thank you for the quick turn around. Once available I'll give the new selinux-policy package a try and report back.
Comment 13 Patrick 2012-11-15 23:45:46 UTC 
Update on selinux-policy-3.7.19-180.el6 after doing an autorelabel: still several AVC's. Please see below.

FYI setup: postfix forwards incoming email to /var/run/dspam/dspam.sock which checks the email and injects it back into postfix on port 10026.

/etc/postfix/master.cf
10.0.0.186:smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=lmtp:unix:/var/run/dspam/dspam.sock

127.0.0.1:10026 inet    n       -       n       -       -       smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8,[::1]/128
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
#
[::1]:10026     inet    n       -       n       -       -       smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8,[::1]/128
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128


When I sent an email from a remote host I still see the following AVC's related to dspam:

type=AVC msg=audit(1353020816.581:15481): avc:  denied  { search } for  pid=3137 comm="lmtp" name="dspam" dev=vda2 ino=6089 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:dspam_var_run_t:s0 tclass=dir

type=AVC msg=audit(1353020816.581:15481): avc:  denied  { write } for  pid=3137 comm="lmtp" name="dspam.sock" dev=vda2 ino=318 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:dspam_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1353020816.581:15481): avc:  denied  { connectto } for  pid=3137 comm="lmtp" path="/var/run/dspam/dspam.sock" scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:system_r:dspam_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1353020816.581:15481): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7fff2b1bdf30 a2=6e a3=7fff2b1bdbe0 items=0 ppid=2972 pid=3137 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=unconfined_u:system_r:postfix_smtp_t:s0 key=(null)

type=AVC msg=audit(1353020816.598:15482): avc:  denied  { name_connect } for  pid=3138 comm="dspam" dest=10026 scontext=unconfined_u:system_r:dspam_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1353020816.598:15482): arch=c000003e syscall=42 success=yes exit=0 a0=19 a1=7fd36bffb6d0 a2=10 a3=302e373231206f74 items=0 ppid=1 pid=3138 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=12 sgid=12 fsgid=12 tty=(none) ses=4 comm="dspam" exe="/usr/bin/dspam" subj=unconfined_u:system_r:dspam_t:s0 key=(null)


# ls -Z /var/run | grep dspam
drwxrwx---. dspam    mail     system_u:object_r:dspam_var_run_t:s0 dspam

# ls -Z /var/run/dspam
-rw-rw----. dspam mail unconfined_u:object_r:dspam_var_run_t:s0 dspam.pid
srwxrwxrwx. dspam mail unconfined_u:object_r:dspam_var_run_t:s0 dspam.sock


The dspam cgi webinterface running on port 8009 generates the following AVC's:

type=AVC msg=audit(1353021690.958:15491): avc:  denied  { search } for  pid=3425 comm="dspam.cgi" name="data" dev=vda2 ino=6087 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1353021690.958:15491): arch=c000003e syscall=2 success=no exit=-2 a0=22a09b0 a1=0 a2=1b6 a3=3b8871dbe0 items=0 ppid=1593 pid=3425 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="dspam.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

type=AVC msg=audit(1353022089.310:15492): avc:  denied  { read } for  pid=3487 comm="dspam.cgi" name="patrick.stats" dev=vda2 ino=11947 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

type=AVC msg=audit(1353022089.310:15492): avc:  denied  { open } for  pid=3487 comm="dspam.cgi" name="patrick.stats" dev=vda2 ino=11947 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

type=SYSCALL msg=audit(1353022089.310:15492): arch=c000003e syscall=2 success=yes exit=3 a0=22a68f0 a1=0 a2=1b6 a3=3b8871dbe0 items=0 ppid=1593 pid=3487 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="dspam.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

type=AVC msg=audit(1353022089.310:15493): avc:  denied  { ioctl } for  pid=3487 comm="dspam.cgi" path="/var/lib/dspam/data/example.org/patrick/patrick.stats" dev=vda2 ino=11947 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

type=SYSCALL msg=audit(1353022089.310:15493): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff0c312810 a3=48 items=0 ppid=1593 pid=3487 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="dspam.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

type=AVC msg=audit(1353022089.310:15494): avc:  denied  { getattr } for  pid=3487 comm="dspam.cgi" path="/var/lib/dspam/data/example.org/patrick/patrick.stats" dev=vda2 ino=11947 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

type=SYSCALL msg=audit(1353022089.310:15494): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=1fc80a0 a2=1fc80a0 a3=0 items=0 ppid=1593 pid=3487 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="dspam.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

type=AVC msg=audit(1353022089.310:15495): avc:  denied  { write } for  pid=3487 comm="dspam.cgi" name="patrick" dev=vda2 ino=11944 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=dir

type=AVC msg=audit(1353022089.310:15495): avc:  denied  { add_name } for  pid=3487 comm="dspam.cgi" name="patrick.rstats" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=dir

type=AVC msg=audit(1353022089.310:15495): avc:  denied  { create } for  pid=3487 comm="dspam.cgi" name="patrick.rstats" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

type=AVC msg=audit(1353022089.310:15495): avc:  denied  { write } for  pid=3487 comm="dspam.cgi" name="patrick.rstats" dev=vda2 ino=5201 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

type=SYSCALL msg=audit(1353022089.310:15495): arch=c000003e syscall=2 success=yes exit=3 a0=22a68f0 a1=241 a2=1b6 a3=3b8871dbe0 items=0 ppid=1593 pid=3487 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="dspam.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

type=AVC msg=audit(1353022095.410:15496): avc:  denied  { search } for  pid=3574 comm="dspam.cgi" name="dspam" dev=vda2 ino=6061 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1353022095.410:15496): arch=c000003e syscall=2 success=no exit=-2 a0=924d40 a1=0 a2=1b6 a3=3b8871dbe0 items=0 ppid=3424 pid=3574 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="dspam.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

type=AVC msg=audit(1353022098.314:15497): avc:  denied  { setattr } for  pid=3599 comm="dspam.cgi" name="patrick.mbox.stamp" dev=vda2 ino=12067 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file


If you need more information please let me know. Thanks!
Comment 14 Patrick 2012-12-02 14:20:51 UTC 
Quick update after updating to selinux-policy-3.7.19-183.el6.noarch.rpm and selinux-policy-targeted-3.7.19-183.el6.noarch.rpm

When I start dspam I see no AVCs.
When I start postfix (configured to listen on port 10026 for emails injected back into postfix by dspam as found in the default dspam config/manual/howto's) I see the following AVC:

type=AVC msg=audit(1354457385.544:15702): avc:  denied  { name_bind } for  pid=7571 comm="master" src=10026 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1354457385.544:15702): arch=c000003e syscall=49 success=yes exit=0 a0=5b a1=7f34c4d85d30 a2=10 a3=7fff9ea5d22c items=0 ppid=1 pid=7571 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=20 comm="master" exe="/usr/libexec/postfix/master" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)

Which results in (I thought allow_ypbind=1 is not a good idea?):

# grep "1354457385.544:15702" /var/log/audit/audit.log | audit2allow -m dspam-fix > dspam-fix.te && cat dspam-fix.te

module dspam-fix 1.0;

require {
	type postfix_master_t;
	type port_t;
	class tcp_socket name_bind;
}

#============= postfix_master_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow postfix_master_t port_t:tcp_socket name_bind;


Next when postfix receives an email I see the following AVCs:

type=AVC msg=audit(1354457653.521:15703): avc:  denied  { search } for  pid=7595 comm="opendkim" name="spool" dev=vda2 ino=473 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1354457653.521:15703): arch=c000003e syscall=2 success=yes exit=6 a0=1c5d810 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=7595 auid=500 uid=497 gid=12 euid=497 suid=497 fsuid=497 egid=12 sgid=12 fsgid=12 tty=(none) ses=4 comm="opendkim" exe=2F7573722F7362696E2F6F70656E646B696D202864656C6574656429 subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1354457653.684:15704): avc:  denied  { search } for  pid=7600 comm="lmtp" name="dspam" dev=vda2 ino=6089 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:dspam_var_run_t:s0 tclass=dir
type=AVC msg=audit(1354457653.684:15704): avc:  denied  { write } for  pid=7600 comm="lmtp" name="dspam.sock" dev=vda2 ino=320 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:dspam_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1354457653.684:15704): avc:  denied  { connectto } for  pid=7600 comm="lmtp" path="/var/run/dspam/dspam.sock" scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:system_r:dspam_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1354457653.684:15704): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7fff48c15040 a2=6e a3=7fff48c14cf0 items=0 ppid=7571 pid=7600 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=20 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=unconfined_u:system_r:postfix_smtp_t:s0 key=(null)

type=AVC msg=audit(1354457653.697:15705): avc:  denied  { name_connect } for  pid=7601 comm="dspam" dest=10026 scontext=unconfined_u:system_r:dspam_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1354457653.697:15705): arch=c000003e syscall=42 success=yes exit=0 a0=19 a1=7f8b4f1e56d0 a2=10 a3=302e373231206f74 items=0 ppid=1 pid=7601 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=12 sgid=12 fsgid=12 tty=(none) ses=20 comm="dspam" exe="/usr/bin/dspam" subj=unconfined_u:system_r:dspam_t:s0 key=(null)

Which results in:

# grep "1354457653" /var/log/audit/audit.log | audit2allow -m dspam-fix > dspam-fix.te && cat dspam-fix.te

module dspam-fix 1.0;

require {
	type dspam_var_run_t;
	type dkim_milter_t;
	type dspam_t;
	type var_spool_t;
	type port_t;
	type postfix_smtp_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
	class tcp_socket name_connect;
}

#============= dkim_milter_t ==============
allow dkim_milter_t var_spool_t:dir search;

#============= dspam_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow dspam_t port_t:tcp_socket name_connect;

#============= postfix_smtp_t ==============
allow postfix_smtp_t dspam_t:unix_stream_socket connectto;
allow postfix_smtp_t dspam_var_run_t:dir search;
allow postfix_smtp_t dspam_var_run_t:sock_file write;


The "allow dkim_milter_t var_spool_t:dir search;" is perhaps related to 
https://bugzilla.redhat.com/show_bug.cgi?id=877236#c4

Hope this helps. Please let me know if you need more information. Thanks!
Comment 15 Miroslav Grepl 2012-12-03 09:17:35 UTC 
Is tcp/10026 port used by default in the config file?
Comment 16 Miroslav Grepl 2012-12-03 09:36:43 UTC 
I added fixes to Fedora. Will backport them.
Comment 17 Patrick 2012-12-03 14:33:57 UTC 
(In reply to comment #15)
> Is tcp/10026 port used by default in the config file?

Port 10026 is used by default in the DSPAM documentation how to make DSPAM talk to postfix:

http://dspam.git.sourceforge.net/git/gitweb.cgi?p=dspam/dspam;a=blob_plain;f=doc/postfix.txt;hb=HEAD

---

You'll also need to configure DSPAM to pass the good mail back into Postfix.
Comment out any "TrustedDeliveryAgent" option in dspam.conf and replace it
with the options below. We'll use local TCP port 10026 in our example.

DeliveryHost		127.0.0.1
DeliveryPort		10026
DeliveryIdent		localhost
DeliveryProto		SMTP

This tells DSPAM to deliver using SMTP to port 10026 on the local machine.
We'll configure Postfix to listen on this port for reinjection.

---

But in the default *config* DSPAM uses port 24 which I have never seen used nor mentioned in any HOWTO, mailing list post, guide or blogpost.

http://dspam.git.sourceforge.net/git/gitweb.cgi?p=dspam/dspam;a=blob;f=src/dspam.conf.in;h=233e2e4a403028b2eb9f4715d2af43c6b9ac1e0c;hb=HEAD

---

# If you would like to set up DeliveryHost's on a per-domain basis, use
# the syntax: DeliveryHost.example.org 1.2.3.4
#
#DeliveryHost           127.0.0.1
#DeliveryPort           24
#DeliveryIdent          localhost
#DeliveryProto          LMTP

---
Comment 18 Patrick 2012-12-04 05:26:34 UTC 
Just tried the 184 release and here are the results:

Postfix fails to start up when configured to listen on TCP port 10026 for email from DSPAM. Here is the AVC:

type=AVC msg=audit(1354597916.267:15537): avc:  denied  { name_bind } for  pid=5257 comm="master" src=10026 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:dspam_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1354597916.267:15537): arch=c000003e syscall=49 success=no exit=-13 a0=5b a1=7f843b702d30 a2=10 a3=7fffad896ddc items=0 ppid=1 pid=5257 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=18 comm="master" exe="/usr/libexec/postfix/master" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)

Which results in:

# grep "1354597916.267:15537" /var/log/audit/audit.log | audit2allow -m pf-ds > pf-ds.te && cat pf-ds.te

module bla 1.0;

require {
	type dspam_port_t;
	type postfix_master_t;
	class tcp_socket name_bind;
}

#============= postfix_master_t ==============
allow postfix_master_t dspam_port_t:tcp_socket name_bind;



Just to be clear, here are the steps an email takes:

0) Postfix listens on port 25, 587 and on TCP port 10026
1) an email is received by Postfix
2) Postfix sends the email to DSPAM via a UNIX domain socket like /var/run/dspam/dspam.sock or via a TCP socket
3) DSPAM receives email and processes it
4) DSPAM reinjects the email back into Postfix by sending it to TCP port 10026
5) Postfix receives the email and further processes it

If you need more information please let me know. Thanks.
Comment 19 Miroslav Grepl 2012-12-04 14:59:13 UTC 
Fixed in selinux-policy-3.7.19-185.el6
Comment 20 Patrick 2012-12-06 17:20:18 UTC 
Hi Miroslav. Just tried the 185 release with the UNIX domain socket config and TCP port 10026 and everything worked as expected and not a single AVC in sight :-) Thank you very much for your efforts!
Comment 22 Patrick 2012-12-19 17:08:43 UTC 
With dspam's main functionality working let's move on to the AVCs caused by the dspam-web subpackage. Dspam-web is the perl based webinterface showing statistics and offers per user and admin management capabilities of dspam behavior.

Installed: 
selinux-policy-3.7.19-187.el6.noarch.rpm
selinux-policy-targeted-3.7.19-187.el6.noarch.rpm


The following AVC is generated when logging into the dspam web interface:

type=AVC msg=audit(1355934358.752:558): avc:  denied  { search } for  pid=7559 comm="dspam.cgi" name="dspam" dev=vda2 ino=6061 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1355934358.752:558): arch=c000003e syscall=2 success=no exit=-13 a0=1033140 a1=0 a2=1b6 a3=3b6131dbe0 items=0 ppid=4549 pid=7559 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=20 comm="dspam.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

Which results in:

# grep "1355934358.752:558" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type dspam_var_lib_t;
	class dir search;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dspam_var_lib_t:dir search;


And this AVC:

type=AVC msg=audit(1355934928.017:586): avc:  denied  { read } for  pid=7912 comm="dspam.cgi" name="patrick.stats" dev=vda2 ino=11947 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

Which results in:

# grep "1355934928.017:586" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type httpd_dspam_rw_content_t;
	class file { read open };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_dspam_rw_content_t:file { read open };


And this AVC:

type=AVC msg=audit(1355934928.017:586): avc:  denied  { open } for  pid=7912 comm="dspam.cgi" name="patrick.stats" dev=vda2 ino=11947 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

Which results in:

# grep "1355934928.017:586" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type httpd_dspam_rw_content_t;
	class file { read open };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_dspam_rw_content_t:file { read open };


And this AVC:

type=AVC msg=audit(1355934928.017:587): avc:  denied  { ioctl } for  pid=7912 comm="dspam.cgi" path="/var/lib/dspam/data/mailguard.nl/patrick/patrick.stats" dev=vda2 ino=11947 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

Which results in:

# grep "1355934928.017:587" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type httpd_dspam_rw_content_t;
	class file ioctl;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_dspam_rw_content_t:file ioctl;


AND this AVC:

type=AVC msg=audit(1355934928.017:588): avc:  denied  { getattr } for  pid=7912 comm="dspam.cgi" path="/var/lib/dspam/data/mailguard.nl/patrick/patrick.stats" dev=vda2 ino=11947 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

Which results in:

# grep "1355934928.017:588" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type httpd_dspam_rw_content_t;
	class file getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_dspam_rw_content_t:file getattr;


And this AVC:

type=AVC msg=audit(1355935114.373:589): avc:  denied  { write } for  pid=8017 comm="dspam.cgi" name="patrick.mbox.size" dev=vda2 ino=10013 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

Which results in:

# grep "1355935114.373:589" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type httpd_dspam_rw_content_t;
	class file write;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_dspam_rw_content_t:file write;


And this AVC:

type=AVC msg=audit(1355935114.373:590): avc:  denied  { setattr } for  pid=8017 comm="dspam.cgi" name="patrick.mbox.stamp" dev=vda2 ino=12067 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_dspam_rw_content_t:s0 tclass=file

Which results in:

# grep "1355935114.373:590" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type httpd_dspam_rw_content_t;
	class file setattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_dspam_rw_content_t:file setattr;


And this AVC:

type=AVC msg=audit(1355935277.727:591): avc:  denied  { getattr } for  pid=8097 comm="admin.cgi" path="/var/lib/dspam/system.log" dev=vda2 ino=5326 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=file

Which results in:

# grep "1355935277.727:591" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type dspam_var_lib_t;
	class file getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dspam_var_lib_t:file getattr;


And this AVC:

type=AVC msg=audit(1355935277.728:592): avc:  denied  { read } for  pid=8097 comm="admin.cgi" name="system.log" dev=vda2 ino=5326 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=file

Which results in:

# grep "1355935277.728:592" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type dspam_var_lib_t;
	class file { read open };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dspam_var_lib_t:file { read open };


And this AVC:

type=AVC msg=audit(1355935277.728:592): avc:  denied  { read } for  pid=8097 comm="admin.cgi" name="system.log" dev=vda2 ino=5326 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=file

Which results in:

# grep "1355935277.728:592" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type dspam_var_lib_t;
	class file { read open };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dspam_var_lib_t:file { read open };


And this AVC:

type=AVC msg=audit(1355935277.728:592): avc:  denied  { open } for  pid=8097 comm="admin.cgi" name="system.log" dev=vda2 ino=5326 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=file

Which is covered by the previous module description.


And this AVC:

type=AVC msg=audit(1355935277.728:593): avc:  denied  { ioctl } for  pid=8097 comm="admin.cgi" path="/var/lib/dspam/system.log" dev=vda2 ino=5326 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=file

Which results in:

# grep "1355935277.728:593" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type dspam_var_lib_t;
	class file ioctl;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dspam_var_lib_t:file ioctl;


And this AVC:

type=AVC msg=audit(1355935277.822:594): avc:  denied  { getattr } for  pid=8103 comm="ps" path="/proc/1" dev=proc ino=7747 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir

Which results in :

# grep "1355935277.822:594" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type init_t;
	class dir getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t init_t:dir getattr;


And these AVCs:

type=AVC msg=audit(1355935277.823:595): avc:  denied  { search } for  pid=8103 comm="ps" name="1" dev=proc ino=7747 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1355935277.823:595): avc:  denied  { read } for  pid=8103 comm="ps" name="stat" dev=proc ino=7859 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1355935277.823:595): avc:  denied  { open } for  pid=8103 comm="ps" name="stat" dev=proc ino=7859 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file

Which results in:

# grep "1355935277.823:595" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type init_t;
	class dir search;
	class file { read open };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t init_t:dir search;
allow httpd_sys_script_t init_t:file { read open };


And this AVC:

type=AVC msg=audit(1355935277.824:596): avc:  denied  { getattr } for  pid=8103 comm="ps" path="/proc/2" dev=proc ino=7748 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir

Which results in:

# grep "1355935277.824:596" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type kernel_t;
	type httpd_sys_script_t;
	class dir getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t kernel_t:dir getattr;


And this AVC:

type=AVC msg=audit(1355935277.934:662): avc:  denied  { lock } for  pid=8107 comm="uptime" path="/var/run/utmp" dev=vda2 ino=18 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Which results in:

# grep "1355935277.934:662" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type initrc_var_run_t;
	type httpd_sys_script_t;
	class file lock;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t initrc_var_run_t:file lock;


And these AVCs:

type=AVC msg=audit(1355935277.944:663): avc:  denied  { write } for  pid=8109 comm="mailq" name="log" dev=devtmpfs ino=10384 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1355935277.944:663): avc:  denied  { sendto } for  pid=8109 comm="mailq" path="/dev/log" scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1355935277.944:663): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7f8bf9f1e1a0 a2=6e a3=0 items=0 ppid=8108 pid=8109 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=20 comm="mailq" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

Which results in:

# grep "1355935277.944:663" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type syslogd_t;
	type httpd_sys_script_t;
	type devlog_t;
	class sock_file write;
	class unix_dgram_socket sendto;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t devlog_t:sock_file write;
allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;


And this AVC:

type=AVC msg=audit(1355935277.951:664): avc:  denied  { search } for  pid=8109 comm="mailq" name="postfix" dev=vda2 ino=1415 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir


Which results in:

# grep "1355935277.951:664" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type postfix_spool_t;
	class dir search;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t postfix_spool_t:dir search;


And these AVCs:

type=AVC msg=audit(1355935278.022:665): avc:  denied  { search } for  pid=8109 comm="postqueue" name="public" dev=vda2 ino=1427 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=dir
type=AVC msg=audit(1355935278.022:665): avc:  denied  { write } for  pid=8109 comm="postqueue" name="showq" dev=vda2 ino=4817 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1355935278.022:665): avc:  denied  { connectto } for  pid=8109 comm="postqueue" path="/var/spool/postfix/public/showq" scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket

Which results in:

# grep "1355935278.022:665" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_sys_script_t;
	type postfix_public_t;
	type postfix_master_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t postfix_master_t:unix_stream_socket connectto;
allow httpd_sys_script_t postfix_public_t:dir search;
allow httpd_sys_script_t postfix_public_t:sock_file write;


The file layout of dspam-web is as follows:

/etc/httpd/conf.d/dspam-web.conf
/var/www/dspam
/var/www/dspam/admin.cgi
/var/www/dspam/admingraph.cgi
/var/www/dspam/admins
/var/www/dspam/base.css
/var/www/dspam/configure.pl
/var/www/dspam/default.prefs
/var/www/dspam/dspam-logo-small.gif
/var/www/dspam/dspam.cgi
/var/www/dspam/dspam.js
/var/www/dspam/graph.cgi
/var/www/dspam/rgb.txt
/var/www/dspam/rtl.css
/var/www/dspam/templates
/var/www/dspam/templates/cs
/var/www/dspam/templates/cs/nav_admin_error.html
/var/www/dspam/templates/cs/nav_admin_preferences.html
/var/www/dspam/templates/cs/nav_admin_status.html
/var/www/dspam/templates/cs/nav_admin_user.html
/var/www/dspam/templates/cs/nav_alerts.html
/var/www/dspam/templates/cs/nav_analysis.html
/var/www/dspam/templates/cs/nav_error.html
/var/www/dspam/templates/cs/nav_fragment.html
/var/www/dspam/templates/cs/nav_history.html
/var/www/dspam/templates/cs/nav_performance.html
/var/www/dspam/templates/cs/nav_preferences.html
/var/www/dspam/templates/cs/nav_quarantine.html
/var/www/dspam/templates/cs/nav_viewmessage.html
/var/www/dspam/templates/cs/strings.pl
/var/www/dspam/templates/de
/var/www/dspam/templates/de/nav_admin_error.html
/var/www/dspam/templates/de/nav_admin_preferences.html
/var/www/dspam/templates/de/nav_admin_status.html
/var/www/dspam/templates/de/nav_admin_user.html
/var/www/dspam/templates/de/nav_alerts.html
/var/www/dspam/templates/de/nav_analysis.html
/var/www/dspam/templates/de/nav_error.html
/var/www/dspam/templates/de/nav_fragment.html
/var/www/dspam/templates/de/nav_history.html
/var/www/dspam/templates/de/nav_performance.html
/var/www/dspam/templates/de/nav_preferences.html
/var/www/dspam/templates/de/nav_quarantine.html
/var/www/dspam/templates/de/nav_viewmessage.html
/var/www/dspam/templates/de/strings.pl
/var/www/dspam/templates/fr
/var/www/dspam/templates/fr/nav_admin_error.html
/var/www/dspam/templates/fr/nav_admin_preferences.html
/var/www/dspam/templates/fr/nav_admin_status.html
/var/www/dspam/templates/fr/nav_admin_user.html
/var/www/dspam/templates/fr/nav_alerts.html
/var/www/dspam/templates/fr/nav_analysis.html
/var/www/dspam/templates/fr/nav_error.html
/var/www/dspam/templates/fr/nav_fragment.html
/var/www/dspam/templates/fr/nav_history.html
/var/www/dspam/templates/fr/nav_performance.html
/var/www/dspam/templates/fr/nav_preferences.html
/var/www/dspam/templates/fr/nav_quarantine.html
/var/www/dspam/templates/fr/nav_viewmessage.html
/var/www/dspam/templates/fr/strings.pl
/var/www/dspam/templates/he
/var/www/dspam/templates/he/nav_admin_error.html
/var/www/dspam/templates/he/nav_admin_preferences.html
/var/www/dspam/templates/he/nav_admin_status.html
/var/www/dspam/templates/he/nav_admin_user.html
/var/www/dspam/templates/he/nav_alerts.html
/var/www/dspam/templates/he/nav_analysis.html
/var/www/dspam/templates/he/nav_error.html
/var/www/dspam/templates/he/nav_fragment.html
/var/www/dspam/templates/he/nav_history.html
/var/www/dspam/templates/he/nav_performance.html
/var/www/dspam/templates/he/nav_preferences.html
/var/www/dspam/templates/he/nav_quarantine.html
/var/www/dspam/templates/he/nav_viewmessage.html
/var/www/dspam/templates/he/strings.pl
/var/www/dspam/templates/nav_admin_error.html
/var/www/dspam/templates/nav_admin_preferences.html
/var/www/dspam/templates/nav_admin_status.html
/var/www/dspam/templates/nav_admin_user.html
/var/www/dspam/templates/nav_alerts.html
/var/www/dspam/templates/nav_analysis.html
/var/www/dspam/templates/nav_error.html
/var/www/dspam/templates/nav_fragment.html
/var/www/dspam/templates/nav_history.html
/var/www/dspam/templates/nav_performance.html
/var/www/dspam/templates/nav_preferences.html
/var/www/dspam/templates/nav_quarantine.html
/var/www/dspam/templates/nav_viewmessage.html
/var/www/dspam/templates/ro
/var/www/dspam/templates/ro/nav_admin_error.html
/var/www/dspam/templates/ro/nav_admin_preferences.html
/var/www/dspam/templates/ro/nav_admin_status.html
/var/www/dspam/templates/ro/nav_admin_user.html
/var/www/dspam/templates/ro/nav_alerts.html
/var/www/dspam/templates/ro/nav_analysis.html
/var/www/dspam/templates/ro/nav_error.html
/var/www/dspam/templates/ro/nav_fragment.html
/var/www/dspam/templates/ro/nav_history.html
/var/www/dspam/templates/ro/nav_performance.html
/var/www/dspam/templates/ro/nav_preferences.html
/var/www/dspam/templates/ro/nav_quarantine.html
/var/www/dspam/templates/ro/nav_viewmessage.html
/var/www/dspam/templates/ru
/var/www/dspam/templates/ru/nav_admin_error.html
/var/www/dspam/templates/ru/nav_admin_preferences.html
/var/www/dspam/templates/ru/nav_admin_status.html
/var/www/dspam/templates/ru/nav_admin_user.html
/var/www/dspam/templates/ru/nav_alerts.html
/var/www/dspam/templates/ru/nav_analysis.html
/var/www/dspam/templates/ru/nav_error.html
/var/www/dspam/templates/ru/nav_fragment.html
/var/www/dspam/templates/ru/nav_history.html
/var/www/dspam/templates/ru/nav_performance.html
/var/www/dspam/templates/ru/nav_preferences.html
/var/www/dspam/templates/ru/nav_quarantine.html
/var/www/dspam/templates/ru/nav_viewmessage.html
/var/www/dspam/templates/ru/strings.pl
/var/www/dspam/templates/strings.pl


I hope I got all of them. If you need more information please let me know. Thanks!
Comment 23 Daniel Walsh 2012-12-19 17:11:18 UTC 
Looks like dspam.cgi is mislabeled.

/usr/share/dspam-web/dspam\.cgi	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)

Is there a different path?
Comment 24 Patrick 2012-12-19 17:28:41 UTC 
Hi Dan. I'm not sure what you mean with "Is there a different path". FYI: all dspam-web files live under /var/www/dspam:

# rpm -ql dspam-web | grep cgi
/var/www/dspam/admin.cgi
/var/www/dspam/admingraph.cgi
/var/www/dspam/dspam.cgi
/var/www/dspam/graph.cgi

Please let me know if you need more information. Thanks!
Comment 25 Daniel Walsh 2012-12-19 18:04:46 UTC 
# semanage fcontext -a -t httpd_dspam_script_exec_t '/var/www/dspam/.*\.cgi'
# restorecon -R -v /var/www


I will fix the labeling in the policy.
Comment 26 Miroslav Grepl 2012-12-20 10:22:56 UTC 
Patrick,
could you test what Dan suggested?

I would like to see it there is another issue?

Thank you.
Comment 27 Patrick 2012-12-20 12:32:17 UTC 
Executed Dan's instructions resulting in:

# ls -Z /var/www/ | grep dspam
drwxr-xr-x. dspam dspam system_u:object_r:httpd_sys_content_t:s0 dspam
-rw-r--r--. root  root  system_u:object_r:httpd_sys_content_t:s0 dspam-passwd

# ls -Z /var/www/dspam | grep cgi
-rwxr-xr-x. dspam dspam system_u:object_r:httpd_dspam_script_exec_t:s0 admin.cgi
-rwxr-xr-x. dspam dspam system_u:object_r:httpd_dspam_script_exec_t:s0 admingraph.cgi
-rwxr-xr-x. dspam dspam system_u:object_r:httpd_dspam_script_exec_t:s0 dspam.cgi
-rwxr-xr-x. dspam dspam system_u:object_r:httpd_dspam_script_exec_t:s0 graph.cgi

I now see the following AVCs:

type=AVC msg=audit(1356005790.330:946): avc:  denied  { read } for  pid=12919 comm="dspam.cgi" name="templates" dev=vda2 ino=6110 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=AVC msg=audit(1356005790.350:947): avc:  denied  { search } for  pid=12924 comm="dspam_admin" name="lib" dev=vda2 ino=14 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

type=AVC msg=audit(1356005790.350:947): avc:  denied  { write } for  pid=12924 comm="dspam_admin" name="mysql.sock" dev=vda2 ino=501 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1356005790.350:947): avc:  denied  { connectto } for  pid=12924 comm="dspam_admin" path="/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1356005790.375:948): avc:  denied  { search } for  pid=12919 comm="dspam.cgi" name="dspam" dev=vda2 ino=6061 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:dspam_var_lib_t:s0 tclass=dir

type=AVC msg=audit(1356006002.780:1078): avc:  denied  { write } for  pid=15037 comm="dspam_admin" name="mysql.sock" dev=vda2 ino=501 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1356006041.967:1079): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/1109" dev=proc ino=11018 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir

type=AVC msg=audit(1356006041.968:1080): avc:  denied  { search } for  pid=15114 comm="ps" name="1109" dev=proc ino=11018 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=dir
type=AVC msg=audit(1356006041.968:1080): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=11040 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file
type=AVC msg=audit(1356006041.968:1080): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=11040 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=file

type=AVC msg=audit(1356006041.969:1081): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/1565" dev=proc ino=11804 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_gateway_t:s0 tclass=dir

type=AVC msg=audit(1356006041.970:1082): avc:  denied  { search } for  pid=15114 comm="ps" name="1565" dev=proc ino=11804 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_gateway_t:s0 tclass=dir

type=AVC msg=audit(1356006041.970:1082): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=11855 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_gateway_t:s0 tclass=file

type=AVC msg=audit(1356006041.970:1082): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=11855 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_gateway_t:s0 tclass=file

type=AVC msg=audit(1356006041.971:1083): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/1578" dev=proc ino=11806 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_ical_t:s0 tclass=dir

type=AVC msg=audit(1356006041.971:1084): avc:  denied  { search } for  pid=15114 comm="ps" name="1578" dev=proc ino=11806 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_ical_t:s0 tclass=dir
type=AVC msg=audit(1356006041.971:1084): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=11861 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_ical_t:s0 tclass=file
type=AVC msg=audit(1356006041.971:1084): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=11861 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_ical_t:s0 tclass=file

type=AVC msg=audit(1356006041.971:1085): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/1591" dev=proc ino=11808 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_monitor_t:s0 tclass=dir

type=AVC msg=audit(1356006041.972:1086): avc:  denied  { search } for  pid=15114 comm="ps" name="1591" dev=proc ino=11808 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_monitor_t:s0 tclass=dir

type=AVC msg=audit(1356006041.972:1086): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=11867 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_monitor_t:s0 tclass=file

type=AVC msg=audit(1356006041.972:1087): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/1603" dev=proc ino=11738 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir

type=AVC msg=audit(1356006041.976:1088): avc:  denied  { search } for  pid=15114 comm="ps" name="1603" dev=proc ino=11738 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1356006041.976:1088): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=11870 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file
type=AVC msg=audit(1356006041.976:1088): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=11870 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file

type=AVC msg=audit(1356006041.976:1089): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/1617" dev=proc ino=11745 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:system_r:zarafa_spooler_t:s0 tclass=dir

type=AVC msg=audit(1356006041.983:1097): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/7535" dev=proc ino=300408 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=dir

type=AVC msg=audit(1356006041.984:1098): avc:  denied  { search } for  pid=15114 comm="ps" name="7535" dev=proc ino=300408 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=dir
type=AVC msg=audit(1356006041.984:1098): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=300478 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=file
type=AVC msg=audit(1356006041.984:1098): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=300478 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=file

type=AVC msg=audit(1356006041.984:1099): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/7538" dev=proc ino=300410 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_qmgr_t:s0 tclass=dir

type=AVC msg=audit(1356006041.984:1100): avc:  denied  { search } for  pid=15114 comm="ps" name="7538" dev=proc ino=300410 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_qmgr_t:s0 tclass=dir
type=AVC msg=audit(1356006041.984:1100): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=300484 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_qmgr_t:s0 tclass=file
type=AVC msg=audit(1356006041.984:1100): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=300484 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_qmgr_t:s0 tclass=file

type=AVC msg=audit(1356006041.984:1101): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/9337" dev=proc ino=323431 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=dir

type=AVC msg=audit(1356006041.984:1102): avc:  denied  { search } for  pid=15114 comm="ps" name="9337" dev=proc ino=323431 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=dir
type=AVC msg=audit(1356006041.984:1102): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=323477 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=file
type=AVC msg=audit(1356006041.984:1102): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=323477 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=file

type=AVC msg=audit(1356006041.985:1103): avc:  denied  { getattr } for  pid=15114 comm="ps" path="/proc/12906" dev=proc ino=483801 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_pickup_t:s0 tclass=dir

type=AVC msg=audit(1356006041.985:1104): avc:  denied  { search } for  pid=15114 comm="ps" name="12906" dev=proc ino=483801 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_pickup_t:s0 tclass=dir
type=AVC msg=audit(1356006041.985:1104): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=483833 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_pickup_t:s0 tclass=file
type=AVC msg=audit(1356006041.985:1104): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=483833 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_pickup_t:s0 tclass=file

type=AVC msg=audit(1356006041.985:1105): avc:  denied  { read } for  pid=15114 comm="ps" name="stat" dev=proc ino=489678 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_showq_t:s0 tclass=file
type=AVC msg=audit(1356006041.985:1105): avc:  denied  { open } for  pid=15114 comm="ps" name="stat" dev=proc ino=489678 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_showq_t:s0 tclass=file

type=AVC msg=audit(1356006041.990:1106): avc:  denied  { read } for  pid=15120 comm="uptime" name="utmp" dev=vda2 ino=18 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1356006041.990:1106): avc:  denied  { open } for  pid=15120 comm="uptime" name="utmp" dev=vda2 ino=18 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

type=AVC msg=audit(1356006041.990:1107): avc:  denied  { lock } for  pid=15120 comm="uptime" path="/var/run/utmp" dev=vda2 ino=18 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

type=AVC msg=audit(1356006042.001:1108): avc:  denied  { write } for  pid=15122 comm="mailq" name="log" dev=devtmpfs ino=10384 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file

type=AVC msg=audit(1356006042.001:1109): avc:  denied  { create } for  pid=15122 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=tcp_socket


Please let me know if you need more information. Thanks!
Comment 28 Daniel Walsh 2012-12-20 14:46:32 UTC 
Created attachment 666700 [details]
New policy for dspam

Could you download this file to /tmp and login as root.
Execute

tar -xvf dspam.tgz
make -f /usr/share/selinux/devel/Makefile dspam.pp
semodule -i dspam.pp
restorecon -R -v /var/www/dspam

And try your test again.
Comment 29 Patrick 2012-12-20 15:07:17 UTC 
Hi Dan. Thank you for your feedback. With dspam.pp installed and the restorecon executed I see the following AVCs when accessing the dspam web interface:

type=AVC msg=audit(1356015514.693:1232): avc:  denied  { create } for  pid=16792 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=tcp_socket

type=AVC msg=audit(1356015557.321:1233): avc:  denied  { search } for  pid=16813 comm="dspam_stats" name="lib" dev=vda2 ino=14 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

type=AVC msg=audit(1356015697.101:1242): avc:  denied  { getattr } for  pid=17007 comm="ps" path="/dev/tty1" dev=devtmpfs ino=5025 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

type=AVC msg=audit(1356015697.103:1243): avc:  denied  { getattr } for  pid=17007 comm="ps" path="/dev/pts" dev=devpts ino=1 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir

type=AVC msg=audit(1356015697.103:1244): avc:  denied  { search } for  pid=17007 comm="ps" name="/" dev=devpts ino=1 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir

type=AVC msg=audit(1356015697.115:1245): avc:  denied  { read } for  pid=17013 comm="uptime" name="utmp" dev=vda2 ino=18 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1356015697.115:1245): avc:  denied  { open } for  pid=17013 comm="uptime" name="utmp" dev=vda2 ino=18 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

type=AVC msg=audit(1356015697.116:1246): avc:  denied  { lock } for  pid=17013 comm="uptime" path="/var/run/utmp" dev=vda2 ino=18 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

type=AVC msg=audit(1356015697.131:1247): avc:  denied  { create } for  pid=17015 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=netlink_route_socket

type=AVC msg=audit(1356015697.133:1248): avc:  denied  { bind } for  pid=17015 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=netlink_route_socket

type=AVC msg=audit(1356015697.133:1249): avc:  denied  { getattr } for  pid=17015 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=netlink_route_socket

type=AVC msg=audit(1356015697.133:1250): avc:  denied  { nlmsg_read } for  pid=17015 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=netlink_route_socket

type=AVC msg=audit(1356015697.133:1251): avc:  denied  { read } for  pid=17015 comm="mailq" name="resolv.conf" dev=vda2 ino=130643 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=AVC msg=audit(1356015697.133:1251): avc:  denied  { open } for  pid=17015 comm="mailq" name="resolv.conf" dev=vda2 ino=130643 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=AVC msg=audit(1356015697.133:1252): avc:  denied  { getattr } for  pid=17015 comm="mailq" path="/etc/resolv.conf" dev=vda2 ino=130643 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=AVC msg=audit(1356015697.134:1253): avc:  denied  { create } for  pid=17015 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=udp_socket

type=AVC msg=audit(1356015697.134:1254): avc:  denied  { connect } for  pid=17015 comm="mailq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=udp_socket

type=AVC msg=audit(1356015697.137:1255): avc:  denied  { ioctl } for  pid=17015 comm="mailq" path="socket:[527194]" dev=sockfs ino=527194 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=udp_socket

type=AVC msg=audit(1356015697.137:1256): avc:  denied  { getattr } for  pid=17015 comm="mailq" laddr=127.0.0.1 lport=48321 faddr=127.0.0.1 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tclass=udp_socket

type=AVC msg=audit(1356015697.137:1257): avc:  denied  { search } for  pid=17015 comm="mailq" name="spool" dev=vda2 ino=473 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1356015697.137:1257): avc:  denied  { search } for  pid=17015 comm="mailq" name="postfix" dev=vda2 ino=1415 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir

type=AVC msg=audit(1356015697.145:1258): avc:  denied  { write } for  pid=17015 comm="postqueue" name="showq" dev=vda2 ino=4817 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1356015697.145:1258): avc:  denied  { connectto } for  pid=17015 comm="postqueue" path="/var/spool/postfix/public/showq" scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket


And one type I have never seen before:

type=ANOM_ABEND msg=audit(1356015582.226:1234): auid=500 uid=501 gid=501 ses=20 subj=unconfined_u:system_r:httpd_dspam_script_t:s0 pid=16876 comm="dspam_admin" sig=11

Please let me know if you need more information. Thanks!
Comment 30 Daniel Walsh 2012-12-20 15:26:35 UTC 
Created attachment 666735 [details]
New Version
Comment 31 Patrick 2012-12-20 16:04:09 UTC 
Rinse and repeat and I now see the following AVCs:

type=ANOM_ABEND msg=audit(1356019143.973:1317): auid=500 uid=501 gid=501 ses=20 subj=unconfined_u:system_r:httpd_dspam_script_t:s0 pid=17815 comm="dspam_admin" sig=11

type=AVC msg=audit(1356019094.865:1307): avc:  denied  { search } for  pid=17691 comm="admin.cgi" name="lib" dev=vda2 ino=14 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

type=AVC msg=audit(1356019094.903:1308): avc:  denied  { getattr } for  pid=17697 comm="ps" path="/dev/tty1" dev=devtmpfs ino=5025 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

type=AVC msg=audit(1356019094.909:1309): avc:  denied  { getattr } for  pid=17697 comm="ps" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:httpd_dspam_script_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

type=AVC msg=audit(1356019094.935:1310): avc:  denied  { read } for  pid=17703 comm="mailq" path="pipe:[541592]" dev=pipefs ino=541592 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1356019094.935:1310): avc:  denied  { write } for  pid=17703 comm="mailq" path="pipe:[541594]" dev=pipefs ino=541594 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file

type=AVC msg=audit(1356019094.939:1311): avc:  denied  { getattr } for  pid=17703 comm="mailq" path="pipe:[541592]" dev=pipefs ino=541592 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file

type=AVC msg=audit(1356019094.950:1312): avc:  denied  { read } for  pid=17703 comm="postqueue" path="pipe:[541592]" dev=pipefs ino=541592 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1356019094.950:1312): avc:  denied  { write } for  pid=17703 comm="postqueue" path="pipe:[541594]" dev=pipefs ino=541594 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file

type=AVC msg=audit(1356019094.959:1313): avc:  denied  { getattr } for  pid=17703 comm="postqueue" path="pipe:[541592]" dev=pipefs ino=541592 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
Comment 32 Daniel Walsh 2012-12-20 16:57:13 UTC 
Can you do it one more time, but this time in permissive mode.

# setenforce 0

run test

# setenforce 1
Comment 33 Patrick 2012-12-20 19:24:35 UTC 
SELinux was already in permissive mode (if there is a difference behaviour and/or generated AVCs between permissive and enforcing mode then I was not aware of it). If I put SELinux in enforcing then I don't even get to see the webpage because of:

Dec 20 20:15:48 test setroubleshoot: SELinux is preventing /usr/bin/perl from read access on the directory /var/www/dspam/templates. For complete SELinux messages. run sealert -l 4906b715-dfa0-49b4-826e-e9b5c1b38102

Running sealert above results in:

[snip]
allow this access for now by executing:
# grep dspam.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

And the contents of mypol.te are:

module mypol 1.0;

require {
	type httpd_dspam_script_t;
	type httpd_sys_content_t;
	class dir read;
}

So when reporting the AVCs in comment 29 and comment 31 SELinux was in permissive mode.
#============= httpd_dspam_script_t ==============
allow httpd_dspam_script_t httpd_sys_content_t:dir read;
Comment 34 Daniel Walsh 2012-12-20 20:25:19 UTC 
Great.  Then I think I have fixed it in F18 policy.  Miroslav needs to back port to get it working on RHEL6.
Comment 35 Miroslav Grepl 2012-12-20 21:44:22 UTC 
Thank you guys for this work.

Added to selinux-policy-3.7.19-189.el6
Comment 36 Patrick 2012-12-20 22:50:18 UTC 
Dan & Miroslav: thank you both for your efforts. Much appreciated. When the 189 policy shows up I'll give it a try and report back if anything is out of the ordinary.
Comment 37 Daniel Walsh 2012-12-21 16:37:50 UTC 
It is out on people.redhat.com/dwalsh/SELinux/RHEL6
Comment 38 Patrick 2012-12-21 18:07:05 UTC 
Thanks Dan. Updated to the 189 release, did a restorecon of /var/www and restarted dspam. With SELinux in enforcing mode I see the following AVCs:

type=AVC msg=audit(1356112937.341:1993): avc:  denied  { read } for  pid=29773 comm="mailq" path="pipe:[858914]" dev=pipefs ino=858914 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1356112937.341:1993): avc:  denied  { write } for  pid=29773 comm="mailq" path="pipe:[858916]" dev=pipefs ino=858916 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file

Which results in:

# grep "1356112937.341:1993" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_t;
	type system_mail_t;
	class fifo_file { read write };
}

#============= system_mail_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_sendmail'

allow system_mail_t httpd_t:fifo_file { read write };


type=AVC msg=audit(1356112965.552:1994): avc:  denied  { read } for  pid=29902 comm="mailq" path="pipe:[859641]" dev=pipefs ino=859641 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1356112965.552:1994): avc:  denied  { write } for  pid=29902 comm="mailq" path="pipe:[859643]" dev=pipefs ino=859643 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=fifo_file

# grep "1356112965.552:1994" /var/log/audit/audit.log | audit2allow -m dspam-web > dspam-web.te && cat dspam-web.te

module dspam-web 1.0;

require {
	type httpd_t;
	type system_mail_t;
	class fifo_file { read write };
}

#============= system_mail_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_sendmail'

allow system_mail_t httpd_t:fifo_file { read write };


Please let me know if you need more information. Thanks!
Comment 39 Daniel Walsh 2012-12-21 18:59:13 UTC 
Yes miroslav missed a couple of changes I made to mta.te that would have dontaudited these.

d1ba9e0660b1699c895c04a2ec9b33e1ac305ceb
Comment 40 Miroslav Grepl 2013-01-03 15:29:05 UTC 
Yes, I missed 

+       apache_dontaudit_rw_fifo_file(user_mail_domain)
+       apache_dontaudit_rw_fifo_file(mta_user_agent)
Comment 43 errata-xmlrpc 2013-02-21 08:31:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html