Bug 477315 - SELinux prevents Postfix from using python-policyd-spf to check SPF records
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2008-12-20 07:57 EST by Anthony Messina
Modified: 2009-03-03 04:16 EST
Doc Type: Bug Fix
Last Closed: 2009-03-03 04:16:06 EST
Attachments: None

Description Anthony Messina 2008-12-20 07:57:18 EST
After upgrading to F10, I now have the following denials in my audit log:

Source Context:    unconfined_u:system_r:postfix_master_t:s0
Target Context:    system_u:object_r:inaddr_any_node_t:s0
Target Objects:    None [ udp_socket ]
Source:    policyd-spf
Source Path:    /usr/bin/python
Port:    44918
Host:    XXXX
Source RPM Packages:    python-2.5.2-1.fc10
Target RPM Packages:
Policy RPM:    selinux-policy-3.5.13-34.fc10
Selinux Enabled:    True
Policy Type:    targeted
MLS Enabled:    True
Enforcing Mode:    Permissive
Plugin Name:    catchall_boolean
Host Name:    XXXX
Platform:    Linux XXXX 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count:    14
First Seen:    Sat Dec 20 04:48:51 2008
Last Seen:    Sat Dec 20 06:35:53 2008
Local ID:    b83d7b37-d99a-4a5d-804a-e19415ff6dcd
Line Numbers:
Raw Audit Messages :

node=XXXX type=AVC msg=audit(1229776553.564:2099): avc: denied { node_bind } for pid=20950 comm="policyd-spf" src=44918 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket 
node=chicago.messinet.com type=SYSCALL msg=audit(1229776553.564:2099): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fffdf509cb0 a2=10 a3=0 items=0 ppid=20592 pid=20950 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="policyd-spf" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null) 


Source Context:    unconfined_u:system_r:postfix_master_t:s0
Target Context:    system_u:object_r:port_t:s0
Target Objects:    None [ udp_socket ]
Source:    policyd-spf
Source Path:    /usr/bin/python
Port:    7494
Host:    XXXX
Source RPM Packages:    python-2.5.2-1.fc10
Target RPM Packages:
Policy RPM:    selinux-policy-3.5.13-34.fc10
Selinux Enabled:    True
Policy Type:    targeted
MLS Enabled:    True
Enforcing Mode:    Permissive
Plugin Name:    bind_ports
Host Name:    XXXX
Platform:    Linux XXXX 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count:    48
First Seen:    Fri Dec 19 23:43:50 2008
Last Seen:    Sat Dec 20 06:35:53 2008
Local ID:    f63540c7-a1b0-4938-88c0-1e62d1b51a68
Line Numbers:
Raw Audit Messages :

node=XXXX type=AVC msg=audit(1229776553.566:2100): avc: denied { name_bind } for pid=20950 comm="policyd-spf" src=7494 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket 
node=chicago.messinet.com type=SYSCALL msg=audit(1229776553.566:2100): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fffdf509cb0 a2=10 a3=0 items=0 ppid=20592 pid=20950 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="policyd-spf" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null) 


Source Context:    unconfined_u:system_r:postfix_master_t:s0
Target Context:    system_u:object_r:inaddr_any_node_t:s0
Target Objects:    None [ udp_socket ]
Source:    policyd-spf
Source Path:    /usr/bin/python
Port:    52013
Host:    XXXX
Source RPM Packages:    python-2.5.2-1.fc10
Target RPM Packages:
Policy RPM:    selinux-policy-3.5.13-34.fc10
Selinux Enabled:    True
Policy Type:    targeted
MLS Enabled:    True
Enforcing Mode:    Permissive
Plugin Name:    catchall_boolean
Host Name:    XXXX
Platform:    Linux XXXX 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count:    13
First Seen:    Sat Dec 20 04:48:51 2008
Last Seen:    Sat Dec 20 06:34:36 2008
Local ID:    b83d7b37-d99a-4a5d-804a-e19415ff6dcd
Line Numbers:
Raw Audit Messages :

node=XXXX type=AVC msg=audit(1229776476.330:2077): avc: denied { node_bind } for pid=20950 comm="policyd-spf" src=52013 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket 
node=chicago.messinet.com type=SYSCALL msg=audit(1229776476.330:2077): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fffdf509cb0 a2=10 a3=0 items=0 ppid=20592 pid=20950 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="policyd-spf" exe="/usr/bin/python" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null) 


It seems that the python policyd for checking SPF records is using any random port to check SPF records.

I am using permissive mode for now.  I did not see this in Fedora 9.  Also, I see, using semanage: postfix_policyd_port_t         tcp      10031, but I'm not sure if this is something I'll need to configure python-policyd-spf to use.
Comment 1 Daniel Walsh 2008-12-22 10:52:54 EST
Fixed in selinux-policy-3.5.13-36.fc10
Comment 2 Anthony Messina 2009-01-02 07:12:44 EST
Using selinux-policy-targeted-3.5.13-37.fc10.noarch (from koji), this issue is resolved.
Comment 3 Dave Oksner 2009-01-13 14:06:32 EST
This appears to be a problem on RedHat EL5 as well.  Latest version of that is 2.4.6-137.1.el5_2.  Should this bug be modified to include EL5 or should a new bug be created?
Comment 4 Anthony Messina 2009-01-21 11:06:34 EST
Hmmm, now I get this alert only occasionally, where I used to get it with each and every email that was processed.

Currently using selinux-policy-targeted-3.5.13-38.fc10.noarch
Summary:

SELinux is preventing the policyd-spf (postfix_master_t) from binding to port
32755.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied the policyd-spf from binding to a network port 32755 which
does not have an SELinux type associated with it. If policyd-spf is supposed to
be allowed to listen on this port, you can use the semanage command to add this
port to a port type that postfix_master_t can bind to. semanage port -l will
list all port types. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If policyd-spf is not supposed to bind to this port, this could signal
a intrusion attempt. If this system is running as an NIS Client, turning on the
allow_ypbind boolean, may fix the problem. setsebool -P allow_ypbind=1.

Allowing Access:

If you want to allow policyd-spf to bind to this port semanage port -a -t
PORT_TYPE -p PROTOCOL 32755 Where PORT_TYPE is a type that postfix_master_t can
bind and PROTOCOL is udp or tcp.

Additional Information:

Source Context                system_u:system_r:postfix_master_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        policyd-spf
Source Path                   /usr/bin/python
Port                          32755
Host                          xxxx
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   bind_ports
Host Name                     xxxx
Platform                      Linux xxxx
                              2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16
                              14:47:52 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 21 Jan 2009 09:46:40 AM CST
Last Seen                     Wed 21 Jan 2009 09:46:40 AM CST
Local ID                      d5285362-6e06-481f-88d9-9d3c5567d383
Line Numbers                  

Raw Audit Messages            

node=xxxx type=AVC msg=audit(1232552800.626:40858): avc:  denied  { name_bind } for  pid=12922 comm="policyd-spf" src=32755 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=xxxx type=SYSCALL msg=audit(1232552800.626:40858): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fff6b6cce70 a2=10 a3=0 items=0 ppid=12921 pid=12922 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="policyd-spf" exe="/usr/bin/python" subj=system_u:system_r:postfix_master_t:s0 key=(null)
Comment 5 Daniel Walsh 2009-01-21 11:22:57 EST
Dave Oksner

Could you check with the 5.3 policy

http://people.redhat.com/dwalsh/SELinux/RHEL5

This is the preview of 5.3 which should be coming out soon.

Anthony?

policyd-spf is attempting to listen on tcp port 32755 for incoming connections.  Do you have any idea what this is doing?
Comment 6 Anthony Messina 2009-01-21 11:45:48 EST
(In reply to comment #5)
> Dave Oksner
> 
> Could you check with the 5.3 policy
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL5
> 
> This is the preview of 5.3 which should be coming out soon.

I'm using Fedora 10, will the packages there apply to Fedora 10?  If I do install those packages, will a newer Fedora 10 policy overwrite them when it becomes available in the repos, or would I need to maintain that manually?

> Anthony?
> 
> policyd-spf is attempting to listen on tcp port 32755 for incoming connections.  Do you have any idea what this is doing?

It's supposed to initiate a DNS request to find out if SPF records are defined in DNS for a given mailserver that is attempting to send mail to my domain. Specifically, though, I don't know what this particular request was doing.  Also, like in my Comment #4, this only happens occasionally now, not for every incoming mail like the original report.

I do have it configured per the directions for Postfix (master.cf):

# Python Sender Policy Framework (SPF) policy daemon
policyd-spf unix -      n       n       -       0       spawn
  user=nobody argv=/usr/bin/policyd-spf
Comment 7 Anthony Messina 2009-01-21 11:47:39 EST
(In reply to comment #6)
> (In reply to comment #5)
> > Dave Oksner
> > 
> > Could you check with the 5.3 policy
> > 
> > http://people.redhat.com/dwalsh/SELinux/RHEL5
> > 
> > This is the preview of 5.3 which should be coming out soon.
> 
> I'm using Fedora 10, will the packages there apply to Fedora 10?  If I do
> install those packages, will a newer Fedora 10 policy overwrite them when it
> becomes available in the repos, or would I need to maintain that manually?
> 

Sorry, I just realized that part of Comment #5 was for Dave.
Comment 8 Dave Oksner 2009-01-21 13:01:27 EST
I installed selinux-policy-2.4.6-203.el5 and selinux-policy-targeted-2.4.6-203.el5 and it appears to have fixed the problem with policyd-spf.  I'm no longer seeing any errors like that.  However, it may have introduced a new problem.  This machine doesn't do local delivery, so I don't have to worry about it not being able to access the /home file system, but it might be a problem for others.  Thanks for the help and let me know if I can provide any additional information.

====================================================

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /home (home_root_t).

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t
Target Context                system_u:object_r:home_root_t
Target Objects                /home [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          XXXX
Source RPM Packages           postfix-2.3.3-2.1.el5_2
Target RPM Packages           filesystem-2.4.0-1
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     XXXX
Platform                      Linux XXXX 2.6.18-92.1.22.el5
                              #1 SMP Fri Dec 5 09:28:22 EST 2008 x86_64 x86_64
Alert Count                   322
First Seen                    Wed Jan 21 09:46:25 2009
Last Seen                     Wed Jan 21 09:56:37 2009
Local ID                      bbd4fb4d-e1d6-4a63-aa14-0883f7282587
Line Numbers                  

Raw Audit Messages

host=XXXX type=AVC msg=audit(1232560597.575:313): avc:  denied  { getattr } for  pid=11211 comm="smtpd" path="/home" dev=dm-1 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=XXXX type=SYSCALL msg=audit(1232560597.575:313): arch=c000003e syscall=4 success=no exit=-13 a0=7fff7dcd2b69 a1=7fff7dcd2f50 a2=7fff7dcd2f50 a3=0 items=0 ppid=8880 pid=11211 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
Comment 9 Daniel Walsh 2009-01-21 15:00:11 EST
Anthony, reading up on this a little further, it looks like policyd-spf can cause a large transfer on certain sites.

http://www.gossamer-threads.com/lists/spf/help/34338

Might be opening up a back channel for the dns data to return?
Comment 10 Anthony Messina 2009-01-21 17:39:20 EST
Would it be worth having Scott Kitterman <scott@kitterman.com> take a look at this as he is the maintainer of the postfix-policyd-spf-python software?  He might be able to give a definitive answer as to whether or not this tcp port business should be allowed within the context of SELinux.
Comment 11 Daniel Walsh 2009-01-26 11:47:08 EST
yes
Comment 12 Anthony Messina 2009-01-26 22:32:44 EST
Ok, quoting the reply I got from Scott:

"I'm guessing that's related to random source port binding in python-dns.  
The policy server itself doesn't open any ports, but it uses python-spf, 
which uses python-dns.  I don't know what version you have, but the current 
one (IIRC 2.3.3) does do source port randomization.

If that's what this is, it's needed.

Scott K"
Comment 13 Daniel Walsh 2009-01-27 15:31:25 EST
Miroslav, then I guess you will need to add.

corenet_tcp_bind_all_unreserved_ports(postfix_master_t)
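The thread turns on one triage question: is the confined process trying to bind a single fixed port (where the setroubleshoot advice to label that port with semanage fits), or a different unreserved port every time (the randomized source ports python-dns uses, which is what corenet_tcp_bind_all_unreserved_ports(postfix_master_t) allows)? The script below is an added example, not code from the bug report or from selinux-policy. It parses raw AVC records in the format pasted above, groups name_bind denials by source type and socket class, and picks between the two answers. The sample input reuses the AVC lines quoted in the comments plus two constructed lines with other ephemeral ports to reproduce the "random port each time" pattern; the UDP interface name it emits is assumed to follow the same refpolicy naming convention as the TCP one in comment 13.

```python
"""Triage SELinux bind denials of the kind pasted into this bug.

Added example (not the reporter's or selinux-policy's code). Parses AVC
records, summarizes them, and for name_bind denials decides between
"label one fixed port" and "allow the whole unreserved range".
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: AVC lines quoted in the bug (hostnames anonymized
# as in the report) plus two constructed lines in the same format with other
# ephemeral ports, so the "different high port every time" pattern shows up.
SAMPLE_AUDIT = """\
node=XXXX type=AVC msg=audit(1229776553.564:2099): avc: denied { node_bind } for pid=20950 comm="policyd-spf" src=44918 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
node=XXXX type=AVC msg=audit(1229776553.566:2100): avc: denied { name_bind } for pid=20950 comm="policyd-spf" src=7494 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=xxxx type=AVC msg=audit(1232552800.626:40858): avc:  denied  { name_bind } for  pid=12922 comm="policyd-spf" src=32755 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
host=XXXX type=AVC msg=audit(1232560597.575:313): avc:  denied  { getattr } for  pid=11211 comm="smtpd" path="/home" dev=dm-1 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
node=xxxx type=AVC msg=audit(1232552900.000:40900): avc: denied { name_bind } for pid=12930 comm="policyd-spf" src=51234 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=xxxx type=AVC msg=audit(1232552900.001:40901): avc: denied { name_bind } for pid=12930 comm="policyd-spf" src=40011 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESERVED_MAX = 1023  # ports 0-1023 are reserved; refpolicy's "unreserved" range starts at 1024


@dataclass(frozen=True)
class Denial:
    perm: str
    comm: str
    stype: str            # source (process) SELinux type, e.g. postfix_master_t
    ttype: str            # target type, e.g. port_t
    tclass: str           # object class, e.g. udp_socket
    port: Optional[int]   # src= field on bind denials
    path: Optional[str]   # path= field on file denials


def selinux_type(context: str) -> str:
    """'user:role:type[:range]' -> 'type'."""
    return context.split(':')[2]


def parse_avc(line: str) -> List[Denial]:
    """One Denial per denied permission in an AVC record; [] for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return []
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    port = int(f['src']) if 'src' in f else None
    return [Denial(perm, f.get('comm', '?'), selinux_type(f['scontext']),
                   selinux_type(f['tcontext']), f.get('tclass', '?'), port, f.get('path'))
            for perm in m.group('perms').split()]


def summarize(records: str) -> Counter:
    """Count denials by (comm, source type, permission, object class)."""
    counts: Counter = Counter()
    for line in records.splitlines():
        for d in parse_avc(line):
            counts[(d.comm, d.stype, d.perm, d.tclass)] += 1
    return counts


def triage_binds(records: str) -> Dict[Tuple[str, str], dict]:
    """Group name_bind denials by (source type, socket class) and suggest a fix."""
    ports = defaultdict(set)
    for line in records.splitlines():
        for d in parse_avc(line):
            if d.perm == 'name_bind' and d.port is not None:
                ports[(d.stype, d.tclass)].add(d.port)
    result = {}
    for (stype, tclass), ps in ports.items():
        proto = tclass.split('_')[0]          # tcp_socket -> tcp
        if len(ps) == 1:
            # One fixed port: give it a type the domain may bind (setroubleshoot's advice).
            advice = f'semanage port -a -t <PORT_TYPE> -p {proto} {next(iter(ps))}'
        elif all(p > RESERVED_MAX for p in ps):
            # Varying high ports: randomized source ports, so allow the unreserved range
            # (UDP interface name assumed by analogy with the TCP one in comment 13).
            advice = f'corenet_{proto}_bind_all_unreserved_ports({stype})'
        else:
            advice = 'mixed reserved and unreserved ports: review each one by hand'
        result[(stype, tclass)] = {'ports': sorted(ps), 'advice': advice}
    return result


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(n, *key)
    for key, info in sorted(triage_binds(SAMPLE_AUDIT).items()):
        print(key, info)
```

Run against a real audit.log the same way (`triage_binds(open('/var/log/audit/audit.log').read())`); a single recurring port means a labelling problem, a spread of ports above 1023 means the domain needs the unreserved-port interface rather than one more semanage entry.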
Comment 14 Miroslav Grepl 2009-03-03 04:16:06 EST
Fixed in selinux-policy-3.5.13-46.fc10