Bug 671486 - dspam to be confined
Summary: dspam to be confined
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-21 16:15 UTC by Matěj Cepl
Modified: 2018-04-11 06:51 UTC (History)
4 users (show)

Fixed In Version: dspam-3.9.0-13.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-26 20:37:22 UTC


Attachments (Terms of Use)
output of ausearch -m AVC -ts 16:34 (13.98 KB, text/plain)
2011-01-25 15:45 UTC, Matěj Cepl
no flags Details

Description Matěj Cepl 2011-01-21 16:15:28 UTC
Description of problem:
dspam is a daemon communicating with MTA, it has public facing web frontend, so I think SELinux confinement would be useful.

Version-Release number of selected component (if applicable):
dspam-0:3.9.0-10.fc15.x86_64

How reproducible:
100%

Comment 1 Miroslav Grepl 2011-01-25 14:05:26 UTC
Matej, 
could you try to treat DSPAM with spamd policy? I mean 

execute:

# chcon -t spamd_exec_t /usr/bin/dspam
# chcon -R -t spamd_var_lib_t /var/lib/dspam
# chcon -R -t spamd_log_t /var/log/dspam
# chcon -R -t spamd_var_run_t /var/run/dspam

Test it and run

# ausearch -m avc -ts recent

Thanks.

Comment 2 Matěj Cepl 2011-01-25 15:45:15 UTC
Created attachment 475190 [details]
output of ausearch -m AVC -ts 16:34

Comment 3 Matěj Cepl 2011-01-25 15:46:00 UTC
And this what audit2allow thinks:

[root@luther ~]# ausearch -m AVC -ts 16:34 |audit2allow


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t spamd_var_lib_t:dir { write remove_name search add_name getattr };
allow httpd_sys_script_t spamd_var_lib_t:file { setattr read lock create ioctl write getattr unlink append };

#============= postfix_smtp_t ==============
allow postfix_smtp_t spamd_t:unix_stream_socket connectto;
allow postfix_smtp_t tmp_t:sock_file write;

#============= spamd_t ==============
allow spamd_t port_t:tcp_socket name_connect;
allow spamd_t self:capability net_admin;
allow spamd_t tmp_t:sock_file create;

#============= zarafa_deliver_t ==============
allow zarafa_deliver_t ld_so_cache_t:file { read getattr };
allow zarafa_deliver_t ld_so_t:file read;
allow zarafa_deliver_t lib_t:file execute;

#============= zarafa_gateway_t ==============
allow zarafa_gateway_t reserved_port_t:tcp_socket name_connect;

Comment 4 Matěj Cepl 2011-01-25 15:47:40 UTC
Of course zarafa* AVC denials are subject to bug 574788

Comment 5 Miroslav Grepl 2011-01-26 09:03:33 UTC
Ok, thanks for testing.

I will send you dspam policy.

Comment 6 Miroslav Grepl 2011-01-26 09:33:24 UTC
Looking more into audit.log and I am seeing "dspam.socket" is created in /tmp

path="/tmp/dspam.sock"

I will allow it for now but

"DSPAM" maintainer, 
could it be changed to /var/run/dspam.sock?

Comment 7 Miroslav Grepl 2011-01-26 10:21:53 UTC
I have sent you a new DSPAM policy which contains zarafa fixes and also a policy for the DSPAM cgi script. 

So just run the dspam.sh script to install this policy.

Also please check paths in the dspam.fc file since you test it on RHEL5.

Comment 8 Matěj Cepl 2011-01-26 12:17:11 UTC
(In reply to comment #7)
> I have sent you a new DSPAM policy which contains zarafa fixes and also a
> policy for the DSPAM cgi script. 
> 
> So just run the dspam.sh script to install this policy.
> 
> Also please check paths in the dspam.fc file since you test it on RHEL5.

The only difference (I don't think it is related to RHELishness, but bug 672068) is that I don't have website proper in /usr/share/dspam-web but in /var/www/dspam/, but otherwise it went smoothly, and I will report on the results soon.

Comment 9 Matěj Cepl 2011-01-26 12:17:55 UTC
(In reply to comment #6)
> Looking more into audit.log and I am seeing "dspam.socket" is created in /tmp
> 
> path="/tmp/dspam.sock"
> 
> I will allow it for now but
> 
> "DSPAM" maintainer, 
> could it be changed to /var/run/dspam.sock?

This is actually configurable, I will take a look.

Comment 10 Matěj Cepl 2011-01-26 12:26:11 UTC
(In reply to comment #9)
> This is actually configurable, I will take a look.

I think the only change required is ServerDomainSocketPath variable in /etc/dspam.conf and in /etc/postfix/master.cf

Does it mean, I can just remove these lines in dspam.te

# FIXME
# /tmp/dspam.sock
type dspam_tmp_t;
files_tmp_file(dspam_tmp_t)

or should they be replaced by something else?

Comment 11 Miroslav Grepl 2011-01-26 12:41:53 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > This is actually configurable, I will take a look.
> 
> I think the only change required is ServerDomainSocketPath variable in
> /etc/dspam.conf and in /etc/postfix/master.cf
> 
> Does it mean, I can just remove these lines in dspam.te
> 
> # FIXME
> # /tmp/dspam.sock
> type dspam_tmp_t;
> files_tmp_file(dspam_tmp_t)
> 
> or should they be replaced by something else?

No, you can leave these rules in the policy file.

Comment 12 Nathanael Noblet 2011-01-26 17:54:09 UTC
Hello - as package maintainer I have to profess I don't use the web-ui *or* dspam as a dameon. I agree that the best default place for dspam socket for daemon mode is either /var/run/dspam/dspam.sock or /var/run/dspam.sock.

I'm not sure the best, however I propose to use /var/run/dspam/dspam.sock since /var/run/dspam is 770 & owned by dspam:mail it allows anything running in the mail group access.

Does that sound reasonable?

Comment 13 Daniel Walsh 2011-01-26 18:07:52 UTC
From an SELinux point of view /var/run/dspam/dspam.sock is best.

Comment 14 Fedora Update System 2011-01-26 19:26:47 UTC
dspam-3.9.0-12.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/dspam-3.9.0-12.fc14

Comment 15 Fedora Update System 2011-01-26 19:26:54 UTC
dspam-3.9.0-12.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/dspam-3.9.0-12.el5

Comment 16 Fedora Update System 2011-01-26 21:16:32 UTC
dspam-3.9.0-13.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/dspam-3.9.0-13.fc14

Comment 17 Fedora Update System 2011-01-26 21:18:51 UTC
dspam-3.9.0-13.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/dspam-3.9.0-13.el5

Comment 18 Fedora Update System 2011-01-27 18:24:47 UTC
dspam-3.9.0-13.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dspam'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/dspam-3.9.0-13.el5

Comment 19 Fedora Update System 2011-02-04 19:51:32 UTC
dspam-3.9.0-13.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2011-02-13 00:18:10 UTC
dspam-3.9.0-13.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.