Bug 685429 - milter module does not define any policy for TCP connections
Summary: milter module does not define any policy for TCP connections
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-15 13:41 UTC by Lubos Stanek
Modified: 2011-03-22 18:53 UTC (History)

Fixed In Version: selinux-policy-3.9.7-37.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-21 11:24:32 UTC
Type: ---
Embargoed:
Description Lubos Stanek 2011-03-15 13:41:43 UTC
Description of problem:
There is no policy for TCP connections from the milters in the milter module. At least two milters use TCP connections.
I have not found any advice or comment regarding milter TCP connections except packaging notes in clamav.

clamav-milter can communicate with the clamd server via a TCP socket. And it seems to be the preferred way for Fedora according to the packager's notes.
The connection is blocked on localhost by SELinux:
type=AVC msg=audit(1298921074.999:229): avc:  denied  { name_connect } for  pid=20406 comm="clamav-milter" dest=3310 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:clamd_port_t:s0 tclass=tcp_socket

milter-greylist can synchronize lists among multiple MX servers (the peer option). Again there is no policy for the sync connection and the connection is blocked by SELinux:
type=AVC msg=audit(1298996484.455:768): avc:  denied  { name_bind } for  pid=15967 comm="milter-greylist" src=5252 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

I think that the milters' TCP communication support should be included in some form.

P.S.: I do not need any help for making it work.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-31.fc14.noarch
clamav-milter-0.97-1400.f14..i686
milter-greylist-4.2.6-1400.fc14.i686


How reproducible:
Install the mentioned milter. Configure ClamdSocket or peer depending on the installed milter. Start the milter.

Actual results:
SELinux emits AVCs, milters cannot communicate.

Expected results:
Milters can use at least the default configuration and communicate.

Comment 1 Miroslav Grepl 2011-03-15 13:56:26 UTC
We have this in F15. I am fixing it in F14 policy.

Thank you.

Comment 2 Miroslav Grepl 2011-03-18 12:34:40 UTC
Fixed in selinux-policy-3.9.7-34.fc14

Comment 3 Fedora Update System 2011-03-18 15:08:03 UTC
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14

Comment 4 Lubos Stanek 2011-03-18 17:01:15 UTC
Thanks for working on the issue.

The clamav-milter case is fixed.

milter-greylist works both as a server and a client in the peer mode. The list is synchronized among all MX servers (multi-MX).

type=AVC msg=audit(1300464048.285:103): avc:  denied  { listen } for  pid=11719 comm="milter-greylist" lport=5252 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=system_u:system_r:greylist_milter_t:s0 tclass=tcp_socket

Probably this rule should be added:
corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)

Comment 5 Daniel Walsh 2011-03-18 18:45:36 UTC
Miroslav you need this line from F15

allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
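The three denials quoted in this report (the description and comment 4) call for three different kinds of policy: a connect to an already labelled port type (clamd_port_t), a bind to a port that carries only the generic port_t label, and a listen on the domain's own socket, which is what the allow rule in comment 5 grants. The script below is an added example, not code from the reporter, from Fedora or from the reference policy: it parses AVC records of the form shown above and sorts each into one of those categories so a triager can see at a glance which rule family is missing. The category names and the heuristic behind them are my own; the interface names in the explanations are the usual refpolicy corenet naming and are assumed, not taken from this bug.

```python
"""Triage SELinux AVC denials on TCP sockets (added example, not Fedora policy code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches the "avc:  denied  { perm ... } for  key=value ..." tail of an audit record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: Tuple[str, ...]
    pid: Optional[int]
    comm: Optional[str]
    source_type: str            # type component of scontext, e.g. greylist_milter_t
    target_type: str            # type component of tcontext, e.g. port_t
    tclass: str
    port: Optional[int]         # dest=, src= or lport=, whichever the record carries
    fields: Dict[str, str] = field(default_factory=dict)


def _ctx_type(ctx: str) -> str:
    # A context is user:role:type[:mls]; the type is what policy rules are written against.
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    port = None
    for key in ("dest", "src", "lport"):
        if fields.get(key, "").isdigit():
            port = int(fields[key])
            break
    pid = int(fields["pid"]) if fields.get("pid", "").isdigit() else None
    return AvcDenial(
        perms=perms,
        pid=pid,
        comm=fields.get("comm"),
        source_type=_ctx_type(fields.get("scontext", "")),
        target_type=_ctx_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
        port=port,
        fields=fields,
    )


def classify(d: AvcDenial) -> Tuple[str, str]:
    """Map a tcp_socket denial to the family of policy rule it is missing (heuristic)."""
    if d.tclass != "tcp_socket":
        return ("other", "not a TCP socket denial")
    if "name_connect" in d.perms and d.target_type.endswith("_port_t"):
        # Port already has its own type; the domain just lacks the connect interface.
        return ("connect_to_labeled_port",
                f"{d.source_type} needs a corenet_tcp_connect_*_port interface for {d.target_type}")
    if "name_bind" in d.perms and d.target_type == "port_t":
        # Generic port_t means no port type is declared for this number yet.
        return ("bind_unlabeled_port",
                f"port {d.port} carries only port_t; declare/label a port type, then allow bind")
    if "name_bind" in d.perms:
        return ("bind_labeled_port",
                f"{d.source_type} needs a corenet_tcp_bind_*_port interface for {d.target_type}")
    if d.source_type == d.target_type and {"listen", "accept", "create"} & set(d.perms):
        # Socket owned by the domain itself: the self:tcp_socket rule is missing.
        return ("self_socket_perms",
                f"allow {d.source_type} self:tcp_socket create_stream_socket_perms;")
    return ("other", "unrecognised tcp_socket denial")


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (comm, category, explanation) for every AVC denial found in `lines`."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            cat, why = classify(d)
            out.append((d.comm or "?", cat, why))
    return out


# The three records quoted in this bug report, used here as sample input.
SAMPLE = [
    'type=AVC msg=audit(1298921074.999:229): avc:  denied  { name_connect } for  pid=20406 comm="clamav-milter" dest=3310 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:clamd_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1298996484.455:768): avc:  denied  { name_bind } for  pid=15967 comm="milter-greylist" src=5252 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1300464048.285:103): avc:  denied  { listen } for  pid=11719 comm="milter-greylist" lport=5252 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=system_u:system_r:greylist_milter_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    for comm, cat, why in triage(SAMPLE):
        print(f"{comm:16} {cat:26} {why}")
```

Run against a live system with `ausearch -m avc -ts recent | python3 triage.py`-style piping, or feed it the lines from /var/log/audit/audit.log. The point of the categories is the one this bug illustrates: a denial against a named *_port_t type and a denial against bare port_t look alike in the log but need different fixes, and a listen denied against the domain's own context is not a port problem at all.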

Comment 6 Fedora Update System 2011-03-21 08:46:00 UTC
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14

Comment 7 Lubos Stanek 2011-03-21 11:24:32 UTC
The issue is fixed by the last policy (selinux-policy-3.9.7-37.fc14).
Thanks for your work.

Comment 8 Daniel Walsh 2011-03-21 21:51:24 UTC
Please update karma

Comment 9 Fedora Update System 2011-03-22 18:51:37 UTC
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.