Old 01-10-2009, 04:22 AM
Richard Chapman
 
Default Denials from spamc and webalizer on Centos 5.2

After some trouble getting the file-system relabelled - which was
eventually solved by Daniel's suggestion to change to a 5.3 preview
release of the policy packages - I now have (only) a couple of
intractable denials.



One seems to be related to procmail running spamc. The other seems to
be webalizer being denied access to squid logs. Here is some
representative troubleshooter output:

Summary
SELinux is preventing spamc (procmail_t) "execute" to ./spamc
(spamc_exec_t).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]

SELinux denied access requested by spamc. It is not expected that this
access is required by spamc and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./spamc,

restorecon -v './spamc'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether.
Disabling SELinux protection is not recommended. Please file a bug report
against this package.

Additional Information

Source Context: system_u:system_r:procmail_t
Target Context: system_u:object_r:spamc_exec_t
Target Objects: ./spamc [ file ]
Source: spamc
Source Path: /usr/bin/spamc
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: spamassassin-3.2.4-1.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count: 199
First Seen: Wed Jan 7 21:12:56 2009
Last Seen: Sat Jan 10 13:50:07 2009
Local ID: 72201679-d161-4d2d-8423-44b1b65a211f
Line Numbers:

Raw Audit Messages:

host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0
ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0
ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute_no_trans } for pid=16474 comm="procmail"
path="/usr/bin/spamc" dev=dm-0 ino=31336954
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { execute_no_trans } for pid=16474 comm="procmail"
path="/usr/bin/spamc" dev=dm-0 ino=31336954
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc"
dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc:
denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc"
dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005):
arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0
a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500
gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
subj=system_u:system_r:procmail_t:s0 key=(null)

host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005):
arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0
a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500
gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
subj=system_u:system_r:procmail_t:s0 key=(null)

Summary
SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer
(bin_t).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]

SELinux denied access requested by webalizer. It is not expected that
this access is required by webalizer and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./webalizer,

restorecon -v './webalizer'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether.
Disabling SELinux protection is not recommended. Please file a bug report
against this package.

Additional Information

Source Context: root:system_r:webalizer_t:SystemLow-SystemHigh
Target Context: system_u:object_r:bin_t
Target Objects: ./webalizer [ dir ]
Source: webalizer
Source Path: /usr/bin/webalizer
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: webalizer-2.01_10-30.1
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count: 119
First Seen: Wed Jan 7 22:00:02 2009
Last Seen: Sat Jan 10 14:00:01 2009
Local ID: fd879861-abb1-4e67-a190-0a721c66dc0e
Line Numbers:

Raw Audit Messages:

host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc:
denied { search } for pid=16510 comm="webalizer" name="webalizer"
dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=dir

host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc:
denied { search } for pid=16510 comm="webalizer" name="webalizer"
dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=dir

host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027):
arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0
a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730
comm="webalizer" exe="/usr/bin/webalizer"
subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)

host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027):
arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0
a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730
comm="webalizer" exe="/usr/bin/webalizer"
subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)

I didn't think I was doing anything unusual here - so I am surprised
these aren't covered by standard policy. Am I doing something strange -
and if so - do I need to write my own local policy? Is there a more
standard way to run spamc and/or webalizer which will prevent these
denials?



Thanks



Richard.






--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 01-10-2009, 10:14 AM
Murray McAllister
 
Default Denials from spamc and webalizer on Centos 5.2

Richard Chapman wrote:
After some trouble getting the file-system relabelled - which was
eventually solved by Daniel's suggestion to change to a 5.3 preview
release of the policy packages - I now have (only) a couple of
intractable denials.


One seems to be related to procmail running spamc. The other seems to be
webalizer being denied access to squid logs. Here is some representative
troubleshooter output:


Summary
SELinux is preventing spamc (procmail_t) "execute" to ./spamc
(spamc_exec_t).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]


SELinux denied access requested by spamc. It is not expected that this
access is required by spamc and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.


Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./spamc,


restorecon -v './spamc'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ
<http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
<http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.


Additional Information

Source Context: system_u:system_r:procmail_t
Target Context: system_u:object_r:spamc_exec_t
Target Objects: ./spamc [ file ]
Source: spamc
Source Path: /usr/bin/spamc
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: spamassassin-3.2.4-1.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64

Alert Count: 199
First Seen: Wed Jan 7 21:12:56 2009
Last Seen: Sat Jan 10 13:50:07 2009
Local ID: 72201679-d161-4d2d-8423-44b1b65a211f
Line Numbers:

Fedora 10 has a rule that looks like it would resolve this issue:

$ sesearch --allow -s procmail_t -t spamc_exec_t
WARNING: This policy contained disabled aliases; they have been removed.
Found 1 semantic av rules:
allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ;

selinux-policy-3.5.13-38.fc10.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch

Do you have this rule when running the 5.3 preview packages? I am not
sure about your webalizer issue...


 
Old 01-11-2009, 01:24 AM
Richard Chapman
 
Default Denials from spamc and webalizer on Centos 5.2

Thanks Murray... It looks to me like Centos 5.2 and/or the 5.3 preview
policy release doesn't have that rule:


--------
[root@C5 ~]# sesearch --allow -s procmail_t -t spamc_exec_t

[root@C5 ~]#
--------

Can you advise me the easiest and/or best way to add this rule to my
system?


Richard



 
Old 01-12-2009, 11:44 AM
"domg472 g472"
 
Default Denials from spamc and webalizer on Centos 5.2

Hello,

With regard to procmail, I think your policy is missing a domain
transition to spamassassin.

A custom policy looking something like the following may or may not
fix that issue:

mkdir ~/myprocmail; cd ~/myprocmail;
echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
echo "require { type procmail_t; }" >> myprocmail.te;
echo "optional_policy(`" >> myprocmail.te;
echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
echo "')" >> myprocmail.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myprocmail.pp

With regard to webalizer it looks like webalizer is searching
something in a "bin" directory.
If you want you can allow this.

mkdir ~/mywebalizer; cd ~/mywebalizer;
echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
echo "require { type webalizer_t; }" >> mywebalizer.te;
echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i mywebalizer.pp

It may be that both procmail and webalizer domains need more access
after this, but you will notice that if this is the case.

P.s. You may or may not need to escape some of the characters in my example.

Hth,
Dominick

 
Old 01-12-2009, 03:56 PM
Daniel J Walsh
 
Default Denials from spamc and webalizer on Centos 5.2

domg472 g472 wrote:
> Hello,
>
> With regard to procmail, I think your policy is missing a domain
> transition to spamassassin.
>
> A custom policy looking something like the following may or may not
> fix that issue:
>
> mkdir ~/myprocmail; cd ~/myprocmail;
> echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
> echo "require { type procmail_t; }" >> myprocmail.te;
> echo "optional_policy(`" >> myprocmail.te;
> echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
> echo "')" >> myprocmail.te;
>
> make -f /usr/share/selinux/devel/Makefile
> /usr/sbin/semodule -i myprocmail.pp
>
> With regard to webalizer it looks like webalizer is searching
> something in a "bin" directory.
> If you want you can allow this.
>
> mkdir ~/mywebalizer; cd ~/mywebalizer;
> echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
> echo "require { type webalizer_t; }" >> mywebalizer.te;
> echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;
>
> make -f /usr/share/selinux/devel/Makefile
> /usr/sbin/semodule -i mywebalizer.pp
>
> It may be that both procmail and webalizer domains need more access
> after this, but you will notice that if this is the case.
>
> P.s. You may or may not need to escape some of the characters in my example.
>
> Hth,
> Dominick
Fedora 10 and Rawhide have a domtrans to spamc, but RHEL5 looks like it
is only able to execute spamc without a transition.
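The comparison made across the replies above, as an added example that is not part of the original thread: it groups the AVC denials from the first post by (source type, target type, class), then subtracts the Fedora 10 rule from the sesearch output to show which denied permission that rule would still leave uncovered. The function names are hypothetical, and the sample log is constructed from the thread's records with contexts written out in full and one record per line.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from this thread, one per line as in
# audit.log. The repeated record and the (shortened) SYSCALL record are
# included on purpose to show that duplicates and non-AVC lines are handled.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1231563007.814:8005): arch=c000003e syscall=59 success=yes exit=0 pid=16474 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
"""

# The sesearch output quoted in the thread for the Fedora 10 policy.
FEDORA10_SESEARCH = """\
Found 1 semantic av rules:
allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ;
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}")


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a full security context: %r" % context)
    return parts[2]


def parse_denials(audit_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for match in AVC_RE.finditer(audit_text):
        key = (
            context_type(match.group("scontext")),
            context_type(match.group("tcontext")),
            match.group("tclass"),
        )
        denials[key].update(match.group("perms").split())
    return dict(denials)


def parse_allow_rules(sesearch_text):
    """Map (source type, target type, class) to permissions granted by allow rules."""
    rules = defaultdict(set)
    for source, target, tclass, perms in RULE_RE.findall(sesearch_text):
        rules[(source, target, tclass)].update(perms.split())
    return dict(rules)


def uncovered(denials, rules):
    """Return the denied permissions that the given allow rules do not grant."""
    missing = {}
    for key, perms in denials.items():
        remaining = perms - rules.get(key, set())
        if remaining:
            missing[key] = remaining
    return missing


def as_allow_rules(missing):
    """Render the remaining denials in allow-rule syntax for review."""
    lines = []
    for (source, target, tclass), perms in sorted(missing.items()):
        lines.append(
            "allow %s %s:%s { %s };" % (source, target, tclass, " ".join(sorted(perms)))
        )
    return lines


if __name__ == "__main__":
    denied = parse_denials(SAMPLE_AUDIT)
    granted = parse_allow_rules(FEDORA10_SESEARCH)
    # execute_no_trans is the permission checked when a program is executed
    # without leaving the caller's domain; it stays uncovered here because
    # the Fedora 10 rule is paired with a domain transition to spamc.
    for line in as_allow_rules(uncovered(denied, granted)):
        print(line)
```

The leftover execute_no_trans line is a prompt to choose between a domain transition and running spamc inside procmail_t, not a rule to load as printed.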
 
Old 01-26-2009, 07:52 AM
Richard Chapman
 
Default Denials from spamc and webalizer on Centos 5.2

Hi Dominick

It has taken me a while to decide to go ahead with your suggestion
below... (I think I was hoping the problem would go away...:-)) and it
looks like I am heading in the right direction - but there is a little
more work to do.


There seemed to be a problem with the quotes in the line:

echo "optional_policy(`" >> myprocmail.te;

but I edited the .te file - and the make worked fine - after I installed
the selinux-policy-devel package. Here is myprocmail.te:


policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`spamassassin_domtrans_spamc(procmail_t)')

I installed the policy file using the GUI Selinux Administration tool.

I think we have got rid of the procmail error - but now we have a new
error. (see below). I'm guessing I need another line or two in my
myprocmail.te file. Can you tell me what it is I need? I'm pretty sure
this is a new error - which might suggest that there is something wrong
with the above policy file??


I haven't tried the webalizer changes yet. I have turned webalizer off
for the time being.


Many thanks

Richard.


Summary
SELinux is preventing the semodule from using potentially mislabeled
files
(/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session).


Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]


SELinux has denied semodule access to potentially mislabeled file(s)
(/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session).
This means that SELinux will not allow semodule to use these files. It
is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem
is that the files end up with the wrong file context which confined
applications are not allowed to access.


Allowing Access
If you want semodule to access this files, you need to relabel them
using restorecon -v
'/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session'.
You might want to relabel the entire directory using restorecon -R -v
'/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01'.

Additional Information

Source Context: system_u:system_r:semanage_t
Target Context: user_u:object_r:user_home_t
Target Objects:
/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session
[ file ]

Source: semodule
Source Path: /usr/sbin/semodule
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: policycoreutils-1.33.12-14.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: home_tmp_bad_labels
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64

Alert Count: 1
First Seen: Sun Jan 25 14:38:32 2009
Last Seen: Sun Jan 25 14:38:32 2009
Local ID: 5d6e1851-5dc3-49a1-b758-5b33327cdf8f
Line Numbers:

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc:
denied { append } for pid=23410 comm="semodule"
path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session"
dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc:
denied { append } for pid=23410 comm="semodule"
path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session"
dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467):
arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0
a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule"
exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467):
arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0
a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule"
exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)



domg472 g472 wrote:

Hello,

With regard to procmail, I think your policy is missing a domain
transition to spamassassin.

A custom policy looking something like the following may or may not
fix that issue:

mkdir ~/myprocmail; cd ~/myprocmail;
echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
echo "require { type procmail_t; }" >> myprocmail.te;
echo "optional_policy(`" >> myprocmail.te;
echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
echo "')" >> myprocmail.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myprocmail.pp

With regard to webalizer it looks like webalizer is searching
something in a "bin" directory.
If you want you can allow this.

mkdir ~/mywebalizer; cd ~/mywebalizer;
echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
echo "require { type webalizer_t; }" >> mywebalizer.te;
echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i mywebalizer.pp

It may be that both procmail and webalizer domains need more access
after this, but you will notice that if this is the case.

P.s. You may or may not need to escape some of the characters in my example.

Hth,
Dominick




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
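
Added example (not part of the original posts): inside double quotes the shell treats a backquote as the start of a command substitution, which is why the echo line that opens the m4 quote in optional_policy fails. The sketch below writes the same myprocmail.te through a quoted here-document and checks that the m4 quotes balance; the function names echo_line_breaks, write_te and check_te are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# echo_line_breaks: returns 0 when the shell rejects the echo line quoted in
# the thread. Inside double quotes a backquote opens a command substitution,
# and this one is never closed, so the line is a syntax error.
echo_line_breaks() {
    ! sh -c 'echo "optional_policy(`" >> /dev/null' >/dev/null 2>&1
}

# write_te DIR: create DIR/myprocmail.te with the module from the thread.
# Quoting the delimiter ('EOF') disables every shell expansion inside the
# here-document, so the m4 open quote (backquote) and close quote
# (apostrophe) are written unchanged and nothing needs escaping.
write_te() {
    mkdir -p "$1" || return 1
    cat > "$1/myprocmail.te" <<'EOF'
policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`
    spamassassin_domtrans_spamc(procmail_t)
')
EOF
}

# check_te FILE: cheap check before running make. m4 quotes come in pairs,
# so a file with more backquotes (octal 140) than apostrophes (octal 047),
# or the reverse, was damaged on the way in. Returns 0 when the counts match.
check_te() {
    open=$(( $(tr -cd '\140' < "$1" | wc -c) ))
    close=$(( $(tr -cd '\047' < "$1" | wc -c) ))
    [ "$open" -eq "$close" ]
}
```

After write_te ~/myprocmail and a passing check_te, the make and semodule steps from the thread are run in that directory unchanged.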
 
Old 01-26-2009, 08:27 AM
Richard Chapman
 
Default Denials from spamc and webalizer on Centos 5.2

Sorry Dominick - I pasted the wrong error into this email. I've pasted
the right one below.


Richard Chapman wrote:

Hi Dominick

It has taken me a while to decide to go ahead with your suggestion
below... (I think I was hoping the problem would go away...:-)) and it
looks like I am heading in the right direction - but there is a little
more work to do.


There seemed to be a problem with the quotes in the line:

echo "optional_policy(`" >> myprocmail.te;

but I edited the .te file - and the make worked fine - after I
installed the selinux-policy-devel package. Here is myprocmail.te:


policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`spamassassin_domtrans_spamc(procmail_t)')

I installed the policy file using the GUI Selinux Administration tool.

I think we have got rid of the procmail error - but now we have a new
error. (see below). I'm guessing I need another line or two in my
myprocmail.te file. Can you tell me what it is I need? I'm pretty sure
this is a new error - which might suggest that there is something
wrong with the above policy file??


I haven't tried the webalizer changes yet. I have turned webalizer off
for the time being.


Many thanks

Richard.

Summary
SELinux is preventing spamc (spamc_t) "write" to pipe (postfix_local_t).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied
but was permitted due to permissive mode.]


SELinux denied access requested by spamc. It is not expected that this
access is required by spamc and this access may signal an intrusion
attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.


Allowing Access
You can generate a local policy module to allow this access - see FAQ
<http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
<http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.

Additional Information

Source Context: system_u:system_r:spamc_t
Target Context: system_u:system_r:postfix_local_t
Target Objects: pipe [ fifo_file ]
Source: spamc
Source Path: /usr/bin/spamc
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: spamassassin-3.2.4-1.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue
Dec 16 11:57:43 EST 2008 x86_64 x86_64

Alert Count: 8
First Seen: Mon Jan 26 14:24:43 2009
Last Seen: Mon Jan 26 17:10:19 2009
Local ID: 8cff6375-1acd-4f86-bb7f-7c99129a9a2b
Line Numbers:

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc:
denied { write } for pid=17103 comm="spamc" path="pipe:[224027]"
dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc:
denied { write } for pid=17103 comm="spamc" path="pipe:[224027]"
dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232957419.466:2987):
arch=c000003e syscall=59 success=yes exit=0 a0=ac072e0 a1=ac09310
a2=ac09260 a3=8 items=0 ppid=17102 pid=17103 auid=4294967295 uid=500
gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
subj=system_u:system_r:spamc_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232957419.466:2987):
arch=c000003e syscall=59 success=yes exit=0 a0=ac072e0 a1=ac09310
a2=ac09260 a3=8 items=0 ppid=17102 pid=17103 auid=4294967295 uid=500
gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501
tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
subj=system_u:system_r:spamc_t:s0 key=(null)




domg472 g472 wrote:

Hello,

With regard to procmail, I think your policy is missing a domain
transition to spamassassin.

A custom policy looking something like the following may or may not
fix that issue:

mkdir ~/myprocmail; cd ~/myprocmail;
echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
echo "require { type procmail_t; }" >> myprocmail.te;
echo "optional_policy(`" >> myprocmail.te;
echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
echo "')" >> myprocmail.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myprocmail.pp

With regard to webalizer it looks like webalizer is searching
something in a "bin" directory.
If you want you can allow this.

mkdir ~/mywebalizer; cd ~/mywebalizer;
echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
echo "require { type webalizer_t; }" >> mywebalizer.te;
echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i mywebalizer.pp

It may be that both procmail and webalizer domains need more access
after this, but you will notice that if this is the case.

P.s. You may or may not need to escape some of the characters in my
example.


Hth,
Dominick




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


