08-25-2011, 08:30 PM
Adi Fairbank

qmail policy patch

I had some trouble with the policy for the qmail service, as shipped
with CentOS 6. I assume the policy comes from the Fedora project, so
I'm posting here.


It was preventing qmail-inject / qmail-queue / sendmail from searching
and writing /var/qmail/queue/, among other issues. I noticed the
problems because crond-generated e-mail was not getting delivered,
with an error message like:


CROND[21591]: (root) MAIL (mailed 1290 bytes of output but got
status 0x006f#012)


AVC errors in audit.log were:

type=AVC msg=audit(1314228902.078:112210): avc: denied { search }
for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc: denied { search }
for pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc: denied { write }
for pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc: denied { write }
for pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc: denied { read }
for pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362
scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


Attached is a patch to the selinux-policy SRPM (the latest one from
centos6 updates), including spec file diff. Basically, it does the
following:


1. change file context of /var/qmail/owners(/.*)? to qmail_etc_t
2. allow processes of scontext system_mail_t read, write, search
access to files, dirs, and fifos of tcontext qmail_spool_t


Let me know if this policy change poses any security issues or could
be implemented a different way, as I'm rather new to SELinux policy.
I wonder if nobody else is running qmail with SELinux in enforcing
mode? Or perhaps they have a different qmail installation than me.
I don't know how the sendmail command could work, because qmail-queue
can't access /var/qmail/queue/, which is where qmail stores all its
mail for processing.


Adi

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
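The denials quoted in the post above are what audit2allow would turn into allow rules, but a blanket "allow system_mail_t everything it was denied" is the wrong reflex: two of the five targets (the "owners" symlink labeled var_t, and the "pid" directory, ino 655470, which appears once as qmail_spool_t and once as var_run_t) are not carrying a qmail type at all, which points at a labeling problem rather than a missing rule. The script below is an added example, not code from the post or from the selinux-policy package. It parses the AVC lines (constructed sample, re-joined onto one line each from the post), splits them into "generate an allow rule" versus "relabel candidate", and renders a checkmodule-style .te plus a raw .fc entry for the /var/qmail/owners relabel from step 1. The qmail_ type-prefix heuristic, the module name qmail_local and the sample log are assumptions for this example.

```python
"""Added example: derive a local SELinux policy module from AVC denials,
but separate genuine missing rules from denials that indicate mislabeled
files. Not code from the post or from the selinux-policy package."""
import re
from collections import defaultdict

# Constructed sample: the five denials from the post, one record per line.
SAMPLE_AVCS = """
type=AVC msg=audit(1314228902.078:112210): avc: denied { search } for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc: denied { search } for pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc: denied { write } for pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc: denied { write } for pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc: denied { read } for pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "ino": fields.get("ino"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_log(text):
    """Parse every AVC record in a block of audit.log text."""
    return [a for a in (parse_avc(line) for line in text.splitlines()) if a]


def triage(avcs, expected_prefix="qmail_"):
    """Split denials into allow-rule candidates and relabel candidates.

    expected_prefix is an assumption for this example: a target under the
    service's own tree should already carry one of the service's types. A
    generic type such as var_t or var_run_t there usually means the file is
    mislabeled, so the fix is a file context plus restorecon, not an allow
    rule against the generic type (which would open far more than intended).
    """
    rules, relabel = defaultdict(set), []
    for a in avcs:
        if a["ttype"].startswith(expected_prefix):
            rules[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
        else:
            relabel.append(a)
    return rules, relabel


def render_allow_rules(rules):
    """Emit allow rules in the form audit2allow prints them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def render_module(rules, name="qmail_local", version="1.0"):
    """Build a .te body in plain module syntax for checkmodule -M -m (no refpolicy macros)."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), p in rules.items():
        classes[c] |= p
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    body = [f"module {name} {version};", "", "require {", *req, "}", ""]
    body += render_allow_rules(rules)
    return "\n".join(body) + "\n"


def render_fc(entries):
    """Build a raw .fc file for semodule_package -f; entries are (regex, type) pairs."""
    return "".join(f"{path}\tsystem_u:object_r:{t}:s0\n" for path, t in entries)


if __name__ == "__main__":
    avcs = parse_log(SAMPLE_AVCS)
    rules, relabel = triage(avcs)
    print(render_module(rules))
    # Step 1 from the post: give /var/qmail/owners the qmail_etc_t label.
    print(render_fc([("/var/qmail/owners(/.*)?", "qmail_etc_t")]))
    for a in relabel:
        print(f"# relabel candidate, not an allow rule: comm={a['comm']} name={a['name']} "
              f"ino={a['ino']} type={a['ttype']} perms={sorted(a['perms'])}")
```

Run as a script it prints a qmail_local.te that can be built with checkmodule -M -m -o qmail_local.mod qmail_local.te, packaged with semodule_package -o qmail_local.pp -m qmail_local.mod -f qmail_local.fc and loaded with semodule -i qmail_local.pp; after loading, restorecon -Rv /var/qmail applies the new file context. Note that this generates the dir and fifo_file rules for qmail_spool_t only from what the log shows; the file class rule the post's step 2 mentions would only appear once a denial for it is in the log.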
 
08-26-2011, 02:51 PM
Daniel J Walsh

qmail policy patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/25/2011 04:30 PM, Adi Fairbank wrote:
>
> type=AVC msg=audit(1314228902.078:112210): avc: denied { search }
> for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368
> scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir type=AVC
> msg=audit(1314229501.848:112243): avc: denied { search } for
> pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470
> scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir type=AVC
> msg=audit(1314239102.056:112926): avc: denied { write } for
> pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470
> scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=dir type=AVC
> msg=audit(1314245701.871:113246): avc: denied { write } for
> pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365
> scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
> type=AVC msg=audit(1314246901.535:113302): avc: denied { read }
> for pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362
> scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


Open a bug for RHEL5.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5XsvEACgkQrlYvE4MpobNhcwCg6Ig22ehYDUENH5kl6JCTNK8t
gjYAnRv6J0W6/lPsgmjk80NYuBew5RPm
=XDRb
-----END PGP SIGNATURE-----