03-19-2008, 11:42 PM
Edward Kuns

Current status of mailman and clamav selinux

With current policies from RH8 updates, I removed the clamav policy I
had in place to see what current AVCs I receive. All AVCs I receive
regularly are related to mailman.

I get a *lot* of this:

host=kilroy.chi.il.us type=AVC msg=audit(1205972595.706:10245): avc:
denied { read write } for pid=28531 comm="mailman"
path="socket:[3905242]" dev=sockfs ino=3905242
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
host=kilroy.chi.il.us type=SYSCALL msg=audit(1205972595.706:10245):
arch=40000003 syscall=11 success=yes exit=0 a0=8845e78 a1=8845f48
a2=88454f8 a3=40 items=0 ppid=28530 pid=28531 auid=4294967295 uid=8
gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none)
comm="mailman" exe="/usr/lib/mailman/mail/mailman"
subj=system_u:system_r:mailman_mail_t:s0 key=(null)

which I suspect is sendmail not closing a socket before it forks
mailman, but I am not certain how to judge, nor how to get sendmail to
address the issue.


The one I get more rarely seems to occur once every time clamav finds a
virus. I get the following collection of AVCs for each virus discovered
by clamav:

type=AVC msg=audit(1205970966.746:10166): avc: denied { append } for
pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
ino=327743 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc: denied { append } for
pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
ino=327743 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc: denied { read write }
for pid=26516 comm="sendmail" path="socket:[3831091]" dev=sockfs
ino=3831091 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1205970966.746:10166): avc: denied { read write }
for pid=26516 comm="sendmail" path="socket:[3855167]" dev=sockfs
ino=3855167 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1205970966.746:10166): avc: denied { read write }
for pid=26516 comm="sendmail"
path="/var/tmp/clamav-00c6b962e3f10e1caad8ced3cff4e084/msg.2Orwhh"
dev=dm-2 ino=32843 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:clamd_tmp_t:s0 tclass=file
host=kilroy.chi.il.us type=SYSCALL msg=audit(1205970966.746:10166):
arch=40000003 syscall=11 success=yes exit=0 a0=89d56d0 a1=89d57a8
a2=89d4b98 a3=40 items=0 ppid=2867 pid=26516 auid=4294967295 uid=492
gid=486 euid=492 suid=492 fsuid=492 egid=51 sgid=51 fsgid=51 tty=(none)
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0 key=(null)

The setroubleshoot browser message associated with these AVCs is:
"SELinux is preventing sendmail (system_mail_t) "append"
to /var/log/clamd.milter (clamd_var_log_t)." For now I've created a new
myclamav policy from the above AVCs (just the 2nd set listed).

Eddie

--
Eddie Kuns | Home: ekuns at kilroy.chi.il.us
--------------/ URL: http://kilroy.chi.il.us/
"Ah, savory cheese puffs, made inedible by time and fate." -- The Tick

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
03-20-2008, 12:48 PM
Daniel J Walsh

Current status of mailman and clamav selinux


Edward Kuns wrote:
> With current policies from RH8 updates, I removed the clamav policy I
> had in place to see what current AVCs I receive. All AVCs I receive
> regularly are related to mailman.
>
> I get a *lot* of this:
>
> host=kilroy.chi.il.us type=AVC msg=audit(1205972595.706:10245): avc:
> denied { read write } for pid=28531 comm="mailman"
> path="socket:[3905242]" dev=sockfs ino=3905242
> scontext=system_u:system_r:mailman_mail_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
> host=kilroy.chi.il.us type=SYSCALL msg=audit(1205972595.706:10245):
> arch=40000003 syscall=11 success=yes exit=0 a0=8845e78 a1=8845f48
> a2=88454f8 a3=40 items=0 ppid=28530 pid=28531 auid=4294967295 uid=8
> gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none)
> comm="mailman" exe="/usr/lib/mailman/mail/mailman"
> subj=system_u:system_r:mailman_mail_t:s0 key=(null)
>
> which I suspect is sendmail not closing a socket before it forks
> mailman, but I am not certain how to judge, nor how to get sendmail to
> address the issue.
>
>
> The one I get more rarely seems to occur once every time clamav finds a
> virus. I get the following collection of AVCs for each virus discovered
> by clamav:
>
> type=AVC msg=audit(1205970966.746:10166): avc: denied { append } for
> pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
> ino=327743 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
> type=AVC msg=audit(1205970966.746:10166): avc: denied { append } for
> pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2
> ino=327743 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
> type=AVC msg=audit(1205970966.746:10166): avc: denied { read write }
> for pid=26516 comm="sendmail" path="socket:[3831091]" dev=sockfs
> ino=3831091 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1205970966.746:10166): avc: denied { read write }
> for pid=26516 comm="sendmail" path="socket:[3855167]" dev=sockfs
> ino=3855167 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1205970966.746:10166): avc: denied { read write }
> for pid=26516 comm="sendmail"
> path="/var/tmp/clamav-00c6b962e3f10e1caad8ced3cff4e084/msg.2Orwhh"
> dev=dm-2 ino=32843 scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:clamd_tmp_t:s0 tclass=file
> host=kilroy.chi.il.us type=SYSCALL msg=audit(1205970966.746:10166):
> arch=40000003 syscall=11 success=yes exit=0 a0=89d56d0 a1=89d57a8
> a2=89d4b98 a3=40 items=0 ppid=2867 pid=26516 auid=4294967295 uid=492
> gid=486 euid=492 suid=492 fsuid=492 egid=51 sgid=51 fsgid=51 tty=(none)
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0 key=(null)
>
> The setroubleshoot browser message associated with these AVCs is:
> "SELinux is preventing sendmail (system_mail_t) "append"
> to /var/log/clamd.milter (clamd_var_log_t)." For now I've created a new
> myclamav policy from the above AVCs (just the 2nd set listed).
>
> Eddie
>

I will add append; actually, I am just going to allow system_mail_t to
append to all log files. The others all seem to be leaked file descriptors.

audit2allow -i /tmp/t


#============= mailman_mail_t ==============
allow mailman_mail_t sendmail_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t clamd_t:unix_stream_socket { read write };
allow system_mail_t clamd_tmp_t:file { read write };


I think clamd is leaking.

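As an added example (not code from the thread, from audit2allow, or from Fedora policy), the Python below reproduces on Eddie's AVC records the grouping step audit2allow performed above, and separates the append denial, which merits a rule, from the execve-time socket and file denials Dan reads as leaked descriptors. The sample audit lines are condensed from the thread; the leak heuristic is this example's own assumption.

```python
import re
from collections import defaultdict
# Constructed sample: the thread's records, one per line, "system_ubject_r" restored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1205972595.706:10245): avc: denied { read write } for pid=28531 comm="mailman" path="socket:[3905242]" dev=sockfs ino=3905242 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1205972595.706:10245): arch=40000003 syscall=11 success=yes exit=0 ppid=28530 pid=28531 comm="mailman" exe="/usr/lib/mailman/mail/mailman"
type=AVC msg=audit(1205970966.746:10166): avc: denied { append } for pid=26516 comm="sendmail" path="/var/log/clamd.milter" dev=dm-2 ino=327743 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1205970966.746:10166): avc: denied { read write } for pid=26516 comm="sendmail" path="socket:[3831091]" dev=sockfs ino=3831091 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1205970966.746:10166): avc: denied { read write } for pid=26516 comm="sendmail" path="/var/tmp/clamav-00c6b962e3f10e1caad8ced3cff4e084/msg.2Orwhh" dev=dm-2 ino=32843 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:clamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1205970966.746:10166): arch=40000003 syscall=11 success=yes exit=0 ppid=2867 pid=26516 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{([^}]*)\}")

def parse_audit(text):
    """Turn audit lines into dicts of key=value fields; AVC records also get 'perms'."""
    records = []
    for line in text.splitlines():
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        m = PERM_RE.search(line)
        if m:
            rec["perms"] = set(m.group(1).split())
        records.append(rec)
    return records

def type_of(context):
    """system_u:system_r:clamd_t:s0 -> clamd_t (the type field of the context)."""
    return context.split(":")[2]

def allow_rules(records):
    """Merge denials per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for r in records:
        if r.get("type") == "AVC":
            merged[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])] |= r["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def leaked_fd_denials(records):
    """Heuristic (this example's assumption, not an audit2allow feature): a denial
    logged inside an execve event (syscall 11 on i386) on a socket, or on a file
    already open read+write, is a descriptor inherited from a parent that did not
    close it. The kernel rechecks inherited fds at the domain transition and only
    revokes the fd, which is why the SYSCALL record still reports success=yes."""
    execve = {r["msg"] for r in records
              if r.get("type") == "SYSCALL" and r.get("syscall") == "11"}
    return [(type_of(r["scontext"]), r.get("path", "")) for r in records
            if r.get("type") == "AVC" and r["msg"] in execve
            and (r.get("path", "").startswith("socket:") or {"read", "write"} <= r["perms"])]
```

Running `allow_rules(parse_audit(SAMPLE_AUDIT))` yields the three rules audit2allow printed plus the `clamd_var_log_t:file { append }` rule, while `leaked_fd_denials` returns only the two sockets and the clamd temp file, not the log append.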