Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   Some more (probably) Zarafa-related (http://www.linux-archive.org/fedora-selinux-support/692927-some-more-probably-zarafa-related.html)

Matej Cepl 08-11-2012 10:58 AM

Some more (probably) Zarafa-related
 
Hi,

I have found that my server (running RHEL 6 with plenty of EPEL
stuff, most interesting here is probably Zarafa) is still in
permissive mode. Before switching to enforcing again I ran ausearch -m
AVC -ts this-week and got the attached list of AVC denials. I am not
sure what to do about these, but before I blindly file bugs into bugzilla (or
blindly switch on various booleans), I thought to ask for advice here.


[root@luther selinux-research]# audit2allow <avc-this-week.txt |grep -v '^#'|grep -v '^\s*$'
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };

allow httpd_t postfix_spool_t:dir search;
# is httpd_can_sendmail --> off really to blame? Or there is some weird
# interaction between Zarafa webmail and postfix?


allow httpd_t self:process setrlimit;
# this just happened once, and I don't feel well about switching the
# httpd_setrlimit boolean on without knowing why it is required.


My booleans related to http:

[root@luther selinux-research]# getsebool -a|grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
[root@luther selinux-research]#

Thanks for any advice,

Matěj
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.521:4670): arch=40000003 syscall=12 success=yes exit=0 a0=1c16c78 a1=0 a2=5ebff4 a3=5ed840 items=0 ppid=7550 pid=24960 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.521:4670): avc: denied { search } for pid=24960 comm="sendmail" name="postfix" dev=dm-0 ino=1835316 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.524:4671): arch=40000003 syscall=75 success=yes exit=0 a0=1 a1=bf96e98c a2=8f1ff4 a3=ffffffff items=0 ppid=7550 pid=24960 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.524:4671): avc: denied { setrlimit } for pid=24960 comm="sendmail" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.857:4672): arch=40000003 syscall=5 success=yes exit=4 a0=7387d0 a1=80c2 a2=1a4 a3=bfec5498 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.857:4672): avc: denied { read write open } for pid=24961 comm="postdrop" name="858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435172.857:4672): avc: denied { create } for pid=24961 comm="postdrop" name="858047.24961" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435172.857:4672): avc: denied { add_name } for pid=24961 comm="postdrop" name="858047.24961" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344435172.857:4672): avc: denied { write } for pid=24961 comm="postdrop" name="maildrop" dev=dm-0 ino=1835325 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1344435172.857:4672): avc: denied { search } for pid=24961 comm="postdrop" name="maildrop" dev=dm-0 ino=1835325 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.979:4673): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfec53a0 a2=b7867ff4 a3=bfec5498 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.979:4673): avc: denied { getattr } for pid=24961 comm="postdrop" path="/var/spool/postfix/maildrop/858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.980:4674): arch=40000003 syscall=38 success=yes exit=0 a0=7387d0 a1=738640 a2=1c1ff4 a3=7387d0 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.980:4674): avc: denied { rename } for pid=24961 comm="postdrop" name="858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435172.980:4674): avc: denied { remove_name } for pid=24961 comm="postdrop" name="858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:52 2012
type=SYSCALL msg=audit(1344435172.982:4675): arch=40000003 syscall=94 success=yes exit=0 a0=4 a1=1e4 a2=1c1ff4 a3=0 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435172.982:4675): avc: denied { setattr } for pid=24961 comm="postdrop" name="EF6B91C03F8" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
----
time->Wed Aug 8 16:12:53 2012
type=SYSCALL msg=audit(1344435173.252:4676): arch=40000003 syscall=195 success=yes exit=0 a0=738938 a1=bfec5370 a2=b7867ff4 a3=738938 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435173.252:4676): avc: denied { getattr } for pid=24961 comm="postdrop" path="/var/spool/postfix/public/pickup" dev=dm-0 ino=1835251 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=AVC msg=audit(1344435173.252:4676): avc: denied { search } for pid=24961 comm="postdrop" name="public" dev=dm-0 ino=1835328 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=dir
----
time->Wed Aug 8 16:12:53 2012
type=SYSCALL msg=audit(1344435173.252:4677): arch=40000003 syscall=5 success=yes exit=4 a0=738938 a1=8801 a2=0 a3=0 items=0 ppid=24960 pid=24961 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1344435173.252:4677): avc: denied { open } for pid=24961 comm="postdrop" name="pickup" dev=dm-0 ino=1835251 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=AVC msg=audit(1344435173.252:4677): avc: denied { write } for pid=24961 comm="postdrop" name="pickup" dev=dm-0 ino=1835251 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
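To reason about a list like the one attached above without reaching for a boolean or a custom module straight away, it helps to reduce the raw AVC records to the same (source type, target type, class) rules audit2allow prints, while keeping the one fact the rules drop: which executables were running in which domain. The script below is an added example, not code from the thread; the sample records are constructed to match the shape of the posted ones, and the function names are my own. It groups the denials the way audit2allow does and separately lists the comm values seen per source domain, which is what tells you that sendmail and postdrop themselves ran as httpd_t.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the same shape as the ones attached to the post
SAMPLE_AUDIT = """\
type=AVC msg=audit(1344435172.521:4670): avc: denied { search } for pid=24960 comm="sendmail" name="postfix" dev=dm-0 ino=1835316 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1344435172.524:4671): avc: denied { setrlimit } for pid=24960 comm="sendmail" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1344435172.857:4672): avc: denied { read write open } for pid=24961 comm="postdrop" name="858047.24961" dev=dm-0 ino=1836024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435172.857:4672): avc: denied { create } for pid=24961 comm="postdrop" name="858047.24961" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1344435173.252:4677): avc: denied { write } for pid=24961 comm="postdrop" name="pickup" dev=dm-0 ino=1835251 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
"""

# One AVC "denied" record: the permission set in braces, then key=value fields
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Yield one dict per AVC 'denied' record; SYSCALL and other records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        yield {
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'scontext': fields['scontext'],
            'tcontext': fields['tcontext'],
            'tclass': fields['tclass'],
        }


def type_of(context):
    """system_u:system_r:httpd_t:s0 -> httpd_t (the type field of a context)."""
    return context.split(':')[2]


def summarize(records):
    """Collapse denials into audit2allow-style rules keyed by (source, target, class)."""
    rules = defaultdict(set)
    for r in records:
        src, tgt = type_of(r['scontext']), type_of(r['tcontext'])
        # audit2allow writes 'self' when source and target type are the same
        tgt = 'self' if src == tgt else tgt
        rules[(src, tgt, r['tclass'])].update(r['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def format_rules(rules):
    """Render the grouped rules in the 'allow src tgt:class { perms };' syntax."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        lines.append(f'allow {src} {tgt}:{cls} {p};')
    return lines


def programs_by_domain(records):
    """Which programs (comm) ran in which source domain: the fact the rules hide."""
    out = defaultdict(set)
    for r in records:
        out[type_of(r['scontext'])].add(r['comm'])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == '__main__':
    recs = list(parse_avc(SAMPLE_AUDIT))
    for line in format_rules(summarize(recs)):
        print(line)
    for domain, progs in programs_by_domain(recs).items():
        print(f'# {domain}: {", ".join(progs)}')
```

Run it against real output with `ausearch -m AVC -ts this-week --raw` piped into the script in place of the constructed sample. The second report is the one to read before deciding anything: a rule such as `allow httpd_t postfix_spool_maildrop_t:file { ... }` looks like a web-server permission, but the comm column shows it was the mail submission tools that needed it while running in httpd_t, which is the question to settle (by boolean, policy bug report, or neither) rather than granting the rules as printed.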

Daniel J Walsh 08-13-2012 02:31 PM

Some more (probably) Zarafa-related
 
On 08/11/2012 06:58 AM, Matej Cepl wrote:
> Hi,
>
> I have found that I have my server (running RHEL 6 with plenty of EPEL
> stuff, most interesting here is probably Zarafa) is still in the permissive
> mode. Before switching to enforcing again I run ausearch -m AVC -ts
> this-week and got the attached list of AVC denials. I am not sure what
> about these, but before I blindly file bugs into bugzilla (or blindly
> switch on various booleans), I thought to ask about advice here.
>
> [root@luther selinux-research]# audit2allow <avc-this-week.txt |grep -v '^#'|grep -v '^\s*$'
> allow httpd_t postfix_public_t:dir search;
> allow httpd_t postfix_public_t:fifo_file { write getattr open };
> allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
> allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
> allow httpd_t postfix_spool_t:dir search;
> # is httpd_can_sendmail --> off really to blame? Or there is some weird
I do not know, but I would figure these should require httpd_can_sendmail, but
I am not sure if the boolean would provide all of these.
> interaction between Zarafa webmail and postfix?
>
> allow httpd_t self:process setrlimit; # this just happened once, and I
> don't feel well about switching the httpd_setrlimit boolean on without
> knowing why it is required.
>
> My booleans related to http:
>
> [root@luther selinux-research]# getsebool -a|grep http
> allow_httpd_anon_write --> off
> allow_httpd_mod_auth_ntlm_winbind --> off
> allow_httpd_mod_auth_pam --> off
> allow_httpd_sys_script_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_check_spam --> off
> httpd_can_network_connect --> off
> httpd_can_network_connect_cobbler --> off
> httpd_can_network_connect_db --> off
> httpd_can_network_memcache --> off
> httpd_can_network_relay --> off
> httpd_can_sendmail --> off
> httpd_dbus_avahi --> on
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> off
> httpd_execmem --> off
> httpd_manage_ipa --> off
> httpd_read_user_content --> off
> httpd_setrlimit --> off
> httpd_ssi_exec --> off
> httpd_tmp_exec --> off
> httpd_tty_comm --> on
> httpd_unified --> on
> httpd_use_cifs --> off
> httpd_use_gpg --> off
> httpd_use_nfs --> off
> httpd_use_openstack --> off
> [root@luther selinux-research]#
>
> Thanks for any advice,
>
> Matěj
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

