On Sat, 2006-06-24 at 10:12 +0100, Paul Howarth wrote:
On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:
<snip>
I suspect that the current FC5 policy includes these interfaces but not the policy modules or file contexts. Can anyone confirm this? Renaming/removing the .if files makes these warnings go away anyway.
Yep. I removed the .if files and all seems well.
I'm going to rename the myclamscan module to myclamav, and merge together the myclamscan policy with some clamav tweaks I did for someone on fedora-list. This will make it easier to eventually merge it into the main policy.
OK. Makes sense
/.razor/*
That looks rather dubious.
I initially thought that these files in / were from the initial install.
However, the dates on the log files in that path are current as of last night, when the cron jobs run.
What are the cron jobs doing? We need to find a way of stopping them writing here. There's no way I'm going to add policy to allow this.
Here are the key entries:
# Run ClamAV Update every hour
00 * * * * root freshclam --quiet
# Run DCC Update at 1 am
00 01 * * * root /var/dcc/libexec/updatedcc > /dev/null
# Run pyzor update at 1:10 am
10 01 * * * root /usr/bin/pyzor discover > /dev/null
# Run razor update at 1:20 am
20 01 * * * root /usr/bin/razor-admin -discover > /dev/null
updatedcc downloads and builds an updated DCC client each night.
'pyzor discover' updates the pyzor server list.
'razor-admin -discover' does the same for the razor servers.
The files in /root/.razor appear to be tagged as during the day today, perhaps when cron jobs result in e-mails to root, which are then mapped to my userID by postfix.
It's unfortunate that the mapping takes place later than the razor invocation.
(snip)
<snip>
type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
Failed to transition to dcc type, which will be because dccproc isn't labelled correctly (it's in /usr/local/bin but policy expects it in /usr/bin). Please check in dcc.fc if there are any other programs not in the right place.
These files:
/usr/bin/cdcc /usr/bin/dccproc
are in:
/usr/local/bin/cdcc /usr/local/bin/dccproc
There is no /etc/dcc tree
The files that are listed in /usr/libexec/dcc are in /var/dcc/libexec.
There is no /var/run/dcc tree.
<snip of new policy files>
After loading these modules, please do:
# restorecon -rv /usr/local/bin
Done.
Moving clamassassin into its own domain may cause lots of new AVCs. This is expected...
OK.
# semodule -l
amavis          1.0.4
clamav          1.0.1
dcc             1.0.0
myclamav        0.1.1
mydcc           0.1.5
mypostfix       0.1.0
mypyzor         0.2.1
myspamassassin  0.1.1
procmail        0.5.4
pyzor           1.0.1
razor           1.0.0
New messages:
type=AVC msg=audit(1151188279.668:1444): avc: denied { read } for pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.668:1444): arch=40000003 syscall=11 success=yes exit=0 a0=a6eece8 a1=9c6f400 a2=a8f8b08 a3=bfec81ac items=2 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.668:1444): path="/tmp/.spamassassin2378EoApLctmp"
type=CWD msg=audit(1151188279.668:1444): cwd="/"
type=PATH msg=audit(1151188279.668:1444): item=0 name="/usr/local/bin/dccproc" inode=3122809 dev=16:07 mode=0104555 ouid=0 ogid=1 rdev=00:00 obj=system_u:object_r:dcc_client_exec_t:s0
type=PATH msg=audit(1151188279.668:1444): item=1 name=(null) inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1151188279.672:1445): avc: denied { getattr } for pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1445): arch=40000003 syscall=197 success=yes exit=0 a0=0 a1=bff9ba98 a2=4891eff4 a3=3 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1445): path="/tmp/.spamassassin2378EoApLctmp"
type=AVC msg=audit(1151188279.672:1446): avc: denied { search } for pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1151188279.672:1446): arch=40000003 syscall=12 success=yes exit=0 a0=bff9abe2 a1=0 a2=4891eff4 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=CWD msg=audit(1151188279.672:1446): cwd="/"
type=PATH msg=audit(1151188279.672:1446): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=AVC msg=audit(1151188279.672:1447): avc: denied { read write } for pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1447): arch=40000003 syscall=5 success=yes exit=3 a0=80ba6e0 a1=2 a2=180 a3=37 items=1 pid=6563 auid=4294967295 uid=500 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=CWD msg=audit(1151188279.672:1447): cwd="/var/dcc"
type=PATH msg=audit(1151188279.672:1447): item=0 name="/var/dcc/map" inode=59007 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0
type=AVC msg=audit(1151188279.672:1448): avc: denied { getattr } for pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1448): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bff9a9f8 a2=4891eff4 a3=3 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1448): path="/var/dcc/map"
type=AVC msg=audit(1151188279.672:1449): avc: denied { lock } for pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.672:1449): arch=40000003 syscall=221 success=yes exit=0 a0=3 a1=7 a2=bff9bb74 a3=bff9bb74 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC_PATH msg=audit(1151188279.672:1449): path="/var/dcc/map"
type=AVC msg=audit(1151188279.672:1450): avc: denied { node_bind } for pid=6563 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1151188279.672:1450): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff9bab0 a2=4891eff4 a3=37 items=0 pid=6563 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=SOCKADDR msg=audit(1151188279.672:1450): saddr=02000000000000000000000000000000
type=SOCKETCALL msg=audit(1151188279.672:1450): nargs=3 a0=4 a1=bff9bb54 a2=10
Thanks,
Marc
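The triage Paul applies in this thread to each AVC denial can be written down as a small parser and classifier: first check whether the process is running in the domain its executable should have transitioned to (dccproc in spamd_t rather than dcc_client_t means the exe is mislabelled and restorecon on it is the fix), then check whether the target is unlabeled_t (the target path needs relabelling, not new policy), and only otherwise treat the denial as a candidate policy gap to review. This is an added example, not code from the thread or from the Fedora policy; the EXPECTED_DOMAIN map and the diagnosis names are assumptions for illustration, and the sample records are excerpted from the audit output quoted earlier in the message.

```python
import re
from collections import Counter

# Sample input: AVC and SYSCALL records excerpted from the audit output quoted
# in this thread (fields not needed here have been dropped from two lines).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 pid=22051 uid=500 comm="dccproc" exe="/usr/local/bin/dccproc"
type=AVC msg=audit(1151188279.668:1444): avc: denied { read } for pid=6563 comm="dccproc" name=".spamassassin2378EoApLctmp" dev=dm-2 ino=24 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1151188279.668:1444): arch=40000003 syscall=11 success=yes exit=0 pid=6563 uid=500 comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:dcc_client_t:s0
type=AVC msg=audit(1151188279.672:1446): avc: denied { search } for pid=6563 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1151188279.672:1447): avc: denied { read write } for pid=6563 comm="dccproc" name="map" dev=dm-1 ino=59007 scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1151188279.672:1450): avc: denied { node_bind } for pid=6563 comm="dccproc" scontext=system_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
"""

# One AVC record: timestamp:serial, permission set, pid, comm, optional name,
# then the source/target contexts and object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied'
    r' \{ (?P<perms>[^}]+)\} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*? scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
# The SYSCALL record sharing the same timestamp:serial carries the exe path.
SYSCALL_EXE_RE = re.compile(r'type=SYSCALL msg=audit\(([\d.]+:\d+)\):.* exe="([^"]*)"')

# Assumption for this example: the domain each program should run in once its
# executable carries the right file context.  In the thread, dccproc is meant
# to end up in dcc_client_t; the map is not taken from the page.
EXPECTED_DOMAIN = {"dccproc": "dcc_client_t"}

# Assumed diagnosis labels and the corresponding next step for the admin.
REMEDY = {
    "no-transition": "exe mislabelled: check the .fc entries, then restorecon the executable",
    "relabel-target": "target is unlabeled_t: restorecon the target path, no new policy",
    "policy-gap": "review with audit2why/audit2allow before adding any allow rule",
}


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_audit(text):
    """Parse AVC records and attach the exe path from the matching SYSCALL record."""
    exes = {}
    for line in text.splitlines():
        m = SYSCALL_EXE_RE.match(line)
        if m:
            exes[m.group(1)] = m.group(2)
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["perms"] = r["perms"].split()
        r["stype"] = type_of(r["scontext"])
        r["ttype"] = type_of(r["tcontext"])
        r["exe"] = exes.get(f'{r["ts"]}:{r["serial"]}')
        records.append(r)
    return records


def diagnose(r):
    """Apply the thread's triage order to one parsed AVC record."""
    expected = EXPECTED_DOMAIN.get(r["comm"])
    if expected and r["stype"] != expected:
        return "no-transition"
    if r["ttype"] == "unlabeled_t":
        return "relabel-target"
    return "policy-gap"


def summarize(records):
    """Collapse repeated denials into (source, target, class, perms, diagnosis) counts."""
    counts = Counter()
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"], " ".join(r["perms"]), diagnose(r))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perms, diag), n in summarize(parse_audit(SAMPLE_AUDIT)).items():
        print(f"{n}x {stype} -> {ttype} {tclass} {{ {perms} }}: {diag}: {REMEDY[diag]}")
```

Run against a real system, the input would come from ausearch -m AVC output rather than the embedded string; the point of the diagnosis order is that a denial logged for the wrong source domain, or against unlabeled_t, is a labelling problem, and feeding such lines to audit2allow would only bake the mislabelling into policy.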