On Thu, 2006-06-22 at 20:19 -0500, Marc Schwartz wrote:
On Thu, 2006-06-22 at 14:10 +0100, Paul Howarth wrote:
Marc Schwartz (via MN) wrote:
On Wed, 2006-06-21 at 13:57 -0500, Marc Schwartz (via MN) wrote:
Just to be clear, I should leave or remove the mydcc policy?
Paul,
I am getting errors when building the dcc and razor policies:
dcc.if:23: duplicate definition of dcc_domtrans_cdcc(). Original definition on 23.
dcc.if:54: duplicate definition of dcc_run_cdcc(). Original definition on 54.
dcc.if:76: duplicate definition of dcc_domtrans_client(). Original definition on 76.
dcc.if:107: duplicate definition of dcc_run_client(). Original definition on 107.
dcc.if:129: duplicate definition of dcc_domtrans_dbclean(). Original definition on 129.
dcc.if:160: duplicate definition of dcc_run_dbclean(). Original definition on 160.
dcc.if:181: duplicate definition of dcc_stream_connect_dccifd(). Original definition on 181.
razor.if:101: duplicate definition of razor_common_domain_template(). Original definition on 101.
razor.if:197: duplicate definition of razor_per_userdomain_template(). Original definition on 197.
razor.if:218: duplicate definition of razor_domtrans(). Original definition on 218.
The modules do seem to build and install however.
I do believe that I answered my own question above, in that the dcc policy will not load with the mydcc policy loaded.
Current status:
# semodule -l
amavis      1.0.4
clamav      1.0.1
dcc         1.0.0
myclamscan  0.2.0
mypyzor     0.2.1
procmail    0.5.3
pyzor       1.0.1
razor       1.0.0
I suspect that the current FC5 policy includes these interfaces but not the policy modules or file contexts. Can anyone confirm this? Renaming/removing the .if files makes these warnings go away anyway.
Yep. I removed the .if files and all seems well.
I'm going to rename the myclamscan module to myclamav, and merge together the myclamscan policy with some clamav tweaks I did for someone on fedora-list. This will make it easier to eventually merge it into the main policy.
On Wed, 2006-06-21 at 14:56 -0500, Marc Schwartz (via MN) wrote:
Just a quick note that so far, all seems to be well.
No avclist msgs since the change in policies to the above.
Want me back in Enforcing mode?
Hold the presses. Now getting avc's:
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc: denied { execute_no_trans } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1150920365.865:1776): avc: denied { read } for pid=4583 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
This is spamassassin failing to transition to the pyzor_t domain. The strange thing is that this should already be allowed by policy.
spamassassin.te has:
optional_policy(`
    pyzor_domtrans(spamd_t)
')
Anyone got any ideas why this isn't working?
Given that this is causing problems, I'll add it locally for now.
(snip)
/.razor/*
That looks rather dubious.
I initially thought that these files in / were from the initial install.
However, the dates on the log files in that path are current as of last night, when the cron jobs run.
What are the cron jobs doing? We need to find a way of stopping them writing here. There's no way I'm going to add policy to allow this.
The files in /root/.razor appear to be tagged as during the day today, perhaps when cron jobs result in e-mails to root, which are then mapped to my userID by postfix.
It's unfortunate that the mapping takes place later than the razor invocation.
(snip)
On Wed, 2006-06-21 at 21:18 +0100, Paul Howarth wrote:
In addition to my prior e-mail with the dcc and razor files, here are the pyzor files:
/.pyzor/*
That looks dubious.
I think that this is the same situation as with razor above.
Probably so.
(snip)
OK. Here are the latest avc's subsequent to the above change and now using the spamc/d approach:
type=AVC msg=audit(1151025305.852:691): avc: denied { execute } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025305.852:691): avc: denied { execute_no_trans } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
spamd failing to transition to pyzor again.
(snip)
type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=SYSCALL msg=audit(1151025306.136:693): arch=40000003 syscall=12 success=yes exit=0 a0=bfe79ac2 a1=0 a2=4891eff4 a3=37 items=1 pid=22051 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
Failed to transition to dcc type, which will be because dccproc isn't labelled correctly (it's in /usr/local/bin but policy expects it in /usr/bin). Please check in dcc.fc if there are any other programs not in the right place.
Here are the new policy modules. You can get rid of myclamscan now.
:::::::::::::: myclamav.if ::::::::::::::
## <summary>Clamassassin Virus Scanner Wrapper.</summary>

########################################
## <summary>
##    Execute the clamassassin program in the clamassassin domain.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`clamav_domtrans_clamassassin',`
    gen_require(`
        type clamassassin_t, clamassassin_exec_t;
    ')

    corecmd_search_bin($1)
    domain_auto_trans($1, clamassassin_exec_t, clamassassin_t)

    allow $1 clamassassin_t:fd use;
    allow clamassassin_t $1:fd use;
    allow clamassassin_t $1:fifo_file rw_file_perms;
    allow clamassassin_t $1:process sigchld;
')
:::::::::::::: myclamav.fc ::::::::::::::
/usr/bin/clamassassin        --  gen_context(system_u:object_r:clamassassin_exec_t,s0)
/usr/local/bin/clamassassin  --  gen_context(system_u:object_r:clamassassin_exec_t,s0)
/var/log/clamav/clamd.*      --  gen_context(system_u:object_r:clamd_var_log_t,s0)
:::::::::::::: myclamav.te ::::::::::::::
policy_module(myclamav, 0.1.1)

require {
    type clamd_t;
    type clamscan_t;
    type clamscan_tmp_t;
    type freshclam_t;
    type postfix_local_t;
    type procmail_t;
};

type clamassassin_t;
domain_type(clamassassin_t)

type clamassassin_exec_t;
domain_entry_file(clamassassin_t,clamassassin_exec_t)

# ========================================
# clamassassin local policy
# ========================================

# Transition from unconfined for command-line usage
ifdef(`targeted_policy',`
    clamav_domtrans_clamassassin(unconfined_t)
')

# When clamassassin writes temp files, they're for clamscan to process
# so make them clamscan_tmp_t
allow clamassassin_t clamscan_tmp_t:dir create_dir_perms;
allow clamassassin_t clamscan_tmp_t:file create_file_perms;
files_tmp_filetrans(clamassassin_t, clamscan_tmp_t, { file dir })

# clamassassin needs to be able to call clamscan
clamav_domtrans_clamscan(clamassassin_t)

# ========================================
# clamd local policy
# ========================================

kernel_read_kernel_sysctls(clamd_t)

# ========================================
# clamscan local policy
# ========================================

# Allow clamscan output to be piped back into the
# postfix local delivery process
# (this might now be clamassassin_t)
#allow clamscan_t postfix_local_t:fd use;
#allow clamscan_t postfix_local_t:fifo_file write;

# ========================================
# freshclam local policy
# ========================================

# Allow freshclam to send syslog messages
logging_send_syslog_msg(freshclam_t)

# Allow freshclam to read generic kernel sysctls
kernel_read_kernel_sysctls(freshclam_t)
:::::::::::::: mydcc.fc ::::::::::::::
/usr/local/bin/cdcc     --  gen_context(system_u:object_r:cdcc_exec_t,s0)
/usr/local/bin/dccproc  --  gen_context(system_u:object_r:dcc_client_exec_t,s0)
:::::::::::::: mydcc.te ::::::::::::::
policy_module(mydcc, 0.1.5)

require {
    type spamd_t;
}
:::::::::::::: myspamassassin.te ::::::::::::::
policy_module(myspamassassin, 0.1.1)

require {
    type spamd_t;
}

# This will be included in FC5 policy when dcc module is included
dcc_domtrans_client(spamd_t)

# This is already supposed to be included but doesn't seem to be working
pyzor_domtrans(spamd_t)

# This will be included in FC5 policy when razor module is included
razor_domtrans(spamd_t)
:::::::::::::: procmail.fc ::::::::::::::
/var/log/procmail.log  --  gen_context(system_u:object_r:procmail_var_log_t,s0)
:::::::::::::: procmail.te ::::::::::::::
policy_module(procmail, 0.5.4)

require {
    type procmail_t;
    type sendmail_t;
};

# temp files
type procmail_tmp_t;
files_tmp_file(procmail_tmp_t)

# log files
type procmail_var_log_t;
logging_log_file(procmail_var_log_t)

# Write log to /var/log/procmail.log
allow procmail_t procmail_var_log_t:file create_file_perms;
allow procmail_t procmail_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(procmail_t,procmail_var_log_t, { file dir })

# Allow programs called from procmail to read/write temp files and dirs
allow procmail_t procmail_tmp_t:dir create_dir_perms;
allow procmail_t procmail_tmp_t:file create_file_perms;
files_type(procmail_tmp_t)
files_tmp_filetrans(procmail_t, procmail_tmp_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy)
corecmd_read_sbin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during forwarding
allow procmail_t sendmail_t:process signal;

# Allow transition to sendmail
# This is in selinux-policy-2.2.34-2 onwards
# (may need similar code for other MTAs that can replace sendmail)
# sendmail_domtrans(procmail_t)

# ==============================================
# Procmail needs to be able to call clamassassin
# ==============================================
clamav_domtrans_clamassassin(procmail_t)
After loading these modules, please do:
# restorecon -rv /usr/local/bin
Moving clamassassin into its own domain may cause lots of new AVCs. This is expected...
Paul.
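As an added example (not part of the thread, and not the policy modules above): a small Python script that parses AVC lines of the kind pasted in this thread, groups them by source type, target type and object class, and flags the two patterns Paul diagnosed: execute/execute_no_trans denials on a *_exec_t type (the caller may run the entry point but no domain transition fired, so the *_domtrans() call is missing or not loaded), and a program whose comm name belongs to a module but is running in the caller's domain (its executable is not labelled as that module expects, so restorecon is needed). The function names and the two heuristics are my own; the sample records are copied from the thread and embedded as constructed input.

```python
import re
from collections import defaultdict

# AVC records copied from the thread above (constructed sample input): spamd
# executing pyzor with no transition, and dccproc running in spamd_t.
SAMPLE_AVCS = """\
type=AVC msg=audit(1151025305.852:691): avc: denied { execute } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025305.852:691): avc: denied { execute_no_trans } for pid=22050 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=AVC msg=audit(1151025306.136:693): avc: denied { search } for pid=22051 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (set of denied permissions, dict of key=value fields) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return set(m.group('perms').split()), fields

def type_of(context):
    """user:role:type:level -> type, e.g. spamd_t or pyzor_exec_t."""
    return context.split(':')[2]

def diagnose(audit_text):
    """Group denials by (source type, target type, class) and return
    (finding, source, target, comm) tuples for the two patterns in this thread."""
    perms_by_key, comm_by_key = defaultdict(set), {}
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])
        perms_by_key[key] |= perms
        comm_by_key[key] = f.get('comm', '')
    findings = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        comm = comm_by_key[(src, tgt, cls)]
        module = tgt.split('_')[0]  # pyzor_exec_t -> pyzor, dcc_var_t -> dcc
        if cls == 'file' and tgt.endswith('_exec_t') and perms & {'execute', 'execute_no_trans'}:
            # Entry point executed but no transition fired: <module>_domtrans(src) missing/not loaded
            findings.append(('missing_transition', src, tgt, comm))
        elif comm.startswith(module) and not src.startswith(module):
            # A <module> program runs in the caller's domain: executable likely mislabelled (restorecon)
            findings.append(('unlabelled_exec', src, tgt, comm))
    return findings
```

Run diagnose() over the output of `ausearch -m avc` (or the audit.log lines) to get one finding per (source, target, class) triple rather than one per raw record.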