On Thu, 17 Jan 2008 12:51:33 -0500 Daniel J Walsh dwalsh@redhat.com wrote:
> Paul Howarth wrote:
> > Today I've done a bit of a clean-up of the local policy modules I've had in use over the last couple of Fedora releases, removing bits that are no longer needed and consolidating the remaining ones into a single "localmisc" module. The result of this is:
> >
> > policy_module(localmisc, 0.1.34)
> >
> > require {
> >     attribute mailserver_delivery;
> >     type depmod_t;
> >     type httpd_t;
> >     type load_policy_t;
> >     type procmail_t;
> >     type procmail_tmp_t;
> >     type pptp_t;
> >     type restorecon_t;
> >     type sendmail_t;
> >     type setfiles_t;
> >     type soundd_port_t;
> >     type squid_t;
> >     type useradd_t;
> >     type var_t;
> > };
> >
> > # ========================================
> > # Things that probably need to go upstream
> > # ========================================
> >
> > # Milter sockets, why did this work before?
> > #allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
> > init_stream_connect_script(mailserver_delivery)
> > init_rw_script_stream_sockets(mailserver_delivery)
>
> Already added.
>
> > # Allow misc command output to be sent to a pipe, needed for rpm scriptlets
> > # Probably not needed since Fedora 8
> > #unconfined_rw_pipes(depmod_t)
> > #unconfined_rw_pipes(load_policy_t)
> > #unconfined_rw_pipes(setfiles_t)
> > #unconfined_rw_pipes(useradd_t)
> >
> > # Allow pptp to manage its own processes
> > allow pptp_t self:process signal;
>
> Added.
>
> > # Allow sendmail to read procmail tempfiles for forwarding
> > # (would need a new interface in procmail.if to do this properly)
> > allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };
>
> Added.

Policy now has procmail_read_tmp_files(sendmail_t) but this doesn't allow write access by sendmail. Sendmail needs to write into procmail_tmp_t when a procmail recipe pipes a message into a filter and that filter creates a temp file, I believe.

I'm getting the AVCs anyway:

type=AVC msg=audit(1202162399.034:320138): avc: denied { write } for pid=16452 comm="sendmail" path="/tmp/choplist.16383" dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1202162399.034:320138): arch=40000003 syscall=11 success=yes exit=0 a0=bf8febff a1=84ffe44 a2=bf8fe3a4 a3=84ffe44 items=0 ppid=16384 pid=16452 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1202162401.083:320139): avc: denied { write } for pid=16453 comm="sendmail" path=2F746D702F63686F706C6973742E3136333833202864656C6574656429 dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file

Paul.
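[Editor's added example, not part of the thread or of the Fedora policy sources.] The two AVC records Paul posted are exactly what a policy maintainer turns into an allow rule or an interface call, and the second one shows a detail that trips people up: auditd hex-encodes a field when it contains a space or quote, so path=2F746D70... is the same temp file with a " (deleted)" suffix, not a different object. The script below parses those records (embedded as sample input, copied from the message above), decodes the hex-encoded path the way ausearch -i would, and collapses the denials into one raw allow rule per source type, target type and object class. Only the function names and the HEX_ENCODED_FIELDS list are this example's own choices; the field names and formats are auditd's.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records (plus the SYSCALL record between them)
# from Paul's message, laid out one record per line as audit.log stores them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1202162399.034:320138): avc: denied { write } for pid=16452 comm="sendmail" path="/tmp/choplist.16383" dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1202162399.034:320138): arch=40000003 syscall=11 success=yes exit=0 a0=bf8febff a1=84ffe44 a2=bf8fe3a4 a3=84ffe44 items=0 ppid=16384 pid=16452 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1202162401.083:320139): avc: denied { write } for pid=16453 comm="sendmail" path=2F746D702F63686F706C6973742E3136333833202864656C6574656429 dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
"""

# Denial header: the permission set inside { }, then the key=value tail.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<tail>.*)$'
)
# key=value pairs; a value is either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields auditd hex-encodes when they contain a space, a quote or non-printable
# bytes (here: the " (deleted)" suffix on a temp file that was already unlinked).
# This list is the example's own choice, not an auditd constant.
HEX_ENCODED_FIELDS = {"path", "comm", "exe", "name", "proctitle"}


def decode_audit_value(key, raw):
    """Return the string value of one audit field, undoing quoting and hex encoding."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    # Decode only fields auditd is known to hex-encode: a numeric field such as
    # ino=13 is also "valid hex" and must be left alone.
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def context_type(context):
    """Extract the type component (third field) of a user:role:type[:mls] context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Parse audit.log text into a list of denial dicts; non-AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: decode_audit_value(k, v) for k, v in FIELD_RE.findall(m.group("tail"))}
        fields["perms"] = m.group("perms").split()
        fields["stype"] = context_type(fields["scontext"])
        fields["ttype"] = context_type(fields["tcontext"])
        denials.append(fields)
    return denials


def denials_to_allow_rules(denials):
    """Collapse denials into one raw allow rule per (source type, target type, class).

    A raw allow rule is the first approximation only; in refpolicy the proper
    fix is an interface call (the thread's procmail_read_tmp_files, or a new
    read/write interface in procmail.if), which is what the rule tells you to look for.
    """
    perms_by_key = defaultdict(set)
    for d in denials:
        perms_by_key[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    parsed = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in parsed:
        print("%s denied %s on %s (%s)" % (d["stype"], " ".join(d["perms"]), d["path"], d["tclass"]))
    for rule in denials_to_allow_rules(parsed):
        print(rule)
```

Run against the embedded records this yields a single rule, allow sendmail_t procmail_tmp_t:file { write };, which is the write permission missing from procmail_read_tmp_files(sendmail_t) that Paul describes. Decoding only a fixed set of string fields matters: the same audit line carries ino=13, and a decoder that hex-decodes every even-length hex-looking value would silently corrupt numeric fields.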
Paul Howarth wrote:
> On Thu, 17 Jan 2008 12:51:33 -0500 Daniel J Walsh dwalsh@redhat.com wrote:
> > Paul Howarth wrote:
> > > Today I've done a bit of a clean-up of the local policy modules I've had in use over the last couple of Fedora releases, removing bits that are no longer needed and consolidating the remaining ones into a single "localmisc" module. The result of this is:
> > >
> > > policy_module(localmisc, 0.1.34)
> > >
> > > require {
> > >     attribute mailserver_delivery;
> > >     type depmod_t;
> > >     type httpd_t;
> > >     type load_policy_t;
> > >     type procmail_t;
> > >     type procmail_tmp_t;
> > >     type pptp_t;
> > >     type restorecon_t;
> > >     type sendmail_t;
> > >     type setfiles_t;
> > >     type soundd_port_t;
> > >     type squid_t;
> > >     type useradd_t;
> > >     type var_t;
> > > };
> > >
> > > # ========================================
> > > # Things that probably need to go upstream
> > > # ========================================
> > >
> > > # Milter sockets, why did this work before?
> > > #allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
> > > init_stream_connect_script(mailserver_delivery)
> > > init_rw_script_stream_sockets(mailserver_delivery)
> >
> > Already added.
> >
> > > # Allow misc command output to be sent to a pipe, needed for rpm scriptlets
> > > # Probably not needed since Fedora 8
> > > #unconfined_rw_pipes(depmod_t)
> > > #unconfined_rw_pipes(load_policy_t)
> > > #unconfined_rw_pipes(setfiles_t)
> > > #unconfined_rw_pipes(useradd_t)
> > >
> > > # Allow pptp to manage its own processes
> > > allow pptp_t self:process signal;
> >
> > Added.
> >
> > > # Allow sendmail to read procmail tempfiles for forwarding
> > > # (would need a new interface in procmail.if to do this properly)
> > > allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };
> >
> > Added.
>
> Policy now has procmail_read_tmp_files(sendmail_t) but this doesn't allow write access by sendmail. Sendmail needs to write into procmail_tmp_t when a procmail recipe pipes a message into a filter and that filter creates a temp file, I believe.
>
> I'm getting the AVCs anyway:
>
> type=AVC msg=audit(1202162399.034:320138): avc: denied { write } for pid=16452 comm="sendmail" path="/tmp/choplist.16383" dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1202162399.034:320138): arch=40000003 syscall=11 success=yes exit=0 a0=bf8febff a1=84ffe44 a2=bf8fe3a4 a3=84ffe44 items=0 ppid=16384 pid=16452 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
> type=AVC msg=audit(1202162401.083:320139): avc: denied { write } for pid=16453 comm="sendmail" path=2F746D702F63686F706C6973742E3136333833202864656C6574656429 dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
>
> Paul.

Fixed in selinux-policy-3.0.8-84.fc8