* [gentoo-hardened] Policy Help regarding Postfix and amavisd-new =)
From: Zack Gilburd @ 2003-06-27 16:35 UTC
To: gentoo-hardened
Hey, everyone =)
First of all, I would like to say that I just installed SELinux /late/ last
night, so I don't have that much of an understanding about what exactly I need
to do to fix my problems.
The first, and most important, problem I am having occurs when I am in
permissive mode. I have attached the relevant /var/log/kern.log segments and
put them up on my website -- the URL is
<http://tehunlose.com/tmp/sehelp.txt>. The reason why I say it is the most
important is because, with the errors provided and while the amavisd.log says
that everything is happening okay, I am not quite sure that amavisd is able
to do what it *needs* to do (SpamAssassin filtering and clamav/clamd
filtering).
The second problem I am having occurs when I enter enforcing mode. I have a
proftpd daemon running. When I enter into enforcing mode, my users can no
longer authenticate successfully, although they can telnet in. If/when they
telnet in during enforce mode, their username is accepted but their correct
password is rejected. The users are able to SSH in, though, so I am guessing
it's a problem with my policies.
The third problem also occurs during enforce mode. When I try to send mail to
myself through telnet (for debugging purposes, I'm not that oldschool ;)),
everything *appears* to go through correctly. However, I never receive the
mail. I notice no evidence of a problem in any of my log files. In fact,
that brings me to my fourth problem.
When I enter enforcing mode, all of my log files stop flowing -- all of them.
kern.log, messages, etc., they all just... stop. I am guessing that the log
files can not be written under my current policies, but that is just my
haphazard guess.
Also, in enforcing mode, I can no longer scp to or from my SELinux box.
For my policy, I am currently using pebenito's base-policy for the June 26th,
2003.
Thank you :)
--
Zack Gilburd
http://tehunlose.com
GnuPG Key ID: A79A45668240AB6C
[-- Attachment #1.2: sehelp.txt --]
[-- Type: text/plain, Size: 5258 bytes --]
Jun 27 09:09:04 cerebellum avc: denied { write } for pid=11899 exe=/usr/lib/postfix/smtpd path=/log dev=00:07 ino=916 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=sock_file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { append } for pid=6866 exe=/usr/sbin/metalog path=/var/log/mail/current dev=03:03 ino=749 scontext=root:staff_r:staff_t tcontext=root:object_r:var_log_t tclass=file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { ioctl } for pid=11690 exe=/usr/bin/perl path=socket:[51609] dev=00:00 ino=51609 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { write } for pid=11690 exe=/usr/bin/perl path=socket:[51609] dev=00:00 ino=51609 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { read } for pid=11690 exe=/usr/bin/perl path=socket:[51609] dev=00:00 ino=51609 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { setattr } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/email.txt dev=00:0e ino=51139 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { write } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/email.txt dev=00:0e ino=51139 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { read } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/email.txt dev=00:0e ino=51139 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { write } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/parts dev=00:0e ino=51140 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { add_name } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/parts/part-00001 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { create } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/parts/part-00001 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { ioctl } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/parts/part-00001 dev=00:0e ino=51611 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { read } for pid=11906 exe=/usr/sbin/clamd path=/amavis-20030627T090004-11690/parts dev=00:0e ino=51140 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { getattr } for pid=11690 exe=/usr/bin/perl path=socket:[51609] dev=00:00 ino=51609 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { read } for pid=11690 exe=/usr/bin/perl path=/var/amavis/.razor dev=03:03 ino=326209 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { write } for pid=11690 exe=/usr/bin/perl path=/var/amavis/.spamassassin dev=03:03 ino=326197 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { add_name } for pid=11690 exe=/usr/bin/perl path=/var/amavis/.spamassassin/auto-whitelist.lock.cerebellum.11690 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { remove_name } for pid=11690 exe=/usr/bin/perl path=/var/amavis/.spamassassin/auto-whitelist.lock.cerebellum.11690 dev=03:03 ino=7054 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { remove_name } for pid=11690 exe=/usr/bin/perl path=/sa.11690.qAmOpP dev=00:0e ino=51618 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { unlink } for pid=11690 exe=/usr/bin/perl path=/sa.11690.qAmOpP dev=00:0e ino=51618 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { setattr } for pid=11690 exe=/usr/bin/perl path=/var/amavis/amavisd.lock dev=03:03 ino=326198 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=file
* Re: [gentoo-hardened] Policy Help regarding Postfix and amavisd-new =)
From: Chris PeBenito @ 2003-06-28 16:04 UTC
To: Zack Gilburd; +Cc: gentoo-hardened
On Fri, 2003-06-27 at 11:35, Zack Gilburd wrote:
> <http://tehunlose.com/tmp/sehelp.txt>. The reason why I say it is the most
> important is because, with the errors provided and while the amavisd.log says
> that everything is happening okay, I am not quite sure that amavisd is able
> to do what it *needs* to do (SpamAssassin filtering and clamav/clamd
> filtering).
There needs to be a policy for postfix, spamassassin and clam{av,d}.
We'll soon be working on policies for common daemons.
> The second problem I am having occurs when I enter enforcing mode. I have a
> proftpd daemon running. When I enter into enforcing mode, my users can no
> longer authenticate successfully, although they can telnet in. If/when they
> telnet in during enforce mode, their username is accepted but their correct
> password is rejected. The users are able to SSH in, though, so I am guessing
> it's a problem with my policies.
Proftpd will also need its own policy. It's probably running in
initrc_t right now, and when it goes to authenticate someone, it's being
denied.
> The third problem also occurs during enforce mode. When I try to send mail to
> myself through telnet (for debugging purposes, I'm not that oldschool ;)),
> everything *appears* to go through correctly. However, I never receive the
> mail. I notice no evidence of a problem in any of my log files. In fact,
> that brings me to my fourth problem.
This is related to the missing postfix policy.
> When I enter enforcing mode, all of my log files stop flowing -- all of them.
> kern.log, messages, etc., they all just... stop. I am guessing that the log
> files can not be written under my current policies, but that is just my
> haphazard guess.
The syslog is most likely not running in the correct context.
> Also, in enforcing mode, I can no longer scp to or from my SELinux box.
Most likely a mislabeled home dir; logging in as staff_r, when your home
dir is still user_home_(dir_)t. See file_contexts/staff.fc (in the
policy dir) to see how to fix this.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
"Engineering does not require science. Science helps
a lot, but people built perfectly good brick walls
long before they knew why cement works."-Alan Cox
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
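An added example, not part of either message above: a small Python parser for the `avc: denied` line format shown in the sehelp.txt attachment. It groups denied permissions by executable, source type, target type and object class, then lists the executables whose denials originate from the generic `initrc_t` domain, which is the situation the reply describes for daemons that have no policy of their own. The sample lines are copied from the attachment; the function names are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the sehelp.txt attachment earlier in this thread.
SAMPLE = """\
Jun 27 09:09:04 cerebellum avc: denied { write } for pid=11899 exe=/usr/lib/postfix/smtpd path=/log dev=00:07 ino=916 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=sock_file
Jun 27 09:09:04 cerebellum
Jun 27 09:09:04 cerebellum avc: denied { write } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/email.txt dev=00:0e ino=51139 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum avc: denied { read } for pid=11690 exe=/usr/bin/perl path=/amavis-20030627T090004-11690/email.txt dev=00:0e ino=51139 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=file
Jun 27 09:09:04 cerebellum avc: denied { read } for pid=11906 exe=/usr/sbin/clamd path=/amavis-20030627T090004-11690/parts dev=00:0e ino=51140 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:tmpfs_t tclass=dir
Jun 27 09:09:04 cerebellum avc: denied { add_name } for pid=11690 exe=/usr/bin/perl path=/var/amavis/.spamassassin/auto-whitelist.lock.cerebellum.11690 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC.search(line)
    if not m:
        return None
    # Remaining fields are space-separated key=value pairs.
    rec = dict(f.split("=", 1) for f in m.group("kv").split() if "=" in f)
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(text):
    """Group denied permissions by (exe, source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # blank syslog lines and non-AVC messages
        src = rec["scontext"].split(":")[2]  # user:role:type -> type
        tgt = rec["tcontext"].split(":")[2]
        groups[(rec.get("exe", "?"), src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(groups)

def needs_own_domain(groups, generic=("initrc_t",)):
    """Executables whose denials come from a generic domain such as initrc_t."""
    return sorted({exe for (exe, src, _, _) in groups if src in generic})

if __name__ == "__main__":
    g = summarize(SAMPLE)
    for key, perms in sorted(g.items()):
        print(*key, sorted(perms))
    print("no dedicated domain:", needs_own_domain(g))
```

Run against the full kern.log segment, the grouped output gives the set of object types and permissions each daemon touches, which is the starting material for writing a dedicated domain rather than widening `initrc_t`.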