
qmail policy patch



I had some trouble with the policy for the qmail service, as shipped with CentOS 6. I assume the policy comes from the Fedora project, so I'm posting here.

It was preventing qmail-inject / qmail-queue / sendmail from searching and writing to /var/qmail/queue/, among other issues. I noticed the problems because crond-generated e-mail was not getting delivered, with an error message like:

CROND[21591]: (root) MAIL (mailed 1290 bytes of output but got status 0x006f#012)

AVC errors in audit.log were:

type=AVC msg=audit(1314228902.078:112210): avc: denied { search } for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc: denied { search } for pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc: denied { write } for pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc: denied { write } for pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc: denied { read } for pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file

Attached is a patch to the selinux-policy SRPM (the latest one from centos6 updates), including spec file diff. Basically, it does the following:

1. change file context of /var/qmail/owners(/.*)? to qmail_etc_t
2. allow processes of scontext system_mail_t read, write, search access to files, dirs, and fifos of tcontext qmail_spool_t

Let me know if this policy change poses any security issues or could be implemented a different way, as I'm rather new to SELinux policy. I wonder if nobody else is running qmail with SELinux in enforcing mode? Or perhaps they have a different qmail installation than me. I don't know how the sendmail command could work, because qmail-queue can't access /var/qmail/queue/, which is where qmail stores all its mail for processing.

Adi

Attachment: policy-qmail.patch
Description: Binary data

Attachment: selinux-policy.spec.patch
Description: Binary data
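
The two-step fix described in the mail (relabel the mislabeled path, then allow the remaining accesses) is the same triage that audit2allow and sealert perform on AVC records. The following is an added example, not code from the mail or from the selinux-policy package: it parses the five denials quoted above (embedded here as constructed sample input), collapses them into (source type, target type, class) tuples with the union of denied permissions, renders the resulting allow rules, and separately flags denials whose target carries a generic type such as var_t or var_run_t, because those usually point to a labeling problem (like the /var/qmail/owners symlink) rather than a missing rule. The set of "generic" types is my own heuristic, not something the policy defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in the mail, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1314228902.078:112210): avc: denied { search } for pid=12894 comm="qmail-queue" name="queue" dev=dm-4 ino=655368 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314229501.848:112243): avc: denied { search } for pid=13193 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir
type=AVC msg=audit(1314239102.056:112926): avc: denied { write } for pid=946 comm="qmail-queue" name="pid" dev=dm-4 ino=655470 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1314245701.871:113246): avc: denied { write } for pid=21283 comm="qmail-queue" name="trigger" dev=dm-4 ino=655365 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1314246901.535:113302): avc: denied { read } for pid=21514 comm="qmail-queue" name="owners" dev=dm-4 ino=655362 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (my assumption, not policy-defined): denials against these
# catch-all types usually mean the object is mislabeled, so the right fix is
# a file context entry plus restorecon, not a new allow rule.
GENERIC_TARGET_TYPES = {"var_t", "var_run_t", "var_lib_t", "etc_t", "usr_t",
                        "default_t", "unlabeled_t", "file_t"}


def _type_of(context):
    """Extract the type field from a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def summarize(text):
    """Merge denials into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Render merged denials as sorted policy-language allow statements."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    )


def suspect_mislabeling(text):
    """Return sorted (object name, target type) pairs that hit generic types."""
    hits = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["target_type"] in GENERIC_TARGET_TYPES:
            hits.add((rec["name"], rec["target_type"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule in render_allow_rules(summarize(SAMPLE_AVC)):
        print(rule)
    print("possible labeling problems:", suspect_mislabeling(SAMPLE_AVC))
```

Run against the sample, the two qmail_spool_t rules are the ones a policy patch legitimately needs, while the var_t and var_run_t hits (the owners symlink and the pid directory) are better answered by file context changes, which is what item 1 of the patch does for /var/qmail/owners; the equivalent check for the pid directory is worth making before adding a rule that lets system_mail_t write to every var_run_t directory.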

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
