2008-08-29 11:19:40

by vaclav.ovsik

Subject: [refpolicy] Debian: postfix & sending mail by unconfined_u

Hi,
I have a question please. I'm running Debian Sid with SE Linux
& selinux-policy-default. I have installed postfix.
There are messages while user unconfined_u tries to send mail.

mail -s hello zito at bobek.localdomain <<<hello

results in

[ 470.026225] type=1401 audit(1219924099.255:7): security_compute_sid: invalid context unconfined_u:unconfined_r:postfix_postdrop_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process
[ 470.037101] type=1300 audit(1219924099.255:7): arch=40000003 syscall=11 success=yes exit=0 a0=80c7f40 a1=80c8068 a2=80c78e0 a3=80c7f70 items=0 ppid=1868 pid=1869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=pts1 ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=unconfined_u:unconfined_r:postfix_postdrop_t:s0 key=(null)


unconfined_r lacks some postfix types.

I was searching through the sources for some time, but I could not find out why
e.g. staff_u (staff_r) is able to use mail without problems, but
unconfined_r needs explicitly allowed types. Probably some attribute.
I found analogy with mta module (mta_per_role_template).

zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o -type f -regex '.*\.(te|if|fc)' -print|xargs egrep 'mta_per_role_template'
./policy/modules/services/mta.if:template(`mta_per_role_template',`
./policy/modules/system/unconfined.te: mta_per_role_template(unconfined, unconfined_t, unconfined_r)

zito@bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o -type f -regex '.*\.(te|if|fc)' -print|xargs egrep 'postfix_per_role_template'
./policy/modules/services/postfix.if:template(`postfix_per_role_template',`

The unconfined user is OK too after adding corresponding
postfix_per_role_template(...) for it (the patch attached).

Is such a solution right?

Thanks
--
Zito
-------------- next part --------------
Index: selinux-policy-src/policy/modules/system/unconfined.te
===================================================================
--- selinux-policy-src.orig/policy/modules/system/unconfined.te 2008-08-29 09:48:10.000000000 +0200
+++ selinux-policy-src/policy/modules/system/unconfined.te 2008-08-29 09:50:07.000000000 +0200
@@ -161,6 +161,7 @@
')

optional_policy(`
+ postfix_per_role_template(unconfined, unconfined_t, unconfined_r)
postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
# cjp: this should probably be removed:
postfix_domtrans_master(unconfined_t)
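Review bot: the placement inside the existing optional_policy( block that already carries postfix_run_map() and postfix_domtrans_master() is the right one, since postfix_per_role_template() is declared in postfix.if and must only be invoked when the postfix module is loaded. The audit record in the message (invalid context unconfined_u:unconfined_r:postfix_postdrop_t:s0 computed on exec of postfix_postdrop_exec_t, tclass=process) is a role/type authorization failure for unconfined_r, which is exactly what the per-role template supplies, so the fix matches the diagnosis. Two things to check after rebuilding: that an expanded role query (seinfo) now lists postfix_postdrop_t under unconfined_r, and that the added line uses the same indentation as the neighbouring calls, which the extracted diff no longer shows.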


2008-08-29 12:59:40

by cpebenito

Subject: [refpolicy] Debian: postfix & sending mail by unconfined_u

On Fri, 2008-08-29 at 13:19 +0200, Václav Ovsík wrote:
> Hi,
> I have a question please. I'm running Debian Sid with SE Linux
> & selinux-policy-default. I have installed postfix.
> There are messages while user unconfined_u tries to send mail.
>
> mail -s hello zito at bobek.localdomain <<<hello
>
> results in
>
> [ 470.026225] type=1401 audit(1219924099.255:7): security_compute_sid: invalid context unconfined_u:unconfined_r:postfix_postdrop_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process
> [ 470.037101] type=1300 audit(1219924099.255:7): arch=40000003 syscall=11 success=yes exit=0 a0=80c7f40 a1=80c8068 a2=80c78e0 a3=80c7f70 items=0 ppid=1868 pid=1869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=pts1 ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=unconfined_u:unconfined_r:postfix_postdrop_t:s0 key=(null)
>
>
> unconfined_r lacks some postfix types.
>
> I was searching through the sources for some time, but I could not find out why
> e.g. staff_u (staff_r) is able to use mail without problems, but
> unconfined_r needs explicitly allowed types. Probably some attribute.
> I found analogy with mta module (mta_per_role_template).
>
> zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o -type f -regex '.*\.(te|if|fc)' -print|xargs egrep 'mta_per_role_template'
> ./policy/modules/services/mta.if:template(`mta_per_role_template',`
> ./policy/modules/system/unconfined.te: mta_per_role_template(unconfined, unconfined_t, unconfined_r)
>
> zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o -type f -regex '.*\.(te|if|fc)' -print|xargs egrep 'postfix_per_role_template'
> ./policy/modules/services/postfix.if:template(`postfix_per_role_template',`
>
> The unconfined user is OK too after adding corresponding
> postfix_per_role_template(...) for it (the patch attached).
>
> Is such a solution right?

Yes. I also added qmail_per_role_template() for the same reason.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
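As an added diagnostic that is not part of either message in this thread: a small Python script that parses kernel log lines of the kind quoted above (the type=1401 security_compute_sid record and the type=1300 syscall record that shares its audit serial), splits each security context into user:role:type:level, and reports which role lacks authorization for which type, i.e. the role statement that postfix_per_role_template() ends up supplying for unconfined_r. It also distinguishes that case from a genuine role change, where the computed context carries a different role than the source and role_transition/role allow rules are what need checking. The sample log lines embedded in it are constructed copies of the two records in the first message; the function names are the example's own.

```python
"""Explain SELinux 'invalid context' transition failures from kernel/audit log lines.

Added example for the refpolicy thread on unconfined_u sending mail; not code
from the thread or from refpolicy itself.
"""
import re

# Constructed sample, copied from the two records quoted in the first message.
SAMPLE_LOG = [
    "[  470.026225] type=1401 audit(1219924099.255:7): security_compute_sid: invalid context "
    "unconfined_u:unconfined_r:postfix_postdrop_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0 "
    "tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process",
    "[  470.037101] type=1300 audit(1219924099.255:7): arch=40000003 syscall=11 success=yes exit=0 "
    "a0=80c7f40 a1=80c8068 a2=80c78e0 a3=80c7f70 items=0 ppid=1868 pid=1869 auid=4294967295 uid=0 gid=0 "
    "euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=pts1 ses=4294967295 comm=\"postdrop\" "
    "exe=\"/usr/sbin/postdrop\" subj=unconfined_u:unconfined_r:postfix_postdrop_t:s0 key=(null)",
]

# type=1401 (SELINUX_ERR) record emitted when security_compute_sid() rejects the computed context.
INVALID_CTX_RE = re.compile(
    r"audit\((?P<serial>[\d.]+:\d+)\): security_compute_sid: invalid context "
    r"(?P<invalid>\S+) for scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)"
)
# type=1300 (SYSCALL) record; the audit serial ties it to the 1401 record above.
SYSCALL_RE = re.compile(r"type=1300 audit\((?P<serial>[\d.]+:\d+)\): (?P<fields>.*)")
# key=value pairs, values optionally double-quoted (comm="postdrop", exe="/usr/sbin/postdrop").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:range] into parts; the MLS/MCS range is absent on non-MLS policies."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_syscall_fields(text):
    """Turn the SYSCALL record body into a dict, stripping the quotes around string values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def diagnose(lines):
    """Return one finding per invalid-context record, enriched with the matching SYSCALL record."""
    syscalls, findings = {}, []
    for line in lines:
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group("serial")] = parse_syscall_fields(m.group("fields"))
            continue
        m = INVALID_CTX_RE.search(line)
        if not m:
            continue
        invalid = parse_context(m.group("invalid"))
        src = parse_context(m.group("scontext"))
        tgt = parse_context(m.group("tcontext"))
        # Same role in source and computed context: the role simply lacks the new type.
        # Different role: a role_transition produced it and the role rules are what to inspect.
        kind = "role_type" if invalid["role"] == src["role"] else "role_change"
        findings.append({
            "serial": m.group("serial"),
            "tclass": m.group("tclass"),
            "role": invalid["role"],
            "type": invalid["type"],
            "source_role": src["role"],
            "source_type": src["type"],
            "exec_type": tgt["type"],
            "kind": kind,
            # The statement that would authorize the role for the type (what the per-role
            # template expands to, among other rules).
            "role_statement": f"role {invalid['role']} types {invalid['type']};",
        })
    for f in findings:  # correlate by audit serial; fields stay None if no SYSCALL record was seen
        sc = syscalls.get(f["serial"], {})
        f["comm"], f["exe"], f["success"] = sc.get("comm"), sc.get("exe"), sc.get("success")
    return findings


def explain(f):
    """One-line human-readable summary of a finding."""
    who = f"{f['comm']} ({f['exe']})" if f["comm"] else "unknown process"
    if f["kind"] == "role_type":
        return (f"{who}: {f['source_type']} exec of {f['exec_type']} computed type {f['type']}, "
                f"but role {f['role']} is not authorized for it; needs: {f['role_statement']}")
    return (f"{who}: role changed {f['source_role']} -> {f['role']} on exec of {f['exec_type']}; "
            f"check role_transition and role allow rules for {f['role']}")


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(explain(finding))
```

The same script can be fed `dmesg` or `ausearch -m SELINUX_ERR,SYSCALL --raw` output line by line; only the two record types above are interpreted, everything else is ignored.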