From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 29 Aug 2008 08:59:40 -0400
Subject: [refpolicy] Debian: postfix & sending mail by unconfined_u
In-Reply-To: <20080829111940.GA32593@bobek.pm.i.cz>
References: <20080829111940.GA32593@bobek.pm.i.cz>
Message-ID: <1220014780.22710.31.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2008-08-29 at 13:19 +0200, Václav Ovsík wrote:
> Hi,
> I have a question please. I'm running Debian Sid with SE Linux
> & selinux-policy-default. I have installed postfix.
> There are messages while user unconfined_u tries to send mail.
>
> mail -s hello zito at bobek.localdomain <<
> results in
>
> [  470.026225] type=1401 audit(1219924099.255:7): security_compute_sid: invalid context unconfined_u:unconfined_r:postfix_postdrop_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process
> [  470.037101] type=1300 audit(1219924099.255:7): arch=40000003 syscall=11 success=yes exit=0 a0=80c7f40 a1=80c8068 a2=80c78e0 a3=80c7f70 items=0 ppid=1868 pid=1869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=pts1 ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=unconfined_u:unconfined_r:postfix_postdrop_t:s0 key=(null)
>
> unconfined_r lacks some postfix types.
>
> I was searching through the sources for some time, but I could not find out why
> e.g. staff_u (staff_r) is able to use mail without problem, but
> unconfined_r needs explicitly allowed types. Probably some attribute.
> I found an analogy with the mta module (mta_per_role_template).
>
> zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o -type f -regex '.*\.(te|if|fc)' -print | xargs egrep 'mta_per_role_template'
> ./policy/modules/services/mta.if:template(`mta_per_role_template',`
> ./policy/modules/system/unconfined.te:	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
>
> zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o -type f -regex '.*\.(te|if|fc)' -print | xargs egrep 'postfix_per_role_template'
> ./policy/modules/services/postfix.if:template(`postfix_per_role_template',`
>
> The unconfined user is OK too after adding the corresponding
> postfix_per_role_template(...) for it (the patch attached).
>
> Is such a solution right?

Yes. I also added qmail_per_role_template() for the same reason.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
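The audit record quoted above is not an AVC denial: a `type=1401 security_compute_sid: invalid context` message means the domain transition rule from unconfined_mail_t via postfix_postdrop_exec_t exists and produced a new context, but that context fails policy validation, here because the role unconfined_r is not authorized for the type postfix_postdrop_t. The `*_per_role_template` calls in refpolicy are what grant that role/type authorization, which is why staff_r (which already gets it) works and unconfined_r did not. The following Python, an added example that is not part of the thread or of refpolicy, parses such a record, splits the three contexts into user/role/type/level, and reports which validity check failed. The `ROLE_TYPES` and `USER_ROLES` tables are constructed for illustration only; on a real system the authorizations come from the loaded policy (for instance `seinfo -r<role> -x` and `seinfo -u<user> -x`), and the `role ... types ...;` statement it emits is the raw rule that the module's per-role template wraps.

```python
"""Classify an SELinux security_compute_sid 'invalid context' audit record.

Added example (not from the refpolicy thread). The record is parsed, the
computed context is checked against user->roles and role->types tables the way
the kernel's context validity check does, and the failing authorization is
named.
"""
import re

# Constructed sample input: the type=1401 record quoted in the thread,
# re-typed here so the example runs offline.
SAMPLE = (
    "[  470.026225] type=1401 audit(1219924099.255:7): security_compute_sid: "
    "invalid context unconfined_u:unconfined_r:postfix_postdrop_t:s0 "
    "for scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0 "
    "tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process"
)

# Assumed, hand-written authorization tables. On a real system derive them from
# the loaded policy (e.g. `seinfo -r<role> -x`, `seinfo -u<user> -x`); they are
# constructed here only to mirror the check the kernel performs.
ROLE_TYPES = {
    "unconfined_r": {"unconfined_t", "unconfined_mail_t"},
    "staff_r": {"staff_t", "staff_mail_t", "postfix_postdrop_t"},
}
USER_ROLES = {
    "unconfined_u": {"unconfined_r"},
    "staff_u": {"staff_r"},
}

_RECORD_RE = re.compile(
    r"security_compute_sid: invalid context (?P<new>\S+) "
    r"for scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may be absent or contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_compute_sid(line):
    """Return the contexts of a security_compute_sid invalid-context record, else None."""
    m = _RECORD_RE.search(line)
    if m is None:
        return None
    return {
        "new": split_context(m.group("new")),
        "scontext": split_context(m.group("src")),
        "tcontext": split_context(m.group("tgt")),
        "tclass": m.group("tclass"),
    }


def diagnose(record, role_types=ROLE_TYPES, user_roles=USER_ROLES):
    """Name the authorizations the computed context lacks.

    The transition rule itself fired (otherwise no new context would have been
    computed), so the failure is in validation: the user is not allowed the
    role, or the role is not allowed the type.
    """
    new = record["new"]
    problems = []
    if new["role"] != "object_r" and new["role"] not in user_roles.get(new["user"], set()):
        problems.append(f"user {new['user']} is not authorized for role {new['role']}")
    if new["type"] not in role_types.get(new["role"], set()):
        problems.append(f"role {new['role']} is not authorized for type {new['type']}")
    return problems


def suggest_role_rule(record):
    """Raw policy statement granting the missing role/type authorization.

    In refpolicy this is not written by hand; the owning module's
    *_per_role_template (here postfix_per_role_template) emits it.
    """
    new = record["new"]
    return f"role {new['role']} types {new['type']};"


if __name__ == "__main__":
    rec = parse_compute_sid(SAMPLE)
    for problem in diagnose(rec):
        print(problem)
    print("underlying rule:", suggest_role_rule(rec))
```

Running it against the record from the thread reports that unconfined_r is not authorized for postfix_postdrop_t; substituting staff_u/staff_r (which the constructed table already grants the type) reports nothing, matching the behaviour the question describes.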