From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 14 Nov 2012 19:05:00 +0100
Subject: [refpolicy] [PATCH 4/5] Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
In-Reply-To: <1352566218-17772-5-git-send-email-sven.vermeulen@siphos.be>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be> <1352566218-17772-5-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1352916300.3654.2.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2012-11-10 at 17:50 +0100, Sven Vermeulen wrote:
> When fail2ban invokes sendmail to send out a mail event, denials such as the
> following ones occur, but without any consequence on the functioning itself (the
> mails are sent out correctly, no errors in logs):
>
> type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for
> pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480
> scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t
> tclass=unix_stream_socket
> type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047
> comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075
> scontext=system_u:system_r:postfix_postdrop_t
> tcontext=system_u:system_r:fail2ban_t tclass=fd
>
> It looks like these are due to leaked file descriptors.
>
> Signed-off-by: Sven Vermeulen
> ---
> mta.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/mta.te b/mta.te
> index 712dbf5..11e7363 100644
> --- a/mta.te
> +++ b/mta.te
> @@ -250,6 +250,8 @@ optional_policy(`
>
> optional_policy(`
> fail2ban_append_log(system_mail_t)
> + fail2ban_dontaudit_use_fds(system_mail_t)

The fd use is for postfix_postdrop_t and not system_mail_t, as per the above avc denials.

> + fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
> fail2ban_rw_inherited_tmp_files(system_mail_t)
> ')
>
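Review bot: the added fail2ban_dontaudit_use_fds(system_mail_t) line does not match the denial it is meant to silence; the quoted { use } fd denial has scontext=system_u:system_r:postfix_postdrop_t (comm="postdrop"), not system_mail_t, so with this hunk applied that denial would still be logged. Either move the call to the postfix_postdrop_t block in postfix.te, or re-check a fresh audit log for a use fd denial where the source is system_mail_t before dontauditing it here. The other added line, fail2ban_dontaudit_rw_stream_sockets(system_mail_t), does match the first denial (comm="sendmail", scontext system_mail_t, tclass=unix_stream_socket). Neither interface is defined in this diff, which touches only mta.te per the diffstat, so both must be added to fail2ban.if by an earlier patch in the series for the policy to build. The commit message could also say explicitly that these are dontaudit rules covering a descriptor leak in fail2ban rather than a fix for the leak itself, so a later reader knows the underlying cause is still open.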