From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 17 Nov 2012 21:58:50 +0100
Subject: [refpolicy] [PATCH v1 4/9] Dontaudit attempts by system_mail_t to use leaked fd or stream sockets
In-Reply-To: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1353185935-17421-5-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When fail2ban invokes sendmail to send out a mail event, denials such as the following ones occur, but without any consequence on the functioning itself (the mails are sent out correctly, no errors in logs):

type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd

It looks like these are due to leaked file descriptors.

Signed-off-by: Sven Vermeulen
---
 mta.te     |    1 +
 postfix.te |    4 ++++
 2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/mta.te b/mta.te
index 712dbf5..9edcb31 100644
--- a/mta.te
+++ b/mta.te
@@ -249,6 +249,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
 	fail2ban_append_log(system_mail_t)
 	fail2ban_rw_inherited_tmp_files(system_mail_t)
 ')
diff --git a/postfix.te b/postfix.te
index 45ebb39..c0e6ace 100644
--- a/postfix.te
+++ b/postfix.te
@@ -604,6 +604,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fail2ban_dontaudit_use_fds(postfix_postdrop_t)
+')
+
+optional_policy(`
 	fstools_read_pipes(postfix_postdrop_t)
 ')
 
-- 
1.7.8.6
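Review bot: in the mta.te hunk the new `fail2ban_dontaudit_rw_stream_sockets(system_mail_t)` call is inserted above `fail2ban_append_log(system_mail_t)`, but refpolicy keeps the interface calls inside an optional_policy block in alphabetical order (the two existing calls already are), so it belongs between `fail2ban_append_log` and `fail2ban_rw_inherited_tmp_files`. The interface itself is not defined anywhere in this patch; as this is 4/9, the commit message should say it is introduced by an earlier patch in the series (or already exists in fail2ban.if), otherwise the hunk does not build when applied on its own. Functionally the rule is the right scope: it only silences the `read write` denial on the fail2ban_t unix_stream_socket from the first AVC and grants nothing, which matches the observation that mail is still delivered; the leaked socket remains fail2ban's to close before it executes sendmail.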
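Review bot: the postfix.te hunk relies on `fail2ban_dontaudit_use_fds`, which this patch does not define either, so the same dependency on an earlier patch in the series should be stated in the commit message. The ordering is fine: the new fail2ban optional_policy block sits ahead of the fstools one, and the extra `+')`/`+`/`+optional_policy(\`` lines correctly leave the existing fstools block intact. Worth noting in the message is why a second rule is needed at all: the `use` denial is on a fail2ban_t fd whose path is /dev/null, which was inherited by sendmail (system_mail_t) and then passed on to postdrop (postfix_postdrop_t), so silencing system_mail_t alone would leave the postdrop denial in the audit log. Dontauditing a leaked /dev/null descriptor is harmless, but the leak is still worth reporting to fail2ban so that the descriptor is marked close-on-exec there.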