commit: d7b303c071e9c3857e750c73b15b195528eaa487 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Nov 17 20:58:50 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Nov 21 20:58:34 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d7b303c0 |
|
Dontaudit attempts by system_mail_t to use leaked fd or stream sockets |
|
When fail2ban invokes sendmail to send out a mail notification, denials such as |
the following occur. They have no functional consequence (the mails are delivered |
correctly and no errors appear in the logs): |
|
type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for |
pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 |
scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t |
tclass=unix_stream_socket |
type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047 |
comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 |
scontext=system_u:system_r:postfix_postdrop_t |
tcontext=system_u:system_r:fail2ban_t tclass=fd |
|
It looks like these are due to leaked file descriptors. |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/mta.te | 1 + |
policy/modules/contrib/postfix.te | 4 ++++ |
2 files changed, 5 insertions(+), 0 deletions(-) |
|
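--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -249,6 +249,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
 	fail2ban_append_log(system_mail_t)
 	fail2ban_rw_inherited_tmp_files(system_mail_t)
 ')
 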
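Review bot: The new dontaudit call at the top of the optional_policy block silences the `{ read write }` denial on fail2ban's unix stream socket without recording that it is a workaround for a descriptor fail2ban leaks across its exec of sendmail; a one-line comment such as `# fail2ban leaks its stream socket across exec of sendmail; silence, do not allow` would keep a later maintainer from turning it into an allow rule. This hides the symptom only: the real fix is for fail2ban to mark the socket FD_CLOEXEC (or close it before exec), and once the rule is in place the denial is only visible again with dontaudit rules disabled (`semodule -DB`). The diffstat lists only mta.te and postfix.te, so `fail2ban_dontaudit_rw_stream_sockets` must already be defined in fail2ban.if; if it is not, the module build fails. Placing the dontaudit call before the allow-style calls follows the refpolicy ordering convention.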
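--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -615,6 +615,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fail2ban_dontaudit_use_fds(postfix_postdrop_t)
+')
+
+optional_policy(`
 	fstools_read_pipes(postfix_postdrop_t)
 ')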
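Review bot: `fail2ban_dontaudit_use_fds(postfix_postdrop_t)` silences fd `use` for every fail2ban_t descriptor postdrop might inherit, not only the /dev/null fd in the AVC quoted in the commit message, so a later leak of fail2ban's log or socket descriptor into postdrop (a setgid helper in a standard Postfix install) would no longer appear in the audit log. Since the intent is narrow, a comment naming the observed case, `# fail2ban leaks /dev/null across exec of sendmail -> postdrop; silence, do not allow`, makes the scope of the silencing explicit. The underlying fix is close-on-exec on fail2ban's descriptors; this rule is a workaround and should be re-checked with `semodule -DB` after fail2ban is updated. The new block is placed before the fstools one, consistent with the alphabetical ordering of optional_policy blocks visible here.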