Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 21 Nov 2012 21:03:00
Message-Id: 1353531514.d7b303c071e9c3857e750c73b15b195528eaa487.SwifT@gentoo
commit: d7b303c071e9c3857e750c73b15b195528eaa487
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 17 20:58:50 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Nov 21 20:58:34 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d7b303c0

Dontaudit attempts by system_mail_t to use leaked fd or stream sockets

When fail2ban invokes sendmail to send out a mail event, denials such as the
following ones occur, but without any consequence on the functioning itself (the
mails are sent out correctly, no errors in logs):

type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for
pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480
scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t
tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047
comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075
scontext=system_u:system_r:postfix_postdrop_t
tcontext=system_u:system_r:fail2ban_t tclass=fd

It looks like these are due to leaked file descriptors.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
policy/modules/contrib/mta.te | 1 +
policy/modules/contrib/postfix.te | 4 ++++
2 files changed, 5 insertions(+), 0 deletions(-)

32 diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
33 index 712dbf5..9edcb31 100644
34 --- a/policy/modules/contrib/mta.te
35 +++ b/policy/modules/contrib/mta.te
36 @@ -249,6 +249,7 @@ optional_policy(`
37 ')
38
39 optional_policy(`
40 + fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
41 fail2ban_append_log(system_mail_t)
42 fail2ban_rw_inherited_tmp_files(system_mail_t)
43 ')
44
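Review bot: the new call `fail2ban_dontaudit_rw_stream_sockets(system_mail_t)` relies on an interface that this patch does not add, and neither mta.te nor postfix.te can define it; please confirm that fail2ban.if in this tree already provides it, otherwise the policy build fails on an undefined macro. Two smaller points on the same hunk: refpolicy keeps interface calls inside an optional_policy block in alphabetical order, so the dontaudit line would sort after `fail2ban_append_log(system_mail_t)` rather than before it; and since the commit message only says the socket "looks like" a leak, it is worth checking on the fail2ban side (for example that the socket is opened with close-on-exec) before silencing the denial, because a dontaudit hides the AVC for any future case where sendmail genuinely needs that descriptor.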
45 diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
46 index dcd7e58..23cf5cd 100644
47 --- a/policy/modules/contrib/postfix.te
48 +++ b/policy/modules/contrib/postfix.te
49 @@ -615,6 +615,10 @@ optional_policy(`
50 ')
51
52 optional_policy(`
53 + fail2ban_dontaudit_use_fds(postfix_postdrop_t)
54 +')
55 +
56 +optional_policy(`
57 fstools_read_pipes(postfix_postdrop_t)
58 ')
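Review bot: the fd denial being silenced here is for a `/dev/null` descriptor labelled fail2ban_t that postdrop (pid 28047) inherits through sendmail (pid 28042), so system_mail_t most likely holds the same descriptor; the mta.te hunk only adds the stream-socket dontaudit for system_mail_t, so either an equivalent `fail2ban_dontaudit_use_fds(system_mail_t)` belongs there too or the commit message should say why that domain does not hit the same `use` denial. Placement of the new block is fine: a separate `optional_policy(` block for fail2ban ahead of the fstools one matches the alphabetical ordering of blocks used elsewhere in the file. As with the first hunk, `fail2ban_dontaudit_use_fds` must already exist in fail2ban.if since it is not introduced by this change.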