I'm trying to chase down an AVC message coming from procmail. I'm having a
problem figuring out how to research, troubleshoot, or fix bad FIFO pipe
contexts.

The AVC I get is:

Aug 6 12:15:52 basement kernel: type=1400 audit(1312647352.712:9623): avc: denied { write } for pid=9816 comm="procmail" path="pipe:[4235]" dev=pipefs ino=4235 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:postfix_master_t tclass=fifo_file

The problem appears to be that the FIFO objects that postfix's master process
is creating aren't getting the correct security context:

basement ~ # lsof -Z | grep pipe | grep 4235
master  2069 system_u:system_r:postfix_master_t root    94r FIFO 0,7 0t0 4235 pipe
master  2069 system_u:system_r:postfix_master_t root    95w FIFO 0,7 0t0 4235 pipe
qmgr    2074 system_u:system_r:postfix_qmgr_t   postfix 94r FIFO 0,7 0t0 4235 pipe
qmgr    2074 system_u:system_r:postfix_qmgr_t   postfix 95w FIFO 0,7 0t0 4235 pipe
tlsmgr  2178 system_u:system_r:postfix_master_t postfix 94r FIFO 0,7 0t0 4235 pipe
tlsmgr  2178 system_u:system_r:postfix_master_t postfix 95w FIFO 0,7 0t0 4235 pipe
pickup  9273 system_u:system_r:postfix_pickup_t postfix 94r FIFO 0,7 0t0 4235 pipe
pickup  9273 system_u:system_r:postfix_pickup_t postfix 95w FIFO 0,7 0t0 4235 pipe

Procmail doesn't have access to the postfix_master_t domain, but it does have
access to this:

basement ~ # sesearch --allow -sprocmail_t -cfifo_file
Found 4 semantic av rules:
allow procmail_t postfix_local_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t postfix_pipe_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t user_home_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t procmail_t : fifo_file { ioctl read write getattr lock append open } ;

So, I'm assuming that postfix's FIFOs ought to be one of those two:
postfix_local_t or postfix_pipe_t. Since procmail's being used here as the local
delivery agent, I was guessing postfix_local_t. But I can't figure out where that
is supposed to happen. Is that something postfix is required to do manually, or
should there be a transition rule for it? (sesearch didn't show any trans
rules for either of those types.)

--Mike
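As an added illustration (not part of Mike's post), the following Python helper shows the check his question turns on: parse the AVC denial, parse the sesearch allow rules, and list which target types the denied permission would actually have been allowed on. The AVC line and sesearch output are copied from the post above as inline sample data, so it runs offline without setools.

```python
import re

# Sample input copied from the post above (constructed inline so the script
# runs without access to the policy or audit log).
AVC = ('type=1400 audit(1312647352.712:9623): avc: denied { write } for pid=9816 '
       'comm="procmail" path="pipe:[4235]" dev=pipefs ino=4235 '
       'scontext=system_u:system_r:procmail_t '
       'tcontext=system_u:system_r:postfix_master_t tclass=fifo_file')

SESEARCH = """Found 4 semantic av rules:
allow procmail_t postfix_local_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t postfix_pipe_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t user_home_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t procmail_t : fifo_file { ioctl read write getattr lock append open } ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]+)\}')

def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial line')
    return {'perms': set(m['perms'].split()), 'stype': context_type(m['scon']),
            'ttype': context_type(m['tcon']), 'tclass': m['tclass']}

def parse_rules(text):
    """Allow rules as (source type, target type, class, permission set)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m['src'], m['tgt'], m['cls'], set(m['perms'].split())))
    return rules

def allowed_targets(avc, rules):
    """Target types on which the policy grants every permission the AVC denied."""
    return sorted({tgt for src, tgt, cls, perms in rules
                   if src == avc['stype'] and cls == avc['tclass'] and avc['perms'] <= perms})

def explain(avc_line, sesearch_text):
    """Return (parsed AVC, allowed target types, whether the denied type is among them)."""
    avc = parse_avc(avc_line)
    targets = allowed_targets(avc, parse_rules(sesearch_text))
    return avc, targets, avc['ttype'] in targets
```

For the post's data, `explain(AVC, SESEARCH)` reports that postfix_master_t is not among the allowed targets, which confirms the pipe's label rather than a missing permission is the mismatch to chase.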