Gentoo Archives: gentoo-hardened

From: Mike Edenfield <kutulu@××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Troubleshooting FIFO pipes with bad security contexts...
Date: Sat, 06 Aug 2011 17:01:53
Message-Id: 16621515.sN1WQlegbk@platypus
I'm trying to chase down an AVC message coming from procmail. I'm having a
problem figuring out how to research, troubleshoot, or fix bad FIFO pipe
contexts.

The AVC I get is:

Aug 6 12:15:52 basement kernel: type=1400 audit(1312647352.712:9623): avc:
denied { write } for pid=9816 comm="procmail" path="pipe:[4235]" dev=pipefs
ino=4235 scontext=system_u:system_r:procmail_t
tcontext=system_u:system_r:postfix_master_t tclass=fifo_file

The problem appears to be that the FIFO objects that postfix's master process
is creating aren't getting the correct security context:

basement ~ # lsof -Z | grep pipe | grep 4235
master 2069 system_u:system_r:postfix_master_t root 94r FIFO 0,7 0t0 4235 pipe
master 2069 system_u:system_r:postfix_master_t root 95w FIFO 0,7 0t0 4235 pipe
qmgr 2074 system_u:system_r:postfix_qmgr_t postfix 94r FIFO 0,7 0t0 4235 pipe
qmgr 2074 system_u:system_r:postfix_qmgr_t postfix 95w FIFO 0,7 0t0 4235 pipe
tlsmgr 2178 system_u:system_r:postfix_master_t postfix 94r FIFO 0,7 0t0 4235 pipe
tlsmgr 2178 system_u:system_r:postfix_master_t postfix 95w FIFO 0,7 0t0 4235 pipe
pickup 9273 system_u:system_r:postfix_pickup_t postfix 94r FIFO 0,7 0t0 4235 pipe
pickup 9273 system_u:system_r:postfix_pickup_t postfix 95w FIFO 0,7 0t0 4235 pipe

Procmail doesn't have access to the postfix_master_t domain, but it does have
access to this:

basement ~ # sesearch --allow -sprocmail_t -cfifo_file
Found 4 semantic av rules:
allow procmail_t postfix_local_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t postfix_pipe_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t user_home_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t procmail_t : fifo_file { ioctl read write getattr lock append open } ;

So, I'm assuming that postfix's FIFOs ought to be one of those two:
postfix_local_t or postfix_pipe_t. Since procmail's being used here as the local
delivery agent I was guessing postfix_local_t. But I can't figure out where that
is supposed to happen. Is that something postfix is required to do manually, or
should there be a transition rule for it? (sesearch didn't show any trans
rules for either of those types.)

--Mike
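The reasoning in the post (read the denied permission, source and target types out of the AVC line, then compare them with the allow rules sesearch reports for the source domain) can be automated. The script below is an added example, not part of the original mail or of any Gentoo or SELinux tool; the AVC line and sesearch output are constructed from the text quoted above, with the mail-client line wrapping undone.

```python
import re

# Constructed sample input, copied from the AVC denial and the sesearch output in the post.
AVC_LINE = ('type=1400 audit(1312647352.712:9623): avc: denied { write } for pid=9816 '
            'comm="procmail" path="pipe:[4235]" dev=pipefs ino=4235 '
            'scontext=system_u:system_r:procmail_t '
            'tcontext=system_u:system_r:postfix_master_t tclass=fifo_file')
SESEARCH_OUTPUT = """Found 4 semantic av rules:
allow procmail_t postfix_local_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t postfix_pipe_t : fifo_file { ioctl read write getattr lock append open } ;
allow procmail_t user_home_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t procmail_t : fifo_file { ioctl read write getattr lock append open } ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<scontext>\S+)'
                    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(r'^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]+)\}',
                      re.M)

def parse_avc(line):
    """Return (source type, target type, object class, set of denied permissions)."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: ' + line)
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def parse_allow_rules(text):
    """Return [(src, tgt, cls, set(perms)), ...] from `sesearch --allow` output."""
    return [(m.group('src'), m.group('tgt'), m.group('cls'), set(m.group('perms').split()))
            for m in ALLOW_RE.finditer(text)]

def explain_denial(avc_line, sesearch_text):
    """Say whether the denied access is covered by any allow rule, and which target
    types the source domain *would* be allowed the same access on."""
    stype, ttype, tclass, perms = parse_avc(avc_line)
    rules = parse_allow_rules(sesearch_text)
    allowed = any(src == stype and tgt == ttype and cls == tclass and perms <= rp
                  for src, tgt, cls, rp in rules)
    candidates = sorted(tgt for src, tgt, cls, rp in rules
                        if src == stype and cls == tclass and perms <= rp)
    return {'source': stype, 'target': ttype, 'class': tclass, 'perms': sorted(perms),
            'allowed': allowed, 'candidate_targets': candidates}

if __name__ == '__main__':
    print(explain_denial(AVC_LINE, SESEARCH_OUTPUT))
```

For the post's denial it reports that no rule grants procmail_t write on a postfix_master_t fifo_file, and lists the four target types (including postfix_local_t and postfix_pipe_t) on which that access is allowed, which is the set the post narrows down from.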

Replies

Subject Author
Re: [gentoo-hardened] Troubleshooting FIFO pipes with bad security contexts... Sven Vermeulen <sven.vermeulen@××××××.be>