Gentoo Archives: gentoo-hardened

From: Sven Vermeulen <swift@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Ddclient sending emails on a Postfix server
Date: Tue, 13 Dec 2016 01:11:25
Message-Id: 20161212200324.GA4424@gentoo.org
In Reply to: [gentoo-hardened] Ddclient sending emails on a Postfix server by Robert Sharp
On Tue, Dec 06, 2016 at 11:29:21AM +0000, Robert Sharp wrote:
> I am running ddclient on my router together with a relaying postfix
> server. Unfortunately I have configured ddclient to send emails when it
> has problems and I have had quite a few problems with AVCs as a result.
> I have figured most of them out now but there is one that I am stuck
> on.
>
> It appears that sendmail (postfix variant) calls postdrop to actually
> deliver the emails, and using the
> postfix_domtrans_user_mail_handler(ddclient_t)
> interface fixes most of the AVCs except two, and this is where I am
> stuck. Here is the ausearch output:
>
[...]
> type=AVC msg=audit(1481006916.953:34919): avc: denied { read write }
> for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
> ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
> tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket
> permissive=1
> ----
> time->Tue Dec 6 06:48:36 2016
> type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr }
> for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
> ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
> tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket
> permissive=1
>
> The command "postdrop -r" reads a message from stdin and writes a
> response to stdout. I am guessing these socket permissions are to do
> with piping stdout back to sendmail (running in ddclient_t), but I
> would have expected a fifo_file on a pipe rather than a socket? I can
> always check this with the postfix forum if needed.

It's been a while since I did some Postfix work, which might be necessary to
debug this properly. The socket is owned by ddclient, is it possible that
"postdrop -r" input and/or output is redirected to a ddclient socket? From a
quick Google, ddclient is shown as a Perl client, so some code scanning might
help to find out what the socket is about.

If so, then you might need to grant access (but might want to grant it only
to sock_file).

Wkr,
Sven Vermeulen
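The following is an added example and not part of the thread or of any Gentoo tooling: a small offline re-implementation of the grouping that audit2allow performs, run over the two AVC denials quoted above (joined onto one line each, as ausearch prints them). It extracts source type, target type, object class and the denied permissions, merges them into a single candidate allow rule, and flags the `path="socket:[<ino>]"` form, which is the kernel's name for an anonymous socket with no filesystem entry, i.e. a descriptor that postdrop inherited across the domain transition rather than a sock_file it opened by path. The type names (`postfix_postdrop_t`, `ddclient_t`) and the inode come from the quoted AVCs; the helper names are this example's own.

```python
"""Group SELinux AVC denials and build the minimal candidate allow rule.

Added example, not code from the thread: an audit2allow-style grouping
over the two denials quoted in the message. Sample input is constructed
from the quoted text; every identifier in it appears in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: the two quoted denials, one per line as ausearch prints them.
SAMPLE_AVCS = """\
type=AVC msg=audit(1481006916.953:34919): avc: denied { read write } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return context.split(":")[2]


def suggest_rules(text):
    """Merge denials per (source type, target type, class) into allow rules.

    Returns {rule_string: [notes about where the denial came from]}.
    """
    perms_by_key = defaultdict(set)
    notes_by_key = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms_by_key[key].update(rec["perms"])
        path = rec.get("path", "")
        # path="socket:[<ino>]" names an anonymous socket with no path on disk:
        # the descriptor was inherited across the domain transition (here the
        # stdin/stdout of postdrop), so a sock_file rule keyed on a filesystem
        # path would not cover this object.
        if path.startswith("socket:["):
            notes_by_key[key].add(
                "inherited anonymous socket %s from comm=%s" % (path, rec.get("comm"))
            )
    rules = {}
    for (src, tgt, cls), perms in perms_by_key.items():
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        rules[rule] = sorted(notes_by_key[(src, tgt, cls)])
    return rules


if __name__ == "__main__":
    for rule, why in suggest_rules(SAMPLE_AVCS).items():
        print(rule)
        for note in why:
            print("  #", note)
```

Running it on the sample yields one rule, `allow postfix_postdrop_t ddclient_t:unix_stream_socket { getattr read write };`, annotated with the inherited-socket note. That annotation is the point of interest when deciding how narrowly to grant: the object is a live socket created in `ddclient_t`, so the decision is whether `postfix_postdrop_t` should be allowed to use sockets it inherits from that caller, which is a different question from access to a named sock_file on disk.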
