Gentoo Archives: gentoo-hardened

From: Robert Sharp <selinux@×××××××××××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Ddclient sending emails on a Postfix server
Date: Tue, 06 Dec 2016 11:29:33
Message-Id: 900e2430-48bf-f025-c055-6c95dcf53bc4@sharp.homelinux.org
I am running ddclient on my router together with a relaying postfix
server. Unfortunately I have configured ddclient to send emails when it
has problems and I have had quite a few problems with AVCs as a result.
I have figured most of them out now but there is one that I am stuck on.

It appears that sendmail (postfix variant) calls postdrop to actually
deliver the emails, and using the
postfix_domtrans_user_mail_handler(ddclient_t)
interface fixes most of the AVCs except two, and this is where I am
stuck. Here is the ausearch output:

type=PROCTITLE msg=audit(1481006916.953:34919): proctitle=2F7573722F7362696E2F706F737464726F70002D72
type=PATH msg=audit(1481006916.953:34919): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1478356 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t nametype=NORMAL
type=PATH msg=audit(1481006916.953:34919): item=0 name="/usr/sbin/postdrop" inode=818771 dev=fd:00 mode=0102711 ouid=0 ogid=208 rdev=00:00 obj=system_u:object_r:postfix_postdrop_exec_t nametype=NORMAL
type=CWD msg=audit(1481006916.953:34919): cwd="/var/spool/postfix"
type=EXECVE msg=audit(1481006916.953:34919): argc=2 a0="/usr/sbin/postdrop" a1="-r"
type=SYSCALL msg=audit(1481006916.953:34919): arch=c000003e syscall=59 success=yes exit=0 a0=5b97747f30 a1=5b97748d70 a2=5b97747e50 a3=20 items=2 ppid=24964 pid=24965 auid=103 uid=103 gid=246 euid=103 suid=103 fsuid=103 egid=208 sgid=208 fsgid=208 tty=(none) ses=7 comm="postdrop" exe="/usr/sbin/postdrop" subj=system_u:system_r:postfix_postdrop_t key=(null)
type=AVC msg=audit(1481006916.953:34919): avc: denied { read write } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
----
time->Tue Dec 6 06:48:36 2016
type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1

The command "postdrop -r" reads a message from stdin and writes a
response to stdout. I am guessing these socket permissions are to do
with piping stdout back to sendmail (running in ddclient_t), but I would
have expected a fifo_file on a pipe rather than a socket? I can always
check this with the postfix forum if needed.

I guess the "wrong" solution would be to require postfix_postdrop_t and
allow it to access ddclient_t etc., but that would violate the rules, so
either the postdrop interface is wrong or perhaps I should be doing this
without a domain transition. That is how I started out and I had a whole
lot more AVCs that are fixed by the transition, so I am tending towards
the postdrop interface being not quite right?

Any views would be very much appreciated.

Best wishes,

Robert Sharp

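Editor's note with an added example (this is not code from the post, from Postfix or from the reference policy). It answers the two questions raised above mechanically. First, the socket-versus-fifo point: Postfix's sendmail(1) starts postdrop through vstream_popen(), whose child-side stdin/stdout on Linux come from a socketpair(2) rather than a pipe(2), so the descriptor postdrop inherits is a unix_stream_socket. Because sockets are labelled with the domain of the process that created them, the target context is ddclient_t (the caller's domain), and the tcontext carries the role system_r rather than object_r, which is the tell-tale of an inherited process-created object. The code reproduces that by handing a child a socketpair end versus a pipe end and asking the child what it sees on fd 0. Second, it parses the two AVC records quoted in the post (copied verbatim, wrapped lines joined) and merges them into the single allow rule audit2allow would derive, which is the rule that has to come from the postfix interface (source postfix_postdrop_t, target = the interface's domain argument) rather than from a local module that names ddclient_t directly. Function and variable names here are my own.

```python
"""Added example: why the denied object is a unix_stream_socket, and what
rule the two AVCs above reduce to. Not from the post, Postfix or refpolicy."""
import os
import re
import socket
import stat
import subprocess
import sys

# The two AVC records copied from the post above (wrapped lines joined).
AVC_RECORDS = """\
type=AVC msg=audit(1481006916.953:34919): avc: denied { read write } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
"""


def parse_avc(line):
    """Pull perms, path, scontext, tcontext and tclass out of one AVC record.
    Returns None for non-AVC lines (PATH, SYSCALL, ...)."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    # Generic key=value split; quoted values (comm, path, dev) keep their quotes here.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": set(m.group(1).split()),
        "path": fields.get("path", "").strip('"'),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def domain_of(context):
    """user:role:type[:level] -> type (works with or without an MLS level)."""
    return context.split(":")[2]


def is_inherited_object(avc):
    """A socket:[...] or pipe:[...] whose label has a process role (not
    object_r) was created by that process and reached the denied domain as
    an inherited descriptor, i.e. across the exec into the new domain."""
    return (avc["path"].startswith(("socket:[", "pipe:["))
            and avc["tcontext"].split(":")[1] != "object_r")


def allow_rules(text):
    """Merge AVC records into the minimal allow rules, as audit2allow does."""
    merged = {}
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (domain_of(avc["scontext"]), domain_of(avc["tcontext"]), avc["tclass"])
        merged.setdefault(key, set()).update(avc["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


# Child-side probe: report the object class of its own fd 0 in SELinux terms.
CHILD_PROBE = (
    "import os, stat;"
    " m = os.fstat(0).st_mode;"
    " print('unix_stream_socket' if stat.S_ISSOCK(m)"
    " else 'fifo_file' if stat.S_ISFIFO(m) else 'other')"
)


def child_stdin_class(use_socketpair):
    """Hand a child its stdin the way Postfix's vstream_popen() does (one end
    of an AF_UNIX stream socketpair) or the way a pipe-based popen does, and
    return the class the child sees on fd 0. That class is the tclass SELinux
    uses when the child's domain touches the inherited descriptor."""
    if use_socketpair:
        parent_end, child_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        parent_fd, child_fd = parent_end.detach(), child_end.detach()
    else:
        child_fd, parent_fd = os.pipe()  # child reads, parent would write
    try:
        proc = subprocess.run([sys.executable, "-c", CHILD_PROBE], stdin=child_fd,
                              capture_output=True, text=True, check=True)
    finally:
        os.close(parent_fd)
        os.close(child_fd)
    return proc.stdout.strip()


if __name__ == "__main__":
    for rule in allow_rules(AVC_RECORDS):
        print(rule)
    for avc in map(parse_avc, AVC_RECORDS.splitlines()):
        print(avc["path"], "inherited from creator domain:", is_inherited_object(avc))
    print("child fd 0 via socketpair:", child_stdin_class(True))
    print("child fd 0 via pipe:      ", child_stdin_class(False))
```

The derived rule, `allow postfix_postdrop_t ddclient_t:unix_stream_socket { getattr read write };`, is exactly the "wrong" local fix the post wants to avoid; in interface form the target is the calling domain parameter, which is what lets the postfix module grant it to any caller of the mail-handler interface without naming ddclient_t. Whether the installed policy already carries a rule of that shape can be checked with setools before patching anything: `sesearch -A -s postfix_postdrop_t -t ddclient_t -c unix_stream_socket`.
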
Replies

Subject Author
Re: [gentoo-hardened] Ddclient sending emails on a Postfix server Sven Vermeulen <swift@g.o>