I am running ddclient on my router together with a relaying postfix
server. Unfortunately I have configured ddclient to send emails when it
has problems and I have had quite a few problems with AVCs as a result.
I have figured most of them out now but there is one that I am stuck on.

It appears that sendmail (postfix variant) calls postdrop to actually
deliver the emails, and using the
postfix_domtrans_user_mail_handler(ddclient_t)
interface fixes most of the AVCs except two, and this is where I am
stuck. Here is the ausearch output:

type=PROCTITLE msg=audit(1481006916.953:34919):
proctitle=2F7573722F7362696E2F706F737464726F70002D72
type=PATH msg=audit(1481006916.953:34919): item=1
name="/lib64/ld-linux-x86-64.so.2" inode=1478356 dev=fd:00 mode=0100755
ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t nametype=NORMAL
type=PATH msg=audit(1481006916.953:34919): item=0
name="/usr/sbin/postdrop" inode=818771 dev=fd:00 mode=0102711 ouid=0
ogid=208 rdev=00:00 obj=system_u:object_r:postfix_postdrop_exec_t
nametype=NORMAL
type=CWD msg=audit(1481006916.953:34919): cwd="/var/spool/postfix"
type=EXECVE msg=audit(1481006916.953:34919): argc=2
a0="/usr/sbin/postdrop" a1="-r"
type=SYSCALL msg=audit(1481006916.953:34919): arch=c000003e syscall=59
success=yes exit=0 a0=5b97747f30 a1=5b97748d70 a2=5b97747e50 a3=20
items=2 ppid=24964 pid=24965 auid=103 uid=103 gid=246 euid=103 suid=103
fsuid=103 egid=208 sgid=208 fsgid=208 tty=(none) ses=7 comm="postdrop"
exe="/usr/sbin/postdrop" subj=system_u:system_r:postfix_postdrop_t
key=(null)
type=AVC msg=audit(1481006916.953:34919): avc: denied { read write }
for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
----
time->Tue Dec 6 06:48:36 2016
type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr } for
pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1

The command "postdrop -r" reads a message from stdin and writes a
response to stdout. I am guessing these socket permissions are to do
with piping stdout back to sendmail (running in ddclient_t), but I would
have expected a fifo_file on a pipe rather than a socket? I can always
check this with the postfix forum if needed.

I guess the "wrong" solution would be to require postfix_postdrop_t and
allow it to access ddclient_t etc, but that would violate the rules, so
either the postdrop interface is wrong or perhaps I should be doing this
without a domain transition. That is how I started out and I had a whole
lot more AVCs that are fixed by the transition, so I am tending towards
the postdrop interface being not quite right?

Any views would be very much appreciated.

Best wishes,

Robert Sharp
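As an added example (not part of the original message), a small standard-library Python parser that reads AVC records like the two in the post and merges them into the equivalent TE allow rule, the way audit2allow would, while also keeping the permissive flag, which tells you the denial was only logged, not enforced. The sample input is the post's two AVC records re-joined onto single lines; the tcontext on the socket is the ddclient_t domain itself, which is how a socket created by the calling process and inherited across the transition is labelled.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records from the ausearch output
# in the post, re-joined onto one line each (the mail client wrapped them).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1481006916.953:34919): avc: denied { read write } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr } for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
"""

# Fields of interest in an AVC record; permissive= is absent on older kernels.
AVC_RE = re.compile(
    r"type=AVC .*?avc: denied \{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type component of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC record found in ausearch/audit.log text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": set(m.group("perms").split()),
                "source": type_of(m.group("scontext")),
                "target": type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
                # permissive=1: logged but not enforced, so the mail still went out
                "permissive": m.group("permissive") == "1",
            }


def summarise(text):
    """Merge AVCs by (source, target, class) into TE allow rules for review."""
    merged = defaultdict(set)
    for avc in parse_avcs(text):
        merged[(avc["source"], avc["target"], avc["tclass"])] |= avc["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]
```

The merged rule is the raw audit2allow-style output for review; in refpolicy terms the fix belongs in the ddclient module via an interface rather than a bare allow in the postfix policy, which is the point the post is asking about.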