Postfix with domain keys

Postfix with domain keys

[Martin Spinassi]

Hello list!


I'm a little stuck with selinux and postfix, hope you can give me
feedback with it.

We're trying to add domain keys to a postfix server, but it can't open
ports used by dkim to sign the mail. Here is some output of audit.log:


type=AVC msg=audit(1231242373.605:52): avc:  denied  { name_bind } for
pid=5386 comm="master" src=10026
scontext=root:system_r:postfix_master_t:s0
tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1231242373.605:52): arch=c000003e syscall=49
success=no exit=-13 a0=11 a1=2b06cdbc46d0 a2=10 a3=7fffe2d2f64c items=0
ppid=1 pid=5386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=3 comm="master" exe="/usr/libexec/postfix/master"
subj=root:system_r:postfix_master_t:s0 key=(null)



I've allready added the port to the postfix_master_t domain with:
# semanage port -a -t postfix_master_t -p tcp 10026


Here is the maillog output:

postfix/postfix-script: starting the Postfix mail system
postfix/master[5386]: fatal: bind 127.0.0.1 port 10026: Permission
denied


It's a RHEL 5.2 and kernel 2.6.18-92.1.22.el5.



Any kind of help is appreciated :)


Cheers


Martín


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Stephen Smalley]

On Tue, 2009-01-06 at 10:06 -0200, Martin Spinassi wrote:
> Hello list!
> 
> 
> I'm a little stuck with selinux and postfix, hope you can give me
> feedback with it.
> 
> We're trying to add domain keys to a postfix server, but it can't open
> ports used by dkim to sign the mail. Here is some output of audit.log:
> 
> 
> type=AVC msg=audit(1231242373.605:52): avc:  denied  { name_bind } for
> pid=5386 comm="master" src=10026
> scontext=root:system_r:postfix_master_t:s0
> tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket
> 
> type=SYSCALL msg=audit(1231242373.605:52): arch=c000003e syscall=49
> success=no exit=-13 a0=11 a1=2b06cdbc46d0 a2=10 a3=7fffe2d2f64c items=0
> ppid=1 pid=5386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=3 comm="master" exe="/usr/libexec/postfix/master"
> subj=root:system_r:postfix_master_t:s0 key=(null)
> 
> 
> 
> I've allready added the port to the postfix_master_t domain with:
> # semanage port -a -t postfix_master_t -p tcp 10026

postfix_master_t is a domain type, i.e. a type that should only be
associated with postfix master processes.  You don't want to apply it to
the port.  So I'd delete that entry (likewise using semanage).

What denial did you get originally before mapping the port to
postfix_master_t?  Was it just port_t originally?  Looking at a copy of
the reference policy, it looks like postfix_master_t is allowed
name_bind permission for port_t, reserved_port_t, and smtp_port_t.

If you really wanted to lock down this port specifically, you could of
course introduce your own type for it (dkim_port_t?) and allow
postfix_master_t to bind it via a local policy module, and then use
semanage to map the port to that new type.

> Here is the maillog output:
> 
> postfix/postfix-script: starting the Postfix mail system
> postfix/master[5386]: fatal: bind 127.0.0.1 port 10026: Permission
> denied
> 
> 
> It's a RHEL 5.2 and kernel 2.6.18-92.1.22.el5.
> 
> 
> 
> Any kind of help is appreciated :)

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Stephen Smalley]

On Tue, 2009-01-06 at 08:23 -0500, Stephen Smalley wrote:
> On Tue, 2009-01-06 at 10:06 -0200, Martin Spinassi wrote:
> > Hello list!
> > 
> > 
> > I'm a little stuck with selinux and postfix, hope you can give me
> > feedback with it.
> > 
> > We're trying to add domain keys to a postfix server, but it can't open
> > ports used by dkim to sign the mail. Here is some output of audit.log:
> > 
> > 
> > type=AVC msg=audit(1231242373.605:52): avc:  denied  { name_bind } for
> > pid=5386 comm="master" src=10026
> > scontext=root:system_r:postfix_master_t:s0
> > tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket
> > 
> > type=SYSCALL msg=audit(1231242373.605:52): arch=c000003e syscall=49
> > success=no exit=-13 a0=11 a1=2b06cdbc46d0 a2=10 a3=7fffe2d2f64c items=0
> > ppid=1 pid=5386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=3 comm="master" exe="/usr/libexec/postfix/master"
> > subj=root:system_r:postfix_master_t:s0 key=(null)
> > 
> > 
> > 
> > I've allready added the port to the postfix_master_t domain with:
> > # semanage port -a -t postfix_master_t -p tcp 10026
> 
> postfix_master_t is a domain type, i.e. a type that should only be
> associated with postfix master processes.  You don't want to apply it to
> the port.  So I'd delete that entry (likewise using semanage).
> 
> What denial did you get originally before mapping the port to
> postfix_master_t?  Was it just port_t originally?  Looking at a copy of
> the reference policy, it looks like postfix_master_t is allowed
> name_bind permission for port_t, reserved_port_t, and smtp_port_t.

Oh, actually, the allow rules granting name_bind to port_t and
reserved_port_t are conditional on allow_ypbind and disabled by default.

> 
> If you really wanted to lock down this port specifically, you could of
> course introduce your own type for it (dkim_port_t?) and allow
> postfix_master_t to bind it via a local policy module, and then use
> semanage to map the port to that new type.
> 
> > Here is the maillog output:
> > 
> > postfix/postfix-script: starting the Postfix mail system
> > postfix/master[5386]: fatal: bind 127.0.0.1 port 10026: Permission
> > denied
> > 
> > 
> > It's a RHEL 5.2 and kernel 2.6.18-92.1.22.el5.
> > 
> > 
> > 
> > Any kind of help is appreciated :)
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Martin Spinassi]

On Tue, 2009-01-06 at 08:22 -0500, Stephen Smalley wrote:
> On Tue, 2009-01-06 at 10:06 -0200, Martin Spinassi wrote:
> > Hello list!
> > 
> > 
> > I'm a little stuck with selinux and postfix, hope you can give me
> > feedback with it.
> > 
> > We're trying to add domain keys to a postfix server, but it can't open
> > ports used by dkim to sign the mail. Here is some output of audit.log:
> > 
> > 
> > type=AVC msg=audit(1231242373.605:52): avc:  denied  { name_bind } for
> > pid=5386 comm="master" src=10026
> > scontext=root:system_r:postfix_master_t:s0
> > tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket
> > 
> > type=SYSCALL msg=audit(1231242373.605:52): arch=c000003e syscall=49
> > success=no exit=-13 a0=11 a1=2b06cdbc46d0 a2=10 a3=7fffe2d2f64c items=0
> > ppid=1 pid=5386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=3 comm="master" exe="/usr/libexec/postfix/master"
> > subj=root:system_r:postfix_master_t:s0 key=(null)
> > 
> > 
> > 
> > I've allready added the port to the postfix_master_t domain with:
> > # semanage port -a -t postfix_master_t -p tcp 10026
> 
> postfix_master_t is a domain type, i.e. a type that should only be
> associated with postfix master processes.  You don't want to apply it to
> the port.  So I'd delete that entry (likewise using semanage).
> 
> What denial did you get originally before mapping the port to
> postfix_master_t?  Was it just port_t originally?  Looking at a copy of
> the reference policy, it looks like postfix_master_t is allowed
> name_bind permission for port_t, reserved_port_t, and smtp_port_t.
> 
> If you really wanted to lock down this port specifically, you could of
> course introduce your own type for it (dkim_port_t?) and allow
> postfix_master_t to bind it via a local policy module, and then use
> semanage to map the port to that new type.


Thanks for the response Stephen.

I don't know if it's the best solution, but it is working now.

Here is what I did (just in case someone else needs it):


As rhel 5 doesn't have selinux-tageted-source package any more, I'd to
see how to resolve it with semanage.

First I removed previous entry for that port (my mistake)

# semanage port -d -t postfix_master_t -p tcp 10026

and then added it to smtp_port_t

# semanage port -a -t smtp_port_t -p tcp 10026


Doing a it's own type (dkim_port_t) would be the best, but need a bit of
practice to do it.


Thanks again for the response, I'll try to do it's own type once I
finish the O'Reilly selinux book ;-)


Cheers

Martín


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Martin Spinassi]

On Tue, 2009-01-06 at 08:30 -0500, Stephen Smalley wrote:
> On Tue, 2009-01-06 at 08:23 -0500, Stephen Smalley wrote:
> > On Tue, 2009-01-06 at 10:06 -0200, Martin Spinassi wrote:
> > > Hello list!
> > > 
> > > 
> > > I'm a little stuck with selinux and postfix, hope you can give me
> > > feedback with it.
> > > 
> > > We're trying to add domain keys to a postfix server, but it can't open
> > > ports used by dkim to sign the mail. Here is some output of audit.log:
> > > 
> > > 
> > > type=AVC msg=audit(1231242373.605:52): avc:  denied  { name_bind } for
> > > pid=5386 comm="master" src=10026
> > > scontext=root:system_r:postfix_master_t:s0
> > > tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket
> > > 
> > > type=SYSCALL msg=audit(1231242373.605:52): arch=c000003e syscall=49
> > > success=no exit=-13 a0=11 a1=2b06cdbc46d0 a2=10 a3=7fffe2d2f64c items=0
> > > ppid=1 pid=5386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0 tty=(none) ses=3 comm="master" exe="/usr/libexec/postfix/master"
> > > subj=root:system_r:postfix_master_t:s0 key=(null)
> > > 
> > > 
> > > 
> > > I've allready added the port to the postfix_master_t domain with:
> > > # semanage port -a -t postfix_master_t -p tcp 10026
> > 
> > postfix_master_t is a domain type, i.e. a type that should only be
> > associated with postfix master processes.  You don't want to apply it to
> > the port.  So I'd delete that entry (likewise using semanage).
> > 
> > What denial did you get originally before mapping the port to
> > postfix_master_t?  Was it just port_t originally?  Looking at a copy of
> > the reference policy, it looks like postfix_master_t is allowed
> > name_bind permission for port_t, reserved_port_t, and smtp_port_t.
> 
> Oh, actually, the allow rules granting name_bind to port_t and
> reserved_port_t are conditional on allow_ypbind and disabled by default.
> 

Audit2allow "recommended" to allow transition from postfix_master_t to
port_t and then allow create socket port_t, but I didn't feel it much
secure...what do you think?


Thanks again for your time Stephen.

Cheers.

Martín


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Stephen Smalley]

On Tue, 2009-01-06 at 11:55 -0200, Martin Spinassi wrote:
> On Tue, 2009-01-06 at 08:22 -0500, Stephen Smalley wrote:
> > On Tue, 2009-01-06 at 10:06 -0200, Martin Spinassi wrote:
> > > Hello list!
> > > 
> > > 
> > > I'm a little stuck with selinux and postfix, hope you can give me
> > > feedback with it.
> > > 
> > > We're trying to add domain keys to a postfix server, but it can't open
> > > ports used by dkim to sign the mail. Here is some output of audit.log:
> > > 
> > > 
> > > type=AVC msg=audit(1231242373.605:52): avc:  denied  { name_bind } for
> > > pid=5386 comm="master" src=10026
> > > scontext=root:system_r:postfix_master_t:s0
> > > tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket
> > > 
> > > type=SYSCALL msg=audit(1231242373.605:52): arch=c000003e syscall=49
> > > success=no exit=-13 a0=11 a1=2b06cdbc46d0 a2=10 a3=7fffe2d2f64c items=0
> > > ppid=1 pid=5386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0 tty=(none) ses=3 comm="master" exe="/usr/libexec/postfix/master"
> > > subj=root:system_r:postfix_master_t:s0 key=(null)
> > > 
> > > 
> > > 
> > > I've allready added the port to the postfix_master_t domain with:
> > > # semanage port -a -t postfix_master_t -p tcp 10026
> > 
> > postfix_master_t is a domain type, i.e. a type that should only be
> > associated with postfix master processes.  You don't want to apply it to
> > the port.  So I'd delete that entry (likewise using semanage).
> > 
> > What denial did you get originally before mapping the port to
> > postfix_master_t?  Was it just port_t originally?  Looking at a copy of
> > the reference policy, it looks like postfix_master_t is allowed
> > name_bind permission for port_t, reserved_port_t, and smtp_port_t.
> > 
> > If you really wanted to lock down this port specifically, you could of
> > course introduce your own type for it (dkim_port_t?) and allow
> > postfix_master_t to bind it via a local policy module, and then use
> > semanage to map the port to that new type.
> 
> 
> Thanks for the response Stephen.
> 
> I don't know if it's the best solution, but it is working now.
> 
> Here is what I did (just in case someone else needs it):
> 
> 
> As rhel 5 doesn't have selinux-tageted-source package any more, I'd to
> see how to resolve it with semanage.

The old policy -sources package became unnecessary with the introduction
of support for loadable policy modules and semanage, which first
happened in the Fedora Core 5 release.  Instead, you can just create
your own local policy module, build it and install it without needing
the base policy sources at all.

See for example:
http://docs.fedoraproject.org/selinux-faq-fc5/#faq-entry-local.te

(Note to Dan:  I don't see anything comparable in the current Fedora
SELinux FAQ or the Fedora 10 SELinux Guide on how to write a local
policy module, only about using audit2allow.)

> First I removed previous entry for that port (my mistake)
> 
> # semanage port -d -t postfix_master_t -p tcp 10026
> 
> and then added it to smtp_port_t
> 
> # semanage port -a -t smtp_port_t -p tcp 10026
> 
> 
> Doing a it's own type (dkim_port_t) would be the best, but need a bit of
> practice to do it.
> 
> 
> Thanks again for the response, I'll try to do it's own type once I
> finish the O'Reilly selinux book ;-)

I'd recommend looking at something more recent, unless there is a new
edition of that book.  The original edition only described the state of
SELinux circa Fedora Core 2/3 and thus doesn't deal with loadable policy
modules, semanage, or reference policy at all.  The SELinux by Example
book is more recent.  Then there are various online resources, see:
http://selinuxproject.org/page/User_Resources


-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Stephen Smalley]

On Tue, 2009-01-06 at 11:58 -0200, Martin Spinassi wrote:
> On Tue, 2009-01-06 at 08:30 -0500, Stephen Smalley wrote:
> > On Tue, 2009-01-06 at 08:23 -0500, Stephen Smalley wrote:
> > > On Tue, 2009-01-06 at 10:06 -0200, Martin Spinassi wrote:
> > > > Hello list!
> > > > 
> > > > 
> > > > I'm a little stuck with selinux and postfix, hope you can give me
> > > > feedback with it.
> > > > 
> > > > We're trying to add domain keys to a postfix server, but it can't open
> > > > ports used by dkim to sign the mail. Here is some output of audit.log:
> > > > 
> > > > 
> > > > type=AVC msg=audit(1231242373.605:52): avc:  denied  { name_bind } for
> > > > pid=5386 comm="master" src=10026
> > > > scontext=root:system_r:postfix_master_t:s0
> > > > tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket
> > > > 
> > > > type=SYSCALL msg=audit(1231242373.605:52): arch=c000003e syscall=49
> > > > success=no exit=-13 a0=11 a1=2b06cdbc46d0 a2=10 a3=7fffe2d2f64c items=0
> > > > ppid=1 pid=5386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > > fsgid=0 tty=(none) ses=3 comm="master" exe="/usr/libexec/postfix/master"
> > > > subj=root:system_r:postfix_master_t:s0 key=(null)
> > > > 
> > > > 
> > > > 
> > > > I've allready added the port to the postfix_master_t domain with:
> > > > # semanage port -a -t postfix_master_t -p tcp 10026
> > > 
> > > postfix_master_t is a domain type, i.e. a type that should only be
> > > associated with postfix master processes.  You don't want to apply it to
> > > the port.  So I'd delete that entry (likewise using semanage).
> > > 
> > > What denial did you get originally before mapping the port to
> > > postfix_master_t?  Was it just port_t originally?  Looking at a copy of
> > > the reference policy, it looks like postfix_master_t is allowed
> > > name_bind permission for port_t, reserved_port_t, and smtp_port_t.
> > 
> > Oh, actually, the allow rules granting name_bind to port_t and
> > reserved_port_t are conditional on allow_ypbind and disabled by default.
> > 
> 
> Audit2allow "recommended" to allow transition from postfix_master_t to
> port_t and then allow create socket port_t, but I didn't feel it much
> secure...what do you think?

I'm not sure I quite follow the above, as a transition usually means
that we are changing from one context to another, and there is no
transition in the above situation, just an attempt to bind to a given
port.

The actual verbatim output of audit2allow would likely be more useful.
Without any semanage entries, I would have expected it to be something
like:
	module mypostfix 1.0;
	require {
		type postfix_master_t;
		type port_t;
		class tcp_socket name_bind;
	}
	allow postfix_master_t port_t:tcp_socket name_bind;

See for example:
http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Stephen Smalley]

On Tue, 2009-01-06 at 12:58 -0200, Martin Spinassi wrote:
> On Tue, 2009-01-06 at 09:13 -0500, Stephen Smalley wrote:
> [snip]
> > > 
> > > Audit2allow "recommended" to allow transition from postfix_master_t to
> > > port_t and then allow create socket port_t, but I didn't feel it much
> > > secure...what do you think?
> > 
> > I'm not sure I quite follow the above, as a transition usually means
> > that we are changing from one context to another, and there is no
> > transition in the above situation, just an attempt to bind to a given
> > port.
> > 
> > The actual verbatim output of audit2allow would likely be more useful.
> > Without any semanage entries, I would have expected it to be something
> > like:
> > 	module mypostfix 1.0;
> > 	require {
> > 		type postfix_master_t;
> > 		type port_t;
> > 		class tcp_socket name_bind;
> > 	}
> > 	allow postfix_master_t port_t:tcp_socket name_bind;
> > 
> > See for example:
> > http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
> > http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
> > 
> 
> Correct me if I'm wrong, but allowing this will accept the domain use
> any tcp socket, and call me paranoid, but it could allow postfix
> something like a reverse telnet or something. Is it right? (I've already
> warned you that I'm a complete rookie, so it could be a ridiculous
> response).

It allows the domain to bind to any port that is not otherwise mapped to
a specific type by the policy and thus defaults to port_t.  Well-defined
ports like telnet (23) are mapped to specific types like telnetd_port_t
by policy, and the reserved port range is covered by default mappings to
reserved_port_t or hi_reserved_port_t if there is no specific match.

As I said, the above policy module is what I would expect it to generate
if you were to run it on avc denials generated without any specific
semanage port assignment for the 10026 port and thus defaulting to
port_t.  If you instead define your own port type and map the 10026 port
to that type, then the allow rule could be specific to your new port
type.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Martin Spinassi]

On Tue, 2009-01-06 at 09:13 -0500, Stephen Smalley wrote:
[snip]
> > 
> > Audit2allow "recommended" to allow transition from postfix_master_t to
> > port_t and then allow create socket port_t, but I didn't feel it much
> > secure...what do you think?
> 
> I'm not sure I quite follow the above, as a transition usually means
> that we are changing from one context to another, and there is no
> transition in the above situation, just an attempt to bind to a given
> port.
> 
> The actual verbatim output of audit2allow would likely be more useful.
> Without any semanage entries, I would have expected it to be something
> like:
> 	module mypostfix 1.0;
> 	require {
> 		type postfix_master_t;
> 		type port_t;
> 		class tcp_socket name_bind;
> 	}
> 	allow postfix_master_t port_t:tcp_socket name_bind;
> 
> See for example:
> http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
> http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
> 

Correct me if I'm wrong, but allowing this will accept the domain use
any tcp socket, and call me paranoid, but it could allow postfix
something like a reverse telnet or something. Is it right? (I've already
warned you that I'm a complete rookie, so it could be a ridiculous
response).


Thanks Stephen.


Martín


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Martin Spinassi]

On Tue, 2009-01-06 at 09:53 -0500, Stephen Smalley wrote:
[snip]
> > > 	module mypostfix 1.0;
> > > 	require {
> > > 		type postfix_master_t;
> > > 		type port_t;
> > > 		class tcp_socket name_bind;
> > > 	}
> > > 	allow postfix_master_t port_t:tcp_socket name_bind;
> > > 
> > > See for example:
> > > http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
> > > http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html
> > > 
> > 
> > Correct me if I'm wrong, but allowing this will accept the domain use
> > any tcp socket, and call me paranoid, but it could allow postfix
> > something like a reverse telnet or something. Is it right? (I've already
> > warned you that I'm a complete rookie, so it could be a ridiculous
> > response).
> 
> It allows the domain to bind to any port that is not otherwise mapped to
> a specific type by the policy and thus defaults to port_t.  Well-defined
> ports like telnet (23) are mapped to specific types like telnetd_port_t
> by policy, and the reserved port range is covered by default mappings to
> reserved_port_t or hi_reserved_port_t if there is no specific match.
> 
> As I said, the above policy module is what I would expect it to generate
> if you were to run it on avc denials generated without any specific
> semanage port assignment for the 10026 port and thus defaulting to
> port_t.  If you instead define your own port type and map the 10026 port
> to that type, then the allow rule could be specific to your new port
> type.

Thank you very much for clear it!

I'll be checking those links and then try that module.


I really really appreciate your help.


Cheers


Martín


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Russell Coker]

On Tuesday 06 January 2009 23:06, Martin Spinassi <martins.listz@gmail.com> 
wrote:
> We're trying to add domain keys to a postfix server, but it can't open
> ports used by dkim to sign the mail. Here is some output of audit.log:

What do you mean?  How are you using DKIM signatures?

I am using DKIM on my Postfix server, for the Debian SE Linux policy I have a 
domain dkim_t used for the dkim-filter program (the Milter that is used for 
signing and checking signatures - known outside Debian as dkim-milter).

Ancient versions of Postfix used to require a configuration where the mail was 
forwarded to a different port where a daemon then forwarded it back - it was 
really ugly in every possible way and didn't scale.  Among other things it 
caused a proliferation of Received lines which sometimes triggered mail loop 
detection and exposed details of the configuration to the world when sending 
mail.

http://www.postfix.org/MILTER_README.html

Using a Milter is the best way to do it on a recent version of Postfix.  It 
requires Postfix version 2.3 or newer (which means the vast majority of 
Postfix servers are new enough).

> I've allready added the port to the postfix_master_t domain with:
> # semanage port -a -t postfix_master_t -p tcp 10026

Generally the best thing to do in such situations is to examine the context 
used for a similar port, the command "semanage port -l|grep 25" shows that 
smtp_port_t is used.  While I don't recommend doing what you are doing, using 
the type smtp_port_t is probably going to give a better result than any other 
pre-existing type.

> It's a RHEL 5.2 and kernel 2.6.18-92.1.22.el5.

I have some CentOS 5.2 servers running Postfix with a milter for DKIM (as part 
of the work required to provide the real service).  The milter in question is 
a proprietary system to prevent Phishing email (you can contact me off-list 
if you want to participate in the beta program).

But I'm sure that dkim-milter would also work well on CentOS 5.2 and RHEL 5.2 
with Postfix.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Postfix with domain keys

[Martin Spinassi]

On Wed, 2009-01-07 at 09:24 +1100, Russell Coker wrote:
> On Tuesday 06 January 2009 23:06, Martin Spinassi <martins.listz@gmail.com> 
> wrote:
> > We're trying to add domain keys to a postfix server, but it can't open
> > ports used by dkim to sign the mail. Here is some output of audit.log:
> 
> What do you mean?  How are you using DKIM signatures?
> 
> I am using DKIM on my Postfix server, for the Debian SE Linux policy I have a 
> domain dkim_t used for the dkim-filter program (the Milter that is used for 
> signing and checking signatures - known outside Debian as dkim-milter).
> 
> Ancient versions of Postfix used to require a configuration where the mail was 
> forwarded to a different port where a daemon then forwarded it back - it was 
> really ugly in every possible way and didn't scale.  Among other things it 
> caused a proliferation of Received lines which sometimes triggered mail loop 
> detection and exposed details of the configuration to the world when sending 
> mail.
> 
> http://www.postfix.org/MILTER_README.html
> 
> Using a Milter is the best way to do it on a recent version of Postfix.  It 
> requires Postfix version 2.3 or newer (which means the vast majority of 
> Postfix servers are new enough).
> 
> > I've allready added the port to the postfix_master_t domain with:
> > # semanage port -a -t postfix_master_t -p tcp 10026
> 
> Generally the best thing to do in such situations is to examine the context 
> used for a similar port, the command "semanage port -l|grep 25" shows that 
> smtp_port_t is used.  While I don't recommend doing what you are doing, using 
> the type smtp_port_t is probably going to give a better result than any other 
> pre-existing type.
> 
> > It's a RHEL 5.2 and kernel 2.6.18-92.1.22.el5.
> 
> I have some CentOS 5.2 servers running Postfix with a milter for DKIM (as part 
> of the work required to provide the real service).  The milter in question is 
> a proprietary system to prevent Phishing email (you can contact me off-list 
> if you want to participate in the beta program).
> 
> But I'm sure that dkim-milter would also work well on CentOS 5.2 and RHEL 5.2 
> with Postfix.

Thanks for the advice Rusell.

I've finally done it with dkproxy ( http://dkimproxy.sourceforge.net/ ).
Yes, the mail require forward to localhost, sign and then back to queue.
I'll read about milter, may be it worth the effort to change it ;)

About selinux, I solved it (not very gracefully):

# semanage port -d -t postfix_master_t -p tcp 10026

and then added it to smtp_port_t

# semanage port -a -t smtp_port_t -p tcp 10026

Stephen Smalley gave me some hints to make a dkim type, and make it a
little securer. I'll give it a shot, but I need to understand a little
more about selinux before trying it.


Thanks again for the help.


Cheers.


Martín




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.