* Sendmail & SELinux policies
@ 2006-04-06 9:09 Tanel Kokk
From: Tanel Kokk @ 2006-04-06 9:09 UTC (permalink / raw)
To: SELinux
Hello
I made SELinux policies for sendmail on CentOS (it seemed that the
targeted policy contains some kind of incomplete policy for sendmail).
Mostly it seems to work fine. However, sometimes I find SELinux audit logs
in dmesg:
audit(1144310301.564:2): avc: denied { getattr } for pid=11789
comm="sendmail" name="null" dev=sda2 ino=293212
scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit(1144310301.564:3): avc: denied { ioctl } for pid=11789
comm="sendmail" name="null" dev=sda2 ino=293212
scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:device_t
tclass=chr_file
audit2allow gives:
allow sendmail_t device_t:chr_file { getattr ioctl };
However I have this line in ./src/policy/domains/program/local.te:
allow sendmail_t device_t:chr_file { read write getattr ioctl };
As I understand it, I already have an allow rule for this
situation. Why do I still get these denied messages for sendmail_t?
--
Tanel Kokk
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Sendmail & SELinux policies
@ 2006-04-06 11:40 ` Stephen Smalley
From: Stephen Smalley @ 2006-04-06 11:40 UTC (permalink / raw)
To: Tanel Kokk; +Cc: SELinux
On Thu, 2006-04-06 at 12:09 +0300, Tanel Kokk wrote:
> Hello
>
> I made SELinux policies for sendmail on CentOS (it seemed that the
> targeted policy contains some kind of incomplete policy for sendmail).
The upstream example policy has a sendmail policy, but targeted policy
doesn't include it.
> Mostly it seems to work fine. However, sometimes I find SELinux audit logs
> in dmesg:
>
> audit(1144310301.564:2): avc: denied { getattr } for pid=11789
> comm="sendmail" name="null" dev=sda2 ino=293212
> scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:device_t
> tclass=chr_file
> audit(1144310301.564:3): avc: denied { ioctl } for pid=11789
> comm="sendmail" name="null" dev=sda2 ino=293212
> scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:device_t
> tclass=chr_file
This looks suspect, as the null device should be labeled null_device_t,
not just device_t. ls -Z /dev/null
> audit2allow get:
> allow sendmail_t device_t:chr_file { getattr ioctl };
>
> However I have this line in ./src/policy/domains/program/local.te:
> allow sendmail_t device_t:chr_file { read write getattr ioctl };
>
> As I understand it, I already have an allow rule for this
> situation. Why do I still get these denied messages for sendmail_t?
First, I don't think you want to allow it (potential access to device
nodes that don't have a specific type). You want to fix the label
on /dev/null instead.
Not sure why your local rule isn't applied though, unless you just
didn't do a make load after adding it. You can try doing a make clean
load to be sure it was rebuilt.
--
Stephen Smalley
National Security Agency
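The two diagnoses in this reply (a denial against the generic device_t type points at a mislabeled device node, and a denial whose permissions are already granted in local.te points at a loaded policy that is stale) can be checked mechanically. The following Python is an added example, not code from the list posts: it parses the denials quoted above (the sample text is reconstructed from the thread), merges them the way audit2allow presents them, compares them with the local.te rule, and reports both conditions; the set of "generic" types it flags is this example's own choice.

```python
import re
from dataclasses import dataclass
# Constructed sample: the two denials posted in the thread, as dmesg prints them.
SAMPLE_DMESG = """\
audit(1144310301.564:2): avc: denied { getattr } for pid=11789 comm="sendmail" name="null" dev=sda2 ino=293212 scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1144310301.564:3): avc: denied { ioctl } for pid=11789 comm="sendmail" name="null" dev=sda2 ino=293212 scontext=user_u:system_r:sendmail_t tcontext=system_u:object_r:device_t tclass=chr_file
"""
# The rule quoted from local.te in the thread.
LOCAL_TE = "allow sendmail_t device_t:chr_file { read write getattr ioctl };"
# Generic fallback types (this example's own list): a denial against one of these
# usually means the object is mislabeled (here /dev/null should be null_device_t).
GENERIC_TYPES = {"device_t", "file_t", "unlabeled_t", "default_t"}

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} for .*?scontext=\S+:(?P<stype>\w+) "
                    r"tcontext=\S+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)")
RULE_RE = re.compile(r"allow (\w+) (\w+):(\w+) \{ ([^}]+)\};")

@dataclass(frozen=True)
class Denial:
    stype: str        # source domain, e.g. sendmail_t
    ttype: str        # target type, e.g. device_t
    tclass: str       # object class, e.g. chr_file
    perms: frozenset  # permissions requested (or, for a rule, granted)

def parse_denials(text):
    """Extract one Denial per 'avc: denied' line."""
    return [Denial(m["stype"], m["ttype"], m["tclass"], frozenset(m["perms"].split()))
            for m in AVC_RE.finditer(text)]

def parse_rules(te_source):
    """Parse plain 'allow' rules from .te source into the same shape."""
    return [Denial(s, t, c, frozenset(p.split())) for s, t, c, p in RULE_RE.findall(te_source)]

def audit2allow(denials):
    """Merge denials into allow rules, the way audit2allow presents them."""
    merged = {}
    for d in denials:
        key = (d.stype, d.ttype, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def triage(denial, rules):
    """Classify a denial: relabel the object, reload stale policy, or add a rule."""
    findings = []
    if denial.ttype in GENERIC_TYPES:
        findings.append("mislabeled_target")
    if any(r.stype == denial.stype and r.ttype == denial.ttype
           and r.tclass == denial.tclass and denial.perms <= r.perms for r in rules):
        findings.append("rule_present_but_not_loaded")
    return findings or ["missing_rule"]
```

For the denials in this thread, triage() reports both findings, which matches the advice above: relabel /dev/null in the chroot and rebuild and reload the policy rather than add another allow rule.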
* Re: Sendmail & SELinux policies
@ 2006-04-06 11:49 ` Tanel Kokk
From: Tanel Kokk @ 2006-04-06 11:49 UTC (permalink / raw)
To: SELinux
Stephen Smalley wrote:
> On Thu, 2006-04-06 at 12:09 +0300, Tanel Kokk wrote:
> This looks suspect, as the null device should be labeled null_device_t,
> not just device_t. ls -Z /dev/null
Ouch! I have to note that I have a chrooted sendmail environment and
/sm_chroot/dev/null really has the label device_t. Now fixed to null_device_t.
>
>> audit2allow get:
>> allow sendmail_t device_t:chr_file { getattr ioctl };
>>
>> However I have this line in ./src/policy/domains/program/local.te:
>> allow sendmail_t device_t:chr_file { read write getattr ioctl };
>>
>> As I understand it, I already have an allow rule for this
>> situation. Why do I still get these denied messages for sendmail_t?
>
> First, I don't think you want to allow it (potential access to device
> nodes that don't have a specific type). You want to fix the label
> on /dev/null instead.
OK. I'll check my dev files and fix them to appropriate label.
> Not sure why your local rule isn't applied though, unless you just
> didn't do a make load after adding it. You can try doing a make clean
> load to be sure it was rebuilt.
>
I always did 'make relabel' and 'make reload'.
Thanks! I'll look things over.
--
Tanel Kokk
* Re: Sendmail & SELinux policies
@ 2006-04-06 12:14 ` Stephen Smalley
From: Stephen Smalley @ 2006-04-06 12:14 UTC (permalink / raw)
To: Tanel Kokk; +Cc: SELinux
On Thu, 2006-04-06 at 14:49 +0300, Tanel Kokk wrote:
> Stephen Smalley wrote:
> > On Thu, 2006-04-06 at 12:09 +0300, Tanel Kokk wrote:
>
> > This looks suspect, as the null device should be labeled null_device_t,
> > not just device_t. ls -Z /dev/null
>
> Ouch! I have to note that I have a chrooted sendmail environment and
> /sm_chroot/dev/null really has the label device_t. Now fixed to null_device_t.
Ok. FYI, setfiles has a -r option for applying it to a chroot'd tree,
contributed by the Hardened Gentoo folks. As in:
setfiles -r /path/to/root /etc/selinux/targeted/contexts/files/file_contexts /path/to/root
> > Not sure why your local rule isn't applied though, unless you just
> > didn't do a make load after adding it. You can try doing a make clean
> > load to be sure it was rebuilt.
> >
>
> I always did 'make relabel' and 'make reload'.
make relabel is only necessary if you altered file contexts (.fc files),
and even then, you can usually just apply setfiles or restorecon
selectively if you know which part of the file tree needs to be updated
to avoid a full relabel. I'd try a make clean load to be sure it
properly rebuilt.
BTW, a make relabel will likely reset the types on your chroot
environment unless you've added entries for them to your file contexts.
--
Stephen Smalley
National Security Agency
* Re: Sendmail & SELinux policies
@ 2006-04-06 12:23 ` Tanel Kokk
From: Tanel Kokk @ 2006-04-06 12:23 UTC (permalink / raw)
To: SELinux
Stephen Smalley wrote:
> On Thu, 2006-04-06 at 14:49 +0300, Tanel Kokk wrote:
>> Stephen Smalley wrote:
>>> On Thu, 2006-04-06 at 12:09 +0300, Tanel Kokk wrote:
>>> This looks suspect, as the null device should be labeled null_device_t,
>>> not just device_t. ls -Z /dev/null
>> Ouch! I have to note that I have a chrooted sendmail environment and
>> /sm_chroot/dev/null really has the label device_t. Now fixed to null_device_t.
>
> Ok. FYI, setfiles has a -r option for applying it to a chroot'd tree,
> contributed by the Hardened Gentoo folks. As in:
> setfiles -r /path/to/root /etc/selinux/targeted/contexts/files/file_contexts /path/to/root
That's a good hint. I didn't know that.
> make relabel is only necessary if you altered file contexts (.fc files),
> and even then, you can usually just apply setfiles or restorecon
> selectively if you know which part of the file tree needs to be updated
> to avoid a full relabel. I'd try a make clean load to be sure it
> properly rebuilt.
>
> BTW, a make relabel will likely reset the types on your chroot
> environment unless you've added entries for them to your file contexts.
>
I have labels for the chroot directory, too. Before, I had the entry:
/sm_chroot/dev(/.*)? system_u:object_r:device_t
and there weren't separate labels for specific device files. Now I have added
the right labels for those, too.
--
Tanel Kokk