I'm trying to chase down an AVC message coming from procmail. I'm having a 
problem figuring out how to research, troubleshoot, or fix bad FIFO pipe 
contexts.

The AVC I get is:

Aug  6 12:15:52 basement kernel: type=1400 audit(1312647352.712:9623): avc:  
denied  { write } for  pid=9816 comm="procmail" path="pipe:[4235]" dev=pipefs 
ino=4235 scontext=system_u:system_r:procmail_t 
tcontext=system_u:system_r:postfix_master_t tclass=fifo_file

The problem appears to be that the FIFO objects that postfix's master process 
is creating aren't getting the correct security context:

basement ~ # lsof -Z | grep pipe | grep 4235
master     2069   system_u:system_r:postfix_master_t   root      94r   FIFO   0,7   0t0   4235 pipe
master     2069   system_u:system_r:postfix_master_t   root      95w   FIFO   0,7   0t0   4235 pipe
qmgr       2074   system_u:system_r:postfix_qmgr_t     postfix   94r   FIFO   0,7   0t0   4235 pipe
qmgr       2074   system_u:system_r:postfix_qmgr_t     postfix   95w   FIFO   0,7   0t0   4235 pipe
tlsmgr     2178   system_u:system_r:postfix_master_t   postfix   94r   FIFO   0,7   0t0   4235 pipe
tlsmgr     2178   system_u:system_r:postfix_master_t   postfix   95w   FIFO   0,7   0t0   4235 pipe
pickup     9273   system_u:system_r:postfix_pickup_t   postfix   94r   FIFO   0,7   0t0   4235 pipe
pickup     9273   system_u:system_r:postfix_pickup_t   postfix   95w   FIFO   0,7   0t0   4235 pipe

Procmail doesn't have access to the postfix_master_t domain, but it does have 
access to this:

basement ~ # sesearch --allow -sprocmail_t -cfifo_file 
Found 4 semantic av rules:
   allow procmail_t postfix_local_t : fifo_file { ioctl read write getattr lock 
append open } ; 
   allow procmail_t postfix_pipe_t : fifo_file { ioctl read write getattr lock 
append open } ; 
   allow procmail_t user_home_t : fifo_file { ioctl read write create getattr 
setattr lock append unlink link rename open } ; 
   allow procmail_t procmail_t : fifo_file { ioctl read write getattr lock 
append open } ; 

So, I'm assuming that postfix's FIFOs ought to be one of those two: 
postfix_local_t or postfix_pipe_t. Since procmail's being used here as the 
local delivery agent I was guessing postfix_local_t. But I can't figure out 
where that is supposed to happen. Is that something postfix is required to do 
manually, or should there be a transition rule for it? (sesearch didn't show 
any trans rules for either of those types.)

--Mike
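As an added example (not from the original post or from the postfix/SELinux policy), the script below takes an AVC denial line like the one quoted above, pulls out the source type, target type, object class and denied permissions, and turns them into the sesearch query that checks whether the loaded policy already covers that access (same option style as the post) and the allow rule that audit2allow would generate. AVC_SAMPLE is a constructed copy of the quoted denial; the function names are this example's own, and avc_check only runs sesearch if setools is installed.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial and derive the matching
# sesearch query and candidate allow rule. Not code from the original post.

# Constructed sample: a copy of the denial quoted in the post.
AVC_SAMPLE='Aug  6 12:15:52 basement kernel: type=1400 audit(1312647352.712:9623): avc:  denied  { write } for  pid=9816 comm="procmail" path="pipe:[4235]" dev=pipefs ino=4235 scontext=system_u:system_r:procmail_t tcontext=system_u:system_r:postfix_master_t tclass=fifo_file'

# avc_field LINE KEY: value of KEY=value in an AVC line, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the space-separated permissions listed between { } after "denied".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT: the type field of a user:role:type[:level] context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_sesearch_cmd LINE: the sesearch invocation that shows whether the
# loaded policy already has an allow rule covering this exact denial.
avc_sesearch_cmd() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1" | tr ' ' ',')      # sesearch -p takes a comma list
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_allow_rule LINE: the TE rule audit2allow would emit for the denial.
avc_allow_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_check LINE: run the query with explicit arguments (no eval of log-derived
# text) and report "covered", "missing", or "no-sesearch" if setools is absent.
avc_check() {
    command -v sesearch >/dev/null 2>&1 || { echo no-sesearch; return 0; }
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1" | tr ' ' ',')
    if sesearch --allow -s "$src" -t "$tgt" -c "$cls" -p "$perms" 2>/dev/null \
            | grep -q 'allow '; then
        echo covered
    else
        echo missing
    fi
}

# Stand-alone run: show what the constructed sample resolves to.
avc_sesearch_cmd "$AVC_SAMPLE"
avc_allow_rule "$AVC_SAMPLE"
avc_check "$AVC_SAMPLE"
```

The generated rule (allow procmail_t postfix_master_t:fifo_file { write };) would silence the denial, but it answers a different question from the one the post asks. An anonymous pipe on pipefs is labeled with the context of the process that created it, so a pipe created by postfix's master process carrying postfix_master_t in tcontext is the expected label, not a mislabel; the decision is whether procmail_t should be allowed to write to descriptors that domain created, or whether the descriptor should be reaching procmail through a domain (postfix_local_t or postfix_pipe_t) that the existing rules already cover.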
