Package: selinux-basics
Version: 0.3.5
Severity: normal
File: /usr/sbin/postfix-nochroot
Tags: patch
Hi,

I installed Rsyslog as this is the default syslog daemon now. Postfix
from version 2.5.5-1.1 (07 Sep 2008) provides an Rsyslog configuration
snippet with the additional socket /var/spool/postfix/dev/log, so chrooted
Postfix can do logging even in the case the syslog daemon is restarted.
(Please look into /usr/share/doc/postfix/README.Debian for details.)

This is a problem for SE Linux:

Nov 3 16:02:24 sid kernel: [ 3056.301851] type=1400 audit(1225724544.685:18):
avc: denied { search } for pid=1574 comm="rsyslogd" name="spool" dev=hda2
ino=82087 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.306114] type=1400 audit(1225724544.685:18):
avc: denied { search } for pid=1574 comm="rsyslogd" name="postfix" dev=hda2
ino=82089 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.310092] type=1400 audit(1225724544.685:18):
avc: denied { write } for pid=1574 comm="rsyslogd" name="dev" dev=hda2
ino=84254 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.313944] type=1400 audit(1225724544.685:18):
avc: denied { remove_name } for pid=1574 comm="rsyslogd" name="log" dev=hda2
ino=82043 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Nov 3 16:02:24 sid kernel: [ 3056.317603] type=1400 audit(1225724544.685:18):
avc: denied { unlink } for pid=1574 comm="rsyslogd" name="log" dev=hda2
ino=82043 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
Nov 3 16:02:24 sid kernel: [ 3056.321174] type=1300 audit(1225724544.685:18):
arch=40000003 syscall=10 success=yes exit=0 a0=87d1d70 a1=0 a2=b7e097f0 a3=1
items=0 ppid=1 pid=1574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd"
exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
Nov 3 16:02:24 sid kernel: Kernel logging (proc) stopped.

I prepared a modification of /usr/sbin/postfix-nochroot, so that it moves
this configuration out of the way (renames it to *.bak; Rsyslog loads only
*.conf files), restarts Rsyslog if the socket really exists and removes the
dev chroot directory. Postfix providing a debconf question for setting up
the chroot environment would be much more appropriate, and I will try to
make some activity in this direction (report a bug or something), but it is
probably not acceptable for Lenny :(.

Best Regards
--
Zito

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-basics depends on:
ii checkpolicy 2.0.16-2 SELinux policy compiler
ii policycoreutils 2.0.49-6 SELinux core policy utilities
ii python 2.5.2-3 An interactive high-level object-o
ii selinux-utils 2.0.65-5 SELinux utility programs

Versions of packages selinux-basics recommends:
ii selinux-policy-default 2:0.0.20080702-14 Strict and Targeted variants of th
ii setools 3.3.5.ds-5 tools for Security Enhanced Linux

Versions of packages selinux-basics suggests:
pn logcheck <none> (no description available)
pn syslog-summary <none> (no description available)

-- no debconf information

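The AVC records quoted in the report are the kind of input audit2allow summarises into allow rules. The Python below is an added illustration, not part of the bug report or of the selinux-basics package: it parses such records (the report's own denials, re-joined onto single lines as constructed sample input, plus the SYSCALL record and kernel message that must be skipped) into per source-type / target-type / object-class permission sets and renders them in allow-rule syntax. The regular expression and the function names are this example's own. One caveat it makes visible: the output only reflects denials that were actually logged. Here rsyslogd stopped at the unlink, so the permissions a freshly created socket would need never appear, which is the usual trap of building policy from a partial audit log; the report's fix goes the other way anyway, dropping the socket configuration instead of widening syslogd_t.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the bug report, each re-joined
# onto one line (the mail wrapped them), followed by the type=1300 SYSCALL
# record and the kernel message, neither of which describes a denial.
SAMPLE_AUDIT_LINES = [
    'Nov 3 16:02:24 sid kernel: [ 3056.301851] type=1400 audit(1225724544.685:18): avc: denied { search } for pid=1574 comm="rsyslogd" name="spool" dev=hda2 ino=82087 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
    'Nov 3 16:02:24 sid kernel: [ 3056.306114] type=1400 audit(1225724544.685:18): avc: denied { search } for pid=1574 comm="rsyslogd" name="postfix" dev=hda2 ino=82089 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir',
    'Nov 3 16:02:24 sid kernel: [ 3056.310092] type=1400 audit(1225724544.685:18): avc: denied { write } for pid=1574 comm="rsyslogd" name="dev" dev=hda2 ino=84254 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir',
    'Nov 3 16:02:24 sid kernel: [ 3056.313944] type=1400 audit(1225724544.685:18): avc: denied { remove_name } for pid=1574 comm="rsyslogd" name="log" dev=hda2 ino=82043 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir',
    'Nov 3 16:02:24 sid kernel: [ 3056.317603] type=1400 audit(1225724544.685:18): avc: denied { unlink } for pid=1574 comm="rsyslogd" name="log" dev=hda2 ino=82043 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file',
    'Nov 3 16:02:24 sid kernel: [ 3056.321174] type=1300 audit(1225724544.685:18): arch=40000003 syscall=10 success=yes exit=0 a0=87d1d70 a1=0 a2=b7e097f0 a3=1 items=0 ppid=1 pid=1574 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)',
    'Nov 3 16:02:24 sid kernel: Kernel logging (proc) stopped.',
]

# Matches only AVC (type=1400) denial records; the field order (perms, comm,
# scontext, tcontext, tclass) is the one the kernel emits.
AVC_RE = re.compile(
    r'type=1400 .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field: 'system_u:system_r:syslogd_t:s0' -> 'syslogd_t'."""
    return context.split(':')[2]


def parse_avc_denials(lines, comm=None):
    """Aggregate AVC denials into {(source_type, target_type, tclass): set(perms)}.

    Lines that are not AVC denials are ignored. If comm is given, only denials
    raised by that command name are kept.
    """
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        if comm is not None and m['comm'] != comm:
            continue
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def render_allow_rules(rules):
    """Render the aggregated denials as allow rules, one per key, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        joined = ' '.join(sorted(perms))
        if len(perms) > 1:
            joined = '{ ' + joined + ' }'
        out.append(f'allow {src} {tgt}:{cls} {joined};')
    return out


if __name__ == '__main__':
    for rule in render_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LINES)):
        print(rule)
```

Running it prints three allow rules: syslogd_t needs dir search on var_spool_t, dir search/write/remove_name on postfix_spool_t and sock_file unlink on postfix_spool_t. Whether to grant them is a separate decision from deriving them; for the situation in this report the right answer is to stop rsyslog from touching the Postfix spool at all, which is what the attached patch does.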
--- postfix-nochroot.orig 2008-10-30 18:53:14.000000000 +0100
+++ postfix-nochroot 2008-11-03 16:17:39.000000000 +0100
@@ -8,6 +8,10 @@
use strict;
my $file = "/etc/postfix/master.cf";
+my $rsyslog_postfix_conf = "/etc/rsyslog.d/postfix.conf";
+my $rsyslog_postfix_sock = "/var/spool/postfix/dev/log";
+
+my $rsyslog_initrc = "/etc/init.d/rsyslog";
if(-e "$file.bak")
{
@@ -49,9 +53,61 @@
{
system("$script stop");
}
-system("rm -rf /var/spool/postfix/etc /var/spool/postfix/lib
/var/spool/postfix/usr");
+rsyslog_postfix_socket_disable();
+mysystem('rm', '-rf', qw(
+ /var/spool/postfix/dev
+ /var/spool/postfix/etc
+ /var/spool/postfix/lib
+ /var/spool/postfix/usr
+ ));
if($status =~ /postfix is running/)
{
system("$script start");
}
+exit(0);
+
+sub rsyslog_postfix_socket_disable
+{
+ if ( -f $rsyslog_postfix_conf )
+ {
+ my $from = $rsyslog_postfix_conf;
+ my $to = $rsyslog_postfix_conf . '.bak';
+ rename($from, $to)
+ or die qq|$0: can't rename("$from", "$to"): $!\n|;
+ }
+ if ( -S $rsyslog_postfix_sock && -x $rsyslog_initrc )
+ {
+ mysystem($rsyslog_initrc, 'restart');
+ }
+}
+
+sub mysystem
+{
+ system(@_);
+ if ( $? != 0 )
+ {
+ print STDERR "$0: exec(" . join(',', map(qq|"$_"|, @_)) . ") ";
+ }
+ if ($? == -1)
+ {
+ mysystem_error([EMAIL PROTECTED], "failed: $!");
+ }
+ elsif ($? & 127)
+ {
+ mysystem_error([EMAIL PROTECTED], "child died with signal %d, %s
coredump",
+ ($? & 127), ($? & 128) ? 'with' : 'without');
+ }
+ elsif ( $? )
+ {
+ mysystem_error([EMAIL PROTECTED], "child exited with value %d", $? >>
8);
+ }
+ return $?;
+}
+
+sub mysystem_error
+{
+ my ($args, $fmt, @fmtargs) = @_;
+ print STDERR "$0: exec(", join(',', map(qq|"$_"|, @$args)),
+ ") ", sprintf($fmt, @fmtargs), "\n";
+}
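Review bot: the failure prefix in mysystem is printed twice. The `if ( $? != 0 )` block writes `"$0: exec(" . join(',', map(qq|"$_"|, @_)) . ") "` to STDERR, and each mysystem_error branch it then calls prints the same `"$0: exec(", join(',', map(qq|"$_"|, @$args)), ") "` prefix again before the sprintf'd reason, so a failing command is reported as `exec(...) exec(...) child exited with value N`. Drop the first print block and let mysystem_error emit the whole line. Two more points in this hunk: the argument handed to mysystem_error appears as `[EMAIL PROTECTED]` in all three calls, which looks like the archive's address scrubber mangling an array reference (the callee dereferences `@$args`), so the patch as archived will not compile until that argument is restored; and `rename($from, $to)` silently clobbers an existing /etc/rsyslog.d/postfix.conf.bak, whereas the script's own handling of master.cf checks `if(-e "$file.bak")` first (visible as context in the first hunk), so mirror that check or refuse to overwrite. Also worth stating in the code: mysystem only reports failures and returns `$?`, so a failed `$rsyslog_initrc restart` does not stop the following `rm -rf` of /var/spool/postfix/dev.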