Package: selinux-policy-default
Version: 2:2.20140421-7
Severity: normal
Dear Maintainer,
Postfix is configured as a satellite host.
After some time, /var/log/audit/audit.log contains lots of AVC messages.
# grep postfix /var/log/audit/audit.log | grep AVC | cut -d' ' -f'7-' \
    | sed -e 's/ permissive=1$//' -e 's/=unconfined_u:unconfined_r:/=u:u:/g' \
    | sed -e 's/=system_u:system_r:/=s:s:/g' -e 's/for pid=[0-9]* //' \
          -e 's/ino=[0-9]* //' -e 's/pipe:\[[0-9]*\]/pipe:\[XXX\]/' \
    | sort | uniq -c
2 { connectto } comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=unix_stream_socket
1 { getattr } comm="lsof" path="socket:[18785013]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=tcp_socket
1 { getattr } comm="lsof" path="socket:[18787006]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=unix_dgram_socket
1 { getattr } comm="lsof" path="socket:[18850823]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=unix_stream_socket
1 { getattr } comm="lsof" path="socket:[18850886]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_qmgr_t:s0 tclass=unix_dgram_socket
1 { getattr } comm="lsof" path="socket:[65454640]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_pickup_t:s0 tclass=unix_dgram_socket
1 { getattr } comm="postdrop" path=2F746D702F746D7066516A67655052202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
1 { getattr } comm="postdrop" path=2F746D702F746D706658684C466C70202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
2 { getattr } comm="postdrop" path="/var/spool/postfix/public/pickup" dev="dm-1" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file
32 { getattr } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=s:s:sshd_t:s0-s0:c0.c1023 tclass=fifo_file
32 { getattr } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file
5 { getattr } comm="showq" path="/var/spool/postfix/pid/unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
1 { getattr } comm="userdel" path="/var/spool/postfix" dev="dm-1" scontext=u:u:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=dir
5 { lock } comm="showq" path="/pid/unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
5 { open } comm="showq" path="/var/spool/postfix/pid/unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
16 { read } comm="pickup" name="maildrop" dev="dm-1" scontext=s:s:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=dir
31 { read } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=s:s:sshd_t:s0-s0:c0.c1023 tclass=fifo_file
5 { read } comm="showq" name="maildrop" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=dir
1 { read write } comm="postdrop" path=2F746D702F746D7066516A67655052202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
1 { read write } comm="postdrop" path=2F746D702F746D706658684C466C70202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
5 { read write } comm="showq" name="unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
1 { use } comm="postqueue" path="/dev/pts/2" dev="devpts" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fd
33 { use } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fd
12 { write } comm="master" name="pickup" dev="dm-1" scontext=s:s:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
5 { write } comm="master" name="qmgr" dev="dm-1" scontext=s:s:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
2 { write } comm="postdrop" name="pickup" dev="dm-1" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file
5 { write } comm="postqueue" name="showq" dev="dm-1" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
31 { write } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=s:s:sshd_t:s0-s0:c0.c1023 tclass=fifo_file
37 { write } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file
I ran 'restorecon -R /var/spool/postfix' to ensure correct filesystem
settings. I don't remember having made any heavy change to the Postfix conf.
I'm surprised to see that many AVC messages. I don't know how to
find where it goes wrong.
Thanks,
Benoit
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3.1
ii libselinux1 2.3-2
ii libsepol1 2.3-2
ii policycoreutils 2.3-1
ii python 2.7.8-2
ii selinux-utils 2.3-2
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3.1
Versions of packages selinux-policy-default suggests:
ii logcheck 1.3.17
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local
/srv/postgresql/([0-9].*)? system_u:object_r:postgresql_db_t:s0
/srv/log -d system_u:object_r:var_log_t:s0
/srv/log/[-0-9]*.[a-z0-9]*.messages system_u:object_r:var_log_t:s0
-- no debconf information
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
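As an added example (not part of the bug report or of the selinux-policy-default package), a Python script that does the same aggregation as the shell pipeline in the report, but parses the AVC records as fields and hex-decodes the unquoted path= values: the audit subsystem hex-encodes a path that contains a space, so the path=2F746D70... in the postdrop denials is the deleted tmpfile "/tmp/tmpfQjgePR (deleted)", which the pipeline leaves unreadable. The audit lines embedded below are constructed in the audit.log format; the field set and type names mirror the report.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not the reporter's log). The unquoted
# hex path is how the kernel encodes a path containing a space.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1417170000.101:501): avc:  denied  { getattr } for  pid=2101 comm="postdrop" path=2F746D702F746D7066516A67655052202864656C6574656429 dev="tmpfs" ino=5 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1417170000.102:502): avc:  denied  { read write } for  pid=2101 comm="postdrop" path=2F746D702F746D7066516A67655052202864656C6574656429 dev="tmpfs" ino=5 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1417170001.200:503): avc:  denied  { write } for  pid=901 comm="master" name="pickup" dev="dm-1" ino=77 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1417170002.300:504): avc:  denied  { write } for  pid=901 comm="master" name="pickup" dev="dm-1" ino=77 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1417170002.300:504): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_ENCODED_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd'}  # audit hex-encodes these when unquoted

def decode_field(key, value):
    """Unquote a quoted value; hex-decode an unquoted string field."""
    if value.startswith('"'):
        return value.strip('"')
    if key in HEX_ENCODED_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace')
    return value

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, raw in FIELD_RE.findall(m.group('rest')):
        rec[key] = decode_field(key, raw)
    return rec

def type_of(context):
    """Keep only the type from user:role:type:range."""
    return context.split(':')[2]

def summarize(log_text):
    """Count denials by (source type, permission, target type, tclass),
    ignoring pid, inode and SELinux user/role, like the uniq -c pipeline."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            for perm in rec['perms']:  # "{ read write }" counts once per permission
                counts[(type_of(rec['scontext']), perm, type_of(rec['tcontext']), rec['tclass'])] += 1
    return counts
```

Run it over a real file with summarize(open('/var/log/audit/audit.log').read()); each key maps directly onto the allow rule or file-context fix a policy change would need.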