1.24.2008

create SELinux policy from audit2allow - RHEL5

To create a policy using messages from avc:
RHEL5 has a few handy tools to help with allowing specific exceptions to the canned selinux policy, by creating
policy modules to import as needed.

Use audit2allow, which transforms audit messages from alerts to loadable modules

So, this /var/log/messages alert:
Aug 7 07:22:19 testbox setroubleshoot: SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "write" to cricket (mail_spool_t). For complete SELinux messages. run sealert -l 1afcc5f6-d4a8-47e6-b546-b2ec3b427f18

Shows this in sealert:
[07:25:12 testbox ] tmp $ sealert -l 1afcc5f6-d4a8-47e6-b546-b2ec3b427f18
Summary
SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "write"
to cricket (mail_spool_t).

Detailed Description
SELinux denied access requested by /usr/libexec/postfix/local. It is not
expected that this access is required by /usr/libexec/postfix/local and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for cricket, restorecon -v cricket
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context user_u:system_r:postfix_local_t
Target Context system_u:object_r:mail_spool_t
Target Objects cricket [ file ]
Affected RPM Packages postfix-2.3.3-2 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name testbox
Platform Linux testbox 2.6.18-8.1.6.el5 #1 SMP Fri Jun 1
18:52:13 EDT 2007 x86_64 x86_64
Alert Count 7676
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="local" dev=dm-1 egid=650 euid=650
exe="/usr/libexec/postfix/local" exit=-13 fsgid=650 fsuid=650 gid=0 items=0
name="cricket" pid=25939 scontext=user_u:system_r:postfix_local_t:s0 sgid=0
subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0
Basically, postfix can't write to /var/spool/mail/cricket
[07:26:30 testbox ] tmp $ ls -alZ /var/spool/mail/
drwxrwxr-x root mail system_u:object_r:mail_spool_t .
drwxr-xr-x root root system_u:object_r:var_spool_t ..
-rw------- cricket mail system_u:object_r:mail_spool_t cricket
So run audit2allow, and generate a te file:
[07:36:29 testbox ] tmp $ sudo audit2allow -a -m postfixlocal > postfixlocal.te
[07:37:22
testbox ] tmp $ cat postfixlocal.te
module postfixlocal 1.0;
require {
class file write;
type mail_spool_t;
type postfix_local_t;
role system_r;
};

allow postfix_local_t mail_spool_t:file write;
And compile it:
[07:37:25 testbox tmp ] $ sudo checkmodule -M -m -o postfixlocal.mod postfixlocal.te
checkmodule: loading policy configuration from postfixlocal.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to postfixlocal.mod
And create a policy package:
[07:37:47 testbox ] tmp $ semodule_package -o postfixlocal.pp -m postfixlocal.mod
Now we have the ingredients:
[07:38:39 testbox ] tmp $ file postfixlo*
postfixlocal.mod: data
postfixlocal.pp: data
postfixlocal.te: ASCII C++ program text
Load the policy to the kernel:
[07:38:46 testbox] tmp $ sudo semodule -i postfixlocal.pp

[07:44:14 testbox] / $ sudo semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
postfixlocal 1.0 <------------ module loaded =]
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0
Also, we can load the module to another server:
[07:47:50 testbox] tmp $ scp postfixlocal.pp testbox2:/var/tmp
stewpid@testbox2's password:
postfixlocal.pp 100% 1017 1.0KB/s 00:00

[07:48:37 testbox2] tmp $ sudo semodule -i postfixlocal.pp

[07:49:02 testbox2] tmp $ sudo semodule -l |grep postfixlocal
postfixlocal 1.0
From audit2allow man page:
[Note] Important
In order to load this newly created policy package into the kernel, you are required to
execute semodule -i local.pp
Note that if you later install another module called local, it will replace this module.
If you want to keep these rules around, then you either need to append future customizations
to this local.te, or give future customizations a different name.
So, it's best to either maintain a single policy (named local or whatever you'll remember), or separate
policy names for each access you'd like to allow/maintain. I prefer the modular approach, easy to load/unload.


2 comments:

Unknown said...

Thank you very much - you have made selinux approachable. Policy module loaded, setenforce 1, postfix restart and no error messages when forwarding or delivering mail (my error was "SELinux is preventing the /usr/libexec/postfix/local from using potentially mislabeled files (Unknown)."
douliwok

Aleksey Tsalolikhin said...

Very helpful, thanks! Aleksey