LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-10-2013, 08:21 PM   #1
mntbighker
LQ Newbie
 
Registered: Sep 2012
Location: Silicon Valley
Posts: 27

Rep: Reputation: Disabled
SELinux context for perl/sendmail/mysql?


I have a perl handler that forwards mail from a specific address and adds the record to a mysql database. Can anyone put me on the path for the SELinux context and preferred script location? I am trying to avoid the simplistic audit2allow method. I would rather determine the correct labeling instead. I presume this will involve changing the script label, possibly relocating it and probably a couple of booleans. This is on CentOS 5.
 
Old 12-10-2013, 10:48 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,623

Rep: Reputation: 2651
As you might know, CentOS 5 is a bit old.
5.10 is the current and ONLY supported version.
Is SELinuxTroubleShooter installed?
And what is it stating the error as, and the fix it recommends?
(Remember that in the old 5 series SE was less polished and needed a lot of configuring.)

Or:
what errors are you getting in /var/log/setroubleshoot/setroubleshootd.log?

See the cent wiki:
http://wiki.centos.org/HowTos/SELinux

But you are using the older RHEL 5/CentOS 5, so
the Red Hat documentation (cent uses the Red Hat docs)
-- the RHEL6
https://access.redhat.com/site/docum...dit2allow.html

the SE guide for RHEL6
https://access.redhat.com/site/docum...nhanced_Linux/


audit2allow will create a rule from the error log.
 
Old 12-11-2013, 01:55 PM   #3
mntbighker
LQ Newbie
 
Registered: Sep 2012
Location: Silicon Valley
Posts: 27

Original Poster
Rep: Reputation: Disabled
When I said CentOS 5 I meant 5.x, or in this case 5.10.

I only just enabled setroubleshoot logging (run_init service setroubleshoot restart):

Code:
2013-12-11 12:28:46,617 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
2013-12-11 12:28:46,655 [avc.INFO] audit socket (/var/run/audispd_events) connected
2013-12-11 12:28:46,659 [server.INFO] creating system dbus: bus_name=com.redhat.setroubleshootd object_path=/com/redhat/setroubleshootd interface=com.redhat.SEtroubleshootdIface
And actually the last thing I did last night may have resolved this:

Code:
#>chcon -t sendmail_exec_t -r object_r /var/www/html/rmt2-bin/rmt2-mailgate
#>semanage fcontext -a -t sendmail_exec_t "/var/www/html/rmt2-bin/rmt2-mailgate"
However I am not sure this was the best or most secure method for doing so. I am still interested in some guidance.

The original mailgate AVCs were:

Code:
type=AVC msg=audit(1386706253.608:4912): avc:  denied  { connectto } for  pid=31027 comm="rmt2-mailgate" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:mysqld_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1386706253.608:4912): avc:  denied  { write } for  pid=31027 comm="rmt2-mailgate" name="mysql.sock" dev=dm-1 ino=714609 scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:object_r:mysqld_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1386692999.697:4842): avc:  denied  { execute } for  pid=30656 comm="local" name="rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

type=AVC msg=audit(1386692999.697:4842): avc:  denied  { execute_no_trans } for  pid=30656 comm="local" path="/var/www/html/rmt2-bin/rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

type=AVC msg=audit(1386692999.697:4842): avc:  denied  { read } for  pid=30656 comm="local" path="/var/www/html/rmt2-bin/rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

Last edited by mntbighker; 12-11-2013 at 02:37 PM.
 
Old 12-11-2013, 02:43 PM   #4
mntbighker
LQ Newbie
 
Registered: Sep 2012
Location: Silicon Valley
Posts: 27

Original Poster
Rep: Reputation: Disabled
Code:
[root@xxxx ~]# getsebool -a | grep mail
allow_postfix_local_write_mail_spool --> on
fetchmail_disable_trans --> off
logging_syslogd_can_sendmail --> off
mail_read_content --> off
mailman_mail_disable_trans --> off
[root@xxxx ~]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
 
Old 12-16-2013, 01:47 PM   #5
mntbighker
LQ Newbie
 
Registered: Sep 2012
Location: Silicon Valley
Posts: 27

Original Poster
Rep: Reputation: Disabled

Apparently it's not resolved:

Code:
type=AVC msg=audit(1387226083.060:2928): avc:  denied  { search } for  pid=20205 comm="rmt2-mailgate" name="mysql" dev=dm-1 ino=714640 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

type=AVC msg=audit(1387226083.060:2928): avc:  denied  { write } for  pid=20205 comm="rmt2-mailgate" name="mysql.sock" dev=dm-1 ino=714638 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1387226083.060:2928): avc:  denied  { connectto } for  pid=20205 comm="rmt2-mailgate" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
I relocated the perl script below /usr/bin and changed the context to system_u:object_r:bin_t. This resolved the postfix errors but the mysql access errors remain.

Ideas?

I used audit2allow for this, but this is usually my last resort.

Code:
[root@xxxxxx ~]# cat SELinux/SEmailgate.te

module SEmailgate 1.0;

require {
	type mysqld_db_t;
	type mysqld_var_run_t;
	type postfix_local_t;
	type mysqld_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= postfix_local_t ==============
allow postfix_local_t mysqld_db_t:dir search;
allow postfix_local_t mysqld_t:unix_stream_socket connectto;
allow postfix_local_t mysqld_var_run_t:sock_file write;

Last edited by mntbighker; 12-16-2013 at 03:58 PM.
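An added example, not code from the thread or any poster: a small Python parser that runs over four of the AVC lines quoted in posts #3 and #5 and groups the denials by source domain, target type, object class and permission. It makes the thread's point visible in data: every denial has source domain postfix_local_t, so relabelling the script (post #3) or moving it to bin_t (post #5) only addresses the file-class denials, while the mysqld_t, mysqld_var_run_t and mysqld_db_t denials survive and are a policy decision; the relabel/policy split by object class is a heuristic that fits these denials, not a general SELinux rule.

```python
import re
from collections import Counter

# Four AVC lines copied verbatim from posts #3 and #5 of this thread, embedded
# so the script runs offline.
AVC_SAMPLE = """\
type=AVC msg=audit(1386692999.697:4842): avc:  denied  { execute } for  pid=30656 comm="local" name="rmt2-mailgate" dev=dm-1 ino=260692 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1386706253.608:4912): avc:  denied  { connectto } for  pid=31027 comm="rmt2-mailgate" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_local_t:s0 tcontext=user_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1387226083.060:2928): avc:  denied  { write } for  pid=20205 comm="rmt2-mailgate" name="mysql.sock" dev=dm-1 ino=714638 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1387226083.060:2928): avc:  denied  { search } for  pid=20205 comm="rmt2-mailgate" name="mysql" dev=dm-1 ino=714640 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract permissions, source/target types and object class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "stype": f["scontext"].split(":")[2],  # e.g. postfix_local_t (the domain)
        "ttype": f["tcontext"].split(":")[2],  # e.g. mysqld_t
        "tclass": f["tclass"],
    }


def summarize(text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def classify(counts):
    """Heuristic for this thread: 'file'-class denials target the script itself and
    are fixed by relabelling it; the rest target mysqld's objects and need policy."""
    relabel = sorted(k for k in counts if k[2] == "file")
    policy = sorted(k for k in counts if k[2] != "file")
    return relabel, policy


def allow_rules(counts):
    """Render the allow rules audit2allow would propose, for review before any loading."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)
```

Running summarize() on the full set of lines from both posts produces the same three mysqld rules that the SEmailgate.te module above contains, which is a quick way to confirm that a generated module matches the denials you actually saw before loading it.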
 
Old 12-16-2013, 03:56 PM   #6
mntbighker
LQ Newbie
 
Registered: Sep 2012
Location: Silicon Valley
Posts: 27

Original Poster
Rep: Reputation: Disabled
PMwiki too

While I'm at this, enabling enforcing kills PMwiki as well, because it can't alter files or get a lock file. So far I found very limited guidance on what SELinux booleans or other things need to be changed to allow PMwiki to operate. The one thing I DID see was this:

Code:
chcon -R -t httpd_sys_rw_content_t 'wiki.d'
and I get:

Code:
chcon: failed to change context of wiki.d to system_u:object_r:httpd_sys_rw_content_t:s0: Invalid argument
 