Newbie asking about first policy file
leam hall
2018-03-30 17:08:26 UTC
Good morning!

I'm trying to learn SELinux and reduce the number of alerts that refer
to normal processes. Postfix is one of the biggies, here's what I've
gotten so far. I'd appreciate critique.

Note that the file is hand transcribed, not cut and pasted. It does
compile and install, so typographic errors are mine.

###

module postfix 0.0.1;
require {
type kernel_t;
type postfix_bounce_t;
type postfix_master_t;
type postfix_smtp_t;
}

# Let the three Postfix domains ask the kernel to load a module.
allow postfix_bounce_t kernel_t:system module_request;
allow postfix_master_t kernel_t:system module_request;
allow postfix_smtp_t kernel_t:system module_request;

###

Thanks!

Leam
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Simon Sekidde
2018-03-30 21:18:21 UTC
Leam,

----- Original Message -----
Sent: Friday, March 30, 2018 1:08:26 PM
Subject: Newbie asking about first policy file
Good morning!
I'm trying to learn SELinux and reduce the number of alerts that refer
to normal processes. Postfix is one of the biggies, here's what I've
gotten so far. I'd appreciate critique.
This rule should already exist in the current policy to suppress the alerts

dontaudit postfix_domain kernel_t : system module_request ;
Note that the file is hand transcribed, not cut and pasted. It does
compile and install, so typographic errors are mine.
###
module postfix 0.0.1;
require {
type kernel_t;
type postfix_bounce_t;
type postfix_master_t;
type postfix_smtp_t;
}
allow postfix_bounce_t kernel_t:system module_request;
allow postfix_master_t kernel_t:system module_request;
allow postfix_smtp_t kernel_t:system module_request;
###
If you are not using IPv6 then make Postfix use IPv4 only by setting the line 'inet_protocols' to ipv4 in /etc/postfix/main.cf

# Enable IPv4, and IPv6 if supported
inet_protocols = all
Thanks!
Leam
--
Simon Sekidde
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E

Leam Hall
2018-03-30 22:52:02 UTC
Simon, thanks! I'll test that Monday when I'm back at work. I have to
weed through a few thousand alerts as I learn. :)

Leam
Post by Simon Sekidde
Leam,
----- Original Message -----
Sent: Friday, March 30, 2018 1:08:26 PM
Subject: Newbie asking about first policy file
Good morning!
I'm trying to learn SELinux and reduce the number of alerts that refer
to normal processes. Postfix is one of the biggies, here's what I've
gotten so far. I'd appreciate critique.
This rule should already exist in the current policy to suppress the alerts
dontaudit postfix_domain kernel_t : system module_request ;
Note that the file is hand transcribed, not cut and pasted. It does
compile and install, so typographic errors are mine.
###
module postfix 0.0.1;
require {
type kernel_t;
type postfix_bounce_t;
type postfix_master_t;
type postfix_smtp_t;
}
allow postfix_bounce_t kernel_t:system module_request;
allow postfix_master_t kernel_t:system module_request;
allow postfix_smtp_t kernel_t:system module_request;
###
If you are not using IPv6 then make Postfix use IPv4 only by setting the line 'inet_protocols' to ipv4 in /etc/postfix/main.cf
# Enable IPv4, and IPv6 if supported
inet_protocols = all
Thanks!
Leam
leam hall
2018-04-02 17:20:54 UTC
Post by Simon Sekidde
Leam,
This rule should already exist in the current policy to suppress the alerts
dontaudit postfix_domain kernel_t : system module_request ;
Didn't see it. Stock and patched RHEL 6.
Post by Simon Sekidde
If you are not using IPv6 then make Postfix use IPv4 only by setting the line 'inet_protocols' to ipv4 in /etc/postfix/main.cf
# Enable IPv4, and IPv6 if supported
inet_protocols = all
Made this change, thanks! Will see if it prevents alerts.

Leam
Lukas Vrabec
2018-04-04 10:19:48 UTC
Post by leam hall
Post by Simon Sekidde
Leam,
This rule should already exist in the current policy to suppress the alerts
dontaudit postfix_domain kernel_t : system module_request ;
Didn't see it. Stock and patched RHEL 6.
This could be a kernel bug. We had a discussion about it:
https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#commitcomment-27837961

But if you're running RHEL6, the bug shouldn't be there.
If you're still seeing these AVCs, please dontaudit it as mentioned
in the email from Simon.

Lukas.
Post by leam hall
Post by Simon Sekidde
If you are not using IPv6 then make Postfix use IPv4 only by setting the line 'inet_protocols' to ipv4 in /etc/postfix/main.cf
# Enable IPv4, and IPv6 if supported
inet_protocols = all
Made this change, thanks! Will see if it prevents alerts.
Leam
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
leam hall
2018-04-04 11:55:43 UTC
Post by Lukas Vrabec
Post by leam hall
Post by Simon Sekidde
Leam,
This rule should already exist in the current policy to suppress the alerts
dontaudit postfix_domain kernel_t : system module_request ;
Didn't see it. Stock and patched RHEL 6.
https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#commitcomment-27837961
But if you're running RHEL6, the bug shouldn't be there.
If you're still seeing these AVCs, please dontaudit it as mentioned
in the email from Simon.
Lukas.
Not sure we want to hide the denial. Doesn't that mean SELinux is
preventing Postfix from doing something it thinks it should do?
Wouldn't allowing it be better, assuming Postfix is supposed to do
whatever?

Or do I not understand?

Leam
Lukas Vrabec
2018-04-08 21:38:18 UTC
Post by leam hall
Post by Lukas Vrabec
Post by leam hall
Post by Simon Sekidde
Leam,
This rule should already exist in the current policy to suppress the alerts
dontaudit postfix_domain kernel_t : system module_request ;
Didn't see it. Stock and patched RHEL 6.
https://github.com/fedora-selinux/selinux-policy/commit/2c13be1fb543c51935785e7a43b798a9f35f5aa0#commitcomment-27837961
But if you're running RHEL6, the bug shouldn't be there.
If you're still seeing these AVCs, please dontaudit it as mentioned
in the email from Simon.
Lukas.
Not sure we want to hide the denial. Doesn't that mean SELinux is
preventing Postfix from doing something it thinks it should do?
Wouldn't allowing it be better, assuming Postfix is supposed to do
whatever?
This SELinux denial is caused by a bug in the kernel; most probably postfix
doesn't really need to ask the kernel to add a new module. You have 2
options here:

First one, dontaudit it, which means that it won't be allowed and you
won't be spammed about this in the audit log.

Second one, don't dontaudit it and wait until it is (hopefully)
fixed in the kernel.

Lukas.
Post by leam hall
Or do I not understand?
Leam
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.

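The two options in Lukas's reply differ only in the rule keyword, which is easiest to see with a small generator. This is an added example by the editor, not code from anyone in the thread or from the selinux-policy project: it groups constructed AVC denial lines (not Leam's real alerts) by source type, target type and class, and emits a checkmodule-style module with either allow or dontaudit rules limited to the postfix_ domains; the module name and version are assumed to match Leam's file. On a real system audit2allow does this job from the audit log.

```python
import re
from collections import defaultdict

# Constructed AVC lines in the shape this thread is about (not the poster's real alerts):
# three Postfix domains asking kernel_t to load a module, plus one unrelated denial.
# kmod="net-pf-10" is the alias the kernel requests for an AF_INET6 socket, which is
# why Simon's inet_protocols = ipv4 setting removes the trigger.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1522429706.123:4412): avc:  denied  { module_request } for  pid=2231 comm="smtpd" kmod="net-pf-10" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1522429706.124:4413): avc:  denied  { module_request } for  pid=2230 comm="master" kmod="net-pf-10" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1522429706.125:4414): avc:  denied  { module_request } for  pid=2240 comm="bounce" kmod="net-pf-10" scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1522429706.126:4415): avc:  denied  { module_request } for  pid=2231 comm="smtpd" kmod="net-pf-10" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1522429707.001:4416): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)'
)

def parse_denials(text):
    """Group AVC denials as {(source_type, target_type, tclass): {permissions}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def build_module(rules, name, version, kind, source_prefix=None):
    """Emit a checkmodule-style .te with one 'allow' or 'dontaudit' rule per key.
    dontaudit: access stays denied, only the logging stops. allow: access is granted.
    source_prefix limits the module to one family of domains (e.g. 'postfix_')."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    chosen = {k: v for k, v in rules.items()
              if source_prefix is None or k[0].startswith(source_prefix)}
    types = sorted({t for s, tt, _ in chosen for t in (s, tt)})
    out = [f"module {name} {version};", "require {"]
    out += [f"\ttype {t};" for t in types]
    out.append("}")
    for (s, t, c), perms in sorted(chosen.items()):
        out.append(f"{kind} {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module(parse_denials(SAMPLE_AUDIT), "postfix", "0.0.1", "dontaudit", "postfix_"))
```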