Problem with sendmail and spamassassin


Post by shaman » Wed Jun 02, 2004 7:32 am

Hi all!

I have a problem with sendmail and spamassassin. After learning, my ACL is:

/usr/sbin/spamass-milter o {
/usr/lib/libssl.so.0.9.7 rx
/usr/lib/libcrypto.so.0.9.7 rx
/lib/libnss_compat-2.3.2.so rx
/lib/libnsl-2.3.2.so rx
/lib/libdl-2.3.2.so rx
/lib/libc-2.3.2.so rx
/lib/ld-2.3.2.so rx
/etc/passwd r
/etc/nsswitch.conf r
/etc/ld.so.cache r
/usr/bin/spamc xi
/usr/sbin/spamass-milter xi
/ h
-CAP_ALL
}
/opt/AVP/kavkeeper/kavkeeper o {
/var/runAvpCtl r
/usr/sbin/sendmail x
/tmp w
/opt/AVP/kavkeeper/kavkeeper x
/ r
/usr/share/zoneinfo r
/usr/lib r
/lib rx
/etc/grsec h
/etc r
/etc/mail r
/opt/AVP/etc/defUnix.node.bin rw
/opt/AVP/etc/defUnix.sl rw
/opt/AVP/etc/defUnix.atom.bin rw
/dev/null rw
/dev/log rw
/var/run r
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_NET_RAW
}
/usr/sbin/saslauthd o {
/usr/sbin/saslauthd x
/ h
+CAP_ALL
}
/usr/bin/spamd o {
/etc/mail rwa
/etc/shadow r
/usr/bin/spamd rx
/ h
+CAP_ALL
}
/usr/sbin/sendmail o {
/var/tmp
/var/spool
/var
/usr/lib/sasl2 rx
/usr/bin/procmail x
/usr/bin
/usr
/proc/stat r
/opt/AVP/kavkeeper
/opt/AVP
/opt
/dev/random r
/etc/mail rw
/etc/shadow r
/opt/AVP/kavkeeper/kavkeeper x
/var/spool/mail rw
/var/spool/mqueue rw
/var/spool/mqueue.kav rw
/var/spool/clientmqueue rw
/usr/share/zoneinfo r
/var/run rxw
/etc/mail/access.db rw
/lib rx
/usr/lib rx
/etc/grsec h
/etc r
/dev/null rw
/dev/log rw
/proc/loadavg r
/usr/bin/spamd xi
/usr/sbin/sendmail x
/ r
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_NET_RAW
}

But it doesn't work. In kern.log:

Jun 2 14:46:49 mail kernel: grsec: denied access to hidden file /etc/shadow by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: denied open of /etc/mail/spamassassin/bayes_journal for appending by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: denied open of /etc/mail/spamassassin/bayes.lock.mail.nutritek.ru.30133 for writing by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: denied open of /etc/mail/spamassassin/auto_whitelist.lock.mail.nutritek.ru.30133 for writing by (spamd:30133) UID(1150) EUID(1150), parent (spamd:26650) UID(1150) EUID(1150)

Jun 2 14:46:49 mail kernel: grsec: From 192.168.99.73: denied connect to the unix domain socket /var/run/AvpCtl by (kavkeeper:645) UID(0) EUID(0), parent (sendmail:21016) UID(0) EUID(0)

Help me, please.
P.S. Sorry for my English.
shaman
 
Posts: 7
Joined: Wed Jun 02, 2004 7:27 am

Post by sekko » Fri Jun 11, 2004 11:25 pm

The logs say:

grsec: denied open of xxxx for writing by (spamd:30133) UID(1150) EUID(1150)

So, be sure that the ACL applies to the user with UID 1150 and not to root only!

-- Claudio
sekko
 
Posts: 13
Joined: Mon Apr 05, 2004 5:52 am

Post by spender » Mon Jun 14, 2004 2:15 am

/dev/null rw
/dev/log rw
/proc/loadavg r
/usr/bin/spamd xi
/usr/sbin/sendmail x

Note the /usr/bin/spamd line. That's the problem. Grsecurity won't automatically fix any errors you manually throw into the configuration. The inherit flag means that when executing /usr/bin/spamd, it won't use the spamd subject that was learned.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA

Post by shaman » Mon Jun 14, 2004 4:57 pm

sekko wrote:
The logs say:

grsec: denied open of xxxx for writing by (spamd:30133) UID(1150) EUID(1150)

So, be sure that the ACL applies to the user with UID 1150 and not to root only!

-- Claudio

I read the manual but can't find anything about it. How can I do that?
shaman
 
Posts: 7
Joined: Wed Jun 02, 2004 7:27 am

Post by onyx » Mon Jun 14, 2004 5:16 pm

spender wrote:
/dev/null rw
/dev/log rw
/proc/loadavg r
/usr/bin/spamd xi
/usr/sbin/sendmail x

Note the /usr/bin/spamd line. That's the problem. Grsecurity won't automatically fix any errors you manually throw into the configuration. The inherit flag means that when executing /usr/bin/spamd, it won't use the spamd subject that was learned.

-Brad


Brad has already answered your question, but I think you didn't notice. Remove the i flag from /usr/bin/spamd (as spender said).
So instead of /usr/bin/spamd xi you'll have /usr/bin/spamd x

bye
onyx
 
Posts: 36
Joined: Tue Jan 20, 2004 7:46 pm

Post by shaman » Wed Jun 16, 2004 2:37 pm

OK, thank you. It works now.
shaman
 
Posts: 7
Joined: Wed Jun 02, 2004 7:27 am
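
A small policy check for the mistake identified in this thread, as an added example that is not part of the original posts: it flags objects marked xi whose path also has its own subject, because (as explained above) the inherit flag means the separately learned subject is not used. It assumes the flat, single-role layout of the policy posted here; the function names and the trimmed sample policy are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the policy posted in this thread.
SAMPLE_POLICY = """\
/usr/bin/spamd o {
/usr/bin/spamd rx
/ h
+CAP_ALL
}
/usr/sbin/sendmail o {
/var/spool
/usr/bin/procmail x
/usr/bin/spamd xi
/usr/sbin/sendmail x
-CAP_ALL
}
"""

# "<path> [subject modes] {" opens a subject block (flat, single-role layout assumed).
SUBJECT_RE = re.compile(r"^(/\S*)(?:\s+(\S+))?\s*\{$")

def parse_policy(text):
    """Return {subject_path: [(object_path, object_modes), ...]}."""
    subjects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current = subjects.setdefault(m.group(1), [])
        elif line == "}":
            current = None
        elif current is not None and line.startswith("/"):
            # Object line: a path, optionally followed by modes (+CAP/-CAP lines are skipped).
            path, *rest = line.split(None, 1)
            current.append((path, rest[0] if rest else ""))
    return subjects

def find_bypassed_subjects(subjects):
    """List (parent_subject, child_path) where 'xi' skips the child's own subject."""
    findings = []
    for parent, objects in subjects.items():
        for path, modes in objects:
            if path != parent and "x" in modes and "i" in modes and path in subjects:
                findings.append((parent, path))
    return findings

if __name__ == "__main__":
    for parent, child in find_bypassed_subjects(parse_policy(SAMPLE_POLICY)):
        print(f"{parent}: {child} runs with inherit (i); its own subject is not used")
```
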

