So just where is procmail_t allowed to write/create/rename etc?

Dominick Grift domg472 at gmail.com
Fri Mar 5 18:47:56 UTC 2010


On 03/05/2010 07:41 PM, Daniel B. Thurman wrote:

> Not sure what you mean by going into permissive mode.. you
> mean: setenforce=0?

setenforce 0

< reproduce issue >

paste avc denials here.

setenforce 1

>> We know it wants to write to the mqueue dir, question is: for what
>> purpose. Does it want to create something there and why?
>>    
> Beats me!  Not enough information to go on...
>>> =================================================
>>>
>>> Summary:
>>>
>>> SELinux is preventing /usr/bin/procmail "write" access on
>>> /var/spool/mqueue.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by procmail. It is not expected that
>>> this access
>>> is required by procmail and this access may signal an intrusion attempt.
>>> It is
>>> also possible that the specific version or configuration of the
>>> application is
>>> causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please
>>> file a bug
>>> report.
>>>
>>> Additional Information:
>>>
>>> Source Context                system_u:system_r:procmail_t:s0
>>> Target Context                system_u:object_r:mqueue_spool_t:s0
>>> Target Objects                /var/spool/mqueue [ dir ]
>>> Source                        procmail
>>> Source Path                   /usr/bin/procmail
>>> Port                          <Unknown>
>>> Host                          host.domain.com
>>> Source RPM Packages           procmail-3.22-25.fc12
>>> Target RPM Packages           sendmail-8.14.3-8.fc12
>>> Policy RPM                    selinux-policy-3.6.32-89.fc12
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     host.domain.com
>>> Platform                      Linux host.domain.com
>>> 2.6.31.12-174.2.22.fc12.i686
>>>                                 #1 SMP Fri Feb 19 19:26:06 UTC 2010
>>> i686 i686
>>> Alert Count                   9
>>> First Seen                    Tue 02 Mar 2010 03:12:16 AM PST
>>> Last Seen                     Tue 02 Mar 2010 05:13:03 AM PST
>>> Local ID                      5c68ab75-d7e0-4e2d-b380-857eb7e33c68
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=host.domain.com type=AVC msg=audit(1267535583.841:38780): avc:
>>> denied  { write } for  pid=12554 comm="procmail" name="mqueue" dev=sdb8
>>> ino=29627 scontext=system_u:system_r:procmail_t:s0
>>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>>>
>>> node=host.domain.com type=SYSCALL msg=audit(1267535583.841:38780):
>>> arch=40000003 syscall=5 success=no exit=-13 a0=92f6d68 a1=8441 a2=1b7
>>> a3=1b7 items=0 ppid=12553 pid=12554 auid=4294967295 uid=0 gid=12 euid=0
>>> suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
>>> comm="procmail" exe="/usr/bin/procmail"
>>> subj=system_u:system_r:procmail_t:s0 key=(null)
>>>      
> 
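The raw AVC and SYSCALL records quoted above share one audit event id (`1267535583.841:38780`), so they can be read as a pair. The following is an added example, not part of the original message, that correlates them and decodes the syscall arguments. It assumes i386 numbering (`arch=40000003`, where syscall 5 is `open`), and the names `correlate`, `summarize` and `decode_open_flags` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two raw audit records quoted in the message, unwrapped to one line each.
SAMPLE = """\
node=host.domain.com type=AVC msg=audit(1267535583.841:38780): avc:  denied  { write } for  pid=12554 comm="procmail" name="mqueue" dev=sdb8 ino=29627 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
node=host.domain.com type=SYSCALL msg=audit(1267535583.841:38780): arch=40000003 syscall=5 success=no exit=-13 a0=92f6d68 a1=8441 a2=1b7 a3=1b7 items=0 ppid=12553 pid=12554 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Linux open(2) flag values on x86 (octal, as in the kernel headers).
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC",
              0o2000: "O_APPEND", 0o100000: "O_LARGEFILE"}

def decode_open_flags(value):
    """Turn the numeric flags argument of open() into flag names."""
    names = [ACCMODE.get(value & 3, "?")]
    return names + [name for bit, name in OPEN_FLAGS.items() if value & bit]

def correlate(log):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(line[m.end():])}
        denied = DENIED.search(line)
        if denied:
            fields["perms"] = denied.group(1).split()
        events[event_id][rtype] = fields
    return events

def summarize(log):
    """One row per denial: source type, target type, class, perms, syscall detail."""
    rows = []
    for recs in correlate(log).values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue
        row = {"source": avc["scontext"].split(":")[2], "target": avc["tcontext"].split(":")[2],
               "tclass": avc["tclass"], "perms": avc["perms"], "exe": sc.get("exe")}
        # Assumption: i386 only. Audit prints a0..a3 in hex; a1 is flags, a2 is mode.
        if sc.get("arch") == "40000003" and sc.get("syscall") == "5":
            row["open_flags"] = decode_open_flags(int(sc["a1"], 16))
            row["open_mode"] = oct(int(sc["a2"], 16))
        rows.append(row)
    return rows
```

For the quoted event, `summarize(SAMPLE)` reports an `open()` with `O_WRONLY`, `O_CREAT` and `O_APPEND` set, which is what produced the `write` check on the `mqueue_spool_t` directory.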

