testing, please ignore
by Dan Thurman
18 years, 2 months
Re: Spamassassin emails have wrong perms -- CC'ed to selinux list
by Justin Willmert
Justin Willmert wrote:
> I am hoping somebody can help me solve a problem I am having with
> procmail and spamassassin (specifically spamd). When spamassassin has
> marked a message as spam, it gets sorted to a Junk folder, but the
> problem is that it is owned by root:mail when it should be owned by
> the user. When this happens, dovecot will not serve the email to the
> user. I sort other emails into folders with simple matching rules and
> those work fine. Spamassassin is the only rule that is piped out to a
> program.
>
> Here is the relevant portion of my procmailrc file:
>
> DROPPRIV=yes # Make this run as a normal user. If you need
> # root privileges for something, do it before
> # this line.
> # Send mail through spamassassin
> :0fw
> | spamc -u $LOGNAME
>
> # Now that we've tagged the spam, put in the appropriate folder
> :0
> * ^X-Spam-Status: Yes
> .Junk/
>
> I've tried taking the -u $LOGNAME portion out too and that doesn't
> work. Following is a maillog sample.
>
> Jan 29 17:47:11 netserv sendmail[19847]: k0TNlAig019847: Milter add: header: X-Virus-Scanned: ClamAV 0.88/1257/Sun Jan 29 09:15:47 2006 on mydomain.com
> Jan 29 17:47:11 netserv sendmail[19847]: k0TNlAig019847: Milter add: header: X-Virus-Status: Clean
> Jan 29 17:47:11 netserv spamd[19654]: connection from mydomain.com [127.0.0.1] at port 57905
> Jan 29 17:47:11 netserv spamd[19654]: handle_user: unable to find user 'justin'!
> Jan 29 17:47:11 netserv spamd[19654]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody.
> Jan 29 17:47:11 netserv spamd[19654]: processing message <BAY107-F2792E57045186E9EED3A038A160(a)phx.gbl> for justin:99.
> Jan 29 17:47:11 netserv spamd[19654]: cannot write to /etc/mail/bayes/bayes_journal, Bayes db update ignored: Permission denied
> Jan 29 17:47:13 netserv spamd[19654]: clean message (1.7/5.0) for justin:99 in 1.5 seconds, 1076 bytes.
> Jan 29 17:47:13 netserv spamd[19654]: result: . 1 - BAYES_50,DNS_FROM_RFC_POST,MSGID_FROM_MTA_HEADER scantime=1.5,size=1076,mid=<BAY107-F2792E57045186E9EED3A038A160(a)phx.gbl>,bayes=0.499999999735837,autolearn=no
> Jan 29 17:47:13 netserv sendmail[19849]: k0TNlAig019847: to=<justin(a)mydomain.com>, delay=00:00:02, xdelay=00:00:02, mailer=local, pri=30995, dsn=2.0.0, stat=Sent
>
> As you can see, I've also got a problem with not being able to access
> the bayes_journal. I've put it in its own directory and made them
> owned by nobody:staff and still nothing. Anyway, here is my local.cf
> file:
>
> # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
> # (see spamassassin(1) for details)
>
> # How many hits before a message is considered spam. The lower the number, the
> # more sensitive it is.
> required_hits 5
>
> # Encapsulate spam in an attachment (0=No, 1=Yes in message/rfc822,
> # 2=Yes in text/plain)
> report_safe 0
>
> # Text to prepend to subject of spam
> rewrite_header Subject [SPAM]
>
> # Enable the Bayes System
> use_bayes 1
>
> # Enable Bayes auto-learning
> bayes_auto_learn 1
>
> # Mail using languages used in these country codes will not be marked as being
> # possibly spam in a foreign language.
> ok_languages en
>
> I'd be happy to send along any other information you need. Thanks for
> help in advance.
>
> Justin Willmert
>
I'm cc-ing this to the fedora-selinux-list. I think some of the problems
may be applicable there.
OK, after some more testing, when I disable SELinux, many of the errors
go away. First of all, I get rid of the error message saying user can
not be found and with it the 'still running as root' error. Second, it
is able to access the bayes_journal file (as long as normal unix
permissions are right, which I've figured out). So I guess the problem
is an SELinux issue which I can't solve. I'd attach some avc error
messages, but I can't seem to find any. I've looked in maillog, secure,
and messages, but nothing.
18 years, 2 months
Problems with snmpd following update.
by J. David Rye of Roadtech
Have run into a problem on a couple of servers that I have updated in
the last week or so.
snmpd does not start after a reboot, the following log extract is from
/var/log/messages on server f4.
Jan 31 17:26:54 f4 acpid: acpid startup succeeded
Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied { execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
Jan 31 17:26:54 f4 snmpd: /usr/sbin/snmpd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
Jan 31 17:26:54 f4 snmpd: snmpd startup failed
Running
execstack -q /usr/lib/libbeecrypt.so.6
gives
X /usr/lib/libbeecrypt.so.6
So the library is explicitly marked as requiring an executable stack.
Looking at the obvious rpms yields the following
kernel-2.6.12-1.1381_FC3 was kernel-2.6.11-1.14_FC3
net-snmp-5.2.1.2-FC3.1 unchanged
net-snmp-libs-5.2.1.2-FC3.1 unchanged
selinux-policy-targeted-1.17.30-3.19 was selinux-policy-targeted-1.17.30-2.96
libselinux-1.19.1-8 unchanged
beecrypt-3.1.0-6 unchanged
Any suggestions appreciated.
--
J. David Rye
http://www.roadrunner.uk.com
http://www.rha.org.uk
mailto://d.rye@roadtech.co.uk
18 years, 2 months
SElinux and firestarter
by Jonathan Underwood
Hi,
There appear to be issues with SElinux and the firestarter package
available from fedora-extras. I have attached the errors from
/var/log/messages upon boot to this email. I suspect it may be related
to either dhcpd or kernel module loading upon boot, but I'm rather
clueless about SElinux. If someone could give me some pointers on how
to proceed with debugging this it would be really appreciated. I have
reported the bug here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179248
This is with kernel 2.6.14-1.1656_FC4, libselinux-1.23.10-2,
selinux-policy-targeted-1.27.1-2.16.
I realize that I have probably not given enough information to debug
this, but I am not sure what else would be useful.
Many thanks,
Jonathan
18 years, 2 months
Re: Denied { search } mingetty and can't log in
by Emeric Maschino
Hi,
> Just to let you know that the above AVCs have been reported as bug
> #178747, #178748, #178789, #178750 and #178753. It seems they're all due
> to an ia64 specific issue (details in bug #178747). I don't know if my
> original problem in enforcing mode with mingetty is also concerned by
> this issue. Today's kernel should provide a workaround for the AVCs in
> permissive mode. I'll test it and let you know the result.
With kernel 2.6.15-1.1878_FC5, execmod checks are disabled, so I'm no
longer getting the corresponding AVCs. Furthermore, I'm now able to start
in enforcing mode (the problem with mingetty was also solved). However,
from the audit.log file, I'm still getting denied read and search AVCs,
mainly due to irqbalance and hald:
type=AVC msg=audit(1138388575.636:9): avc: denied { read } for pid=1946 comm="irqbalance" name="mtab" dev=dm-0 ino=1899143 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1138388575.636:9): arch=c0000032 syscall=1028 success=no exit=13 a0=20000008002ae8d0 a1=0 a2=1b6 a3=558281 items=1 pid=1946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="irqbalance" exe="/usr/sbin/irqbalance"
type=AVC msg=audit(1138388575.636:10): avc: denied { read } for pid=1946 comm="irqbalance" name="fstab" dev=dm-0 ino=1901326 scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1138388575.636:10): arch=c0000032 syscall=1028 success=no exit=13 a0=20000008002ae938 a1=0 a2=1b6 a3=558281 items=1 pid=1946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="irqbalance" exe="/usr/sbin/irqbalance"
type=AVC msg=audit(1138385008.409:11): avc: denied { search } for pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1138385008.477:12): avc: denied { search } for pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1138385008.593:13): avc: denied { search } for pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1138385008.677:14): avc: denied { search } for pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1138385008.733:15): avc: denied { search } for pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=AVC msg=audit(1138385012.697:17): avc: denied { search } for pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
Cheers,
M
18 years, 2 months
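Added example, not part of any post in this archive: a small parser that groups AVC denials like the ones quoted in the messages above by command, source type, target type, class and permission, so repeated records collapse into one line per distinct denial. It accepts both the `audit.log` form and the syslog `kernel: audit(...)` form; the function names and the sample records (constructed, modeled on the ones in this thread) are assumptions of the example.

```python
import re
from collections import Counter

# Matches both the audit.log and the syslog form of an AVC denial.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or line-wrapped record
    rec["perms"] = m.group("perms").split()
    # The type is the third field of user:role:type[:level].
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Count denials per (comm, source type, target type, class, perm)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            counts[(rec.get("comm"), rec["source_type"],
                    rec["target_type"], rec["tclass"], perm)] += 1
    return counts

# Constructed sample input, modeled on the records quoted in this thread.
HALD = ('type=AVC msg=audit(1138385008.%d:%d): avc: denied { search } for '
        'pid=2383 comm="hald" name="boot" dev=dm-0 ino=13618177 '
        'scontext=system_u:system_r:hald_t:s0 '
        'tcontext=system_u:object_r:boot_t:s0 tclass=dir')
SAMPLE = [
    HALD % (409, 11), HALD % (477, 12),
    'type=SYSCALL msg=audit(1138388575.636:9): arch=c0000032 success=no',
    'Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied '
    '{ execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t '
    'tcontext=user_u:system_r:snmpd_t tclass=process',
    'type=AVC msg=audit(1138388575.636:10): avc: denied { read } for pid=1946',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Records that were wrapped by a mail client have to be rejoined onto one line first; a record cut off before its `scontext`/`tcontext`/`tclass` fields is skipped rather than counted.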
Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16
by G Jahchan
I have been desperately trying to get selinux strict policy to work on my
laptop to no avail. I have been using a strict policy in enforcing mode for a
long time, but since I upgraded to the kernel / selinux versions listed below,
when in enforcing mode, the policy causes authentication to fail from the
console (my default runlevel is 3).
Even though I have the following statements in my custom.te under
/etc/selinux/strict/src/policy/domains/misc/
allow kernel_t sysadm_t:process transition;
allow kernel_t sysadm_tty_device_t:chr_file { relabelfrom relabelto };
allow sysadm_t sysadm_t:process transition;
I keep getting corresponding 'avc: denied' events in the audit log.
Kernel auditing is enabled at boot time (audit=1 kernel switch) and the audit
daemon is set to run at boot time.
I am using:
kernel-2.6.14-1.1653_FC4
selinux-policy-strict-sources-1.27.1-2.16
How can I go about fixing this issue?
18 years, 2 months
user mapping
by Thorsten Scherf
general question: I have a Unix user called "foo" which I would like to
map to the SELinux User Identity "bar_u". In which file must I define
this mapping, so that every time the user "foo" logs in, the context is
set to "bar_u:[user_r_user_t]"?!
Thanks,
Thorsten
18 years, 2 months