[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 8 months
Policy for CouchDB
by Michael Milverton
Hi,
I'm in the process of writing a policy for couchdb (nosql database). I'm
using the selinux-polgengui and eclipse slide tools to help. I've hit a road
block because it won't start but I'm not getting any more AVC's. I'm
wondering if anybody might be able to offer some clue about getting more
AVC's from it because if it won't talk to me I can't get much further.
The only entries in audit.log are:
type=CRED_ACQ msg=audit(1309362790.614:1343): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1309362790.619:1344): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_open acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=USER_END msg=audit(1309362790.640:1345): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:session_close acct="couchdb" exe="/sbin/runuser" hostname=?
addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1309362790.641:1346): user pid=11935 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0
msg='op=PAM:setcred acct="couchdb" exe="/sbin/runuser" hostname=? addr=?
terminal=? res=success'
type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=':
comm="couchdb" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=?
addr=? terminal=? res=failed'
Now, it will start fine (and run) when it is unlabeled (not what I want of
course). Couchdb runs under the username/group couchdb but I haven't added
any transition rules for this yet (any help on this would be appreciated).
FC FILE:
/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0)
/usr/bin/couchjs -- gen_context(system_u:object_r:couchdb_exec_t,s0)
TE FILE:
policy_module(couchdb, 1.0.0)

# Declarations

type couchdb_t;
type couchdb_exec_t;
# Declares couchdb_t as a domain with couchdb_exec_t as its entrypoint and
# adds the init_t/initrc_t -> couchdb_t transitions, so no separate
# transition rules are needed. The runuser/PAM records in the audit log
# above are emitted while still in initrc_t, before that transition.
init_daemon_domain(couchdb_t, couchdb_exec_t)

# Development aid: keep the domain permissive. Denials covered by dontaudit
# rules still stay silent even then; `semodule -DB` rebuilds the policy
# with those rules disabled and `semodule -B` restores them.
permissive couchdb_t;

type couchdb_log_t;
logging_log_file(couchdb_log_t)

type couchdb_tmp_t;
files_tmp_file(couchdb_tmp_t)

# Local policy

allow couchdb_t self:fifo_file rw_fifo_file_perms;

# Logging. logging_log_file() marks a file type as a log type and does not
# take a domain, so the daemon needs its own log type plus manage rules and
# a transition for files it creates under /var/log.
manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
logging_send_syslog_msg(couchdb_t)

# Temp files
manage_dirs_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
manage_files_pattern(couchdb_t, couchdb_tmp_t, couchdb_tmp_t)
files_tmp_filetrans(couchdb_t, couchdb_tmp_t, { dir file })

# /proc, filesystem getattr and the helpers under /bin (basename etc.),
# expressed through the kernel/fs/corecmd interfaces instead of raw rules on
# proc_t, fs_t and bin_t, which then no longer need a require block.
kernel_read_system_state(couchdb_t)
fs_getattr_xattr_fs(couchdb_t)
corecmd_exec_bin(couchdb_t)
# If the couchdb launcher is a shell script (it is in CouchDB 1.x) the
# domain must also be able to run the interpreter.
corecmd_exec_shell(couchdb_t)

files_read_etc_files(couchdb_t)
miscfiles_read_localization(couchdb_t)
dev_read_urand(couchdb_t)

# Shared libraries (granted to every domain on current policies; harmless
# on older ones).
libs_use_ld_so(couchdb_t)
libs_use_shared_libs(couchdb_t)

# File descriptors inherited from init/initrc; standard for daemons.
domain_use_interactive_fds(couchdb_t)

# Password checking: the PAM records above come from runuser in initrc_t,
# not from couchdb itself, so this stays out until a denial shows a need.
#auth_domtrans_chk_passwd(couchdb_t)
Any clues, tips, advice would be most appreciated
Thanks
12 years
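The one record above that reports the failure is the SERVICE_START line, and its exe field is bare hex, which is how auditd writes any value containing a space or a quote. The script below is an added example (not from the post) that decodes such fields and pulls named fields out of a record, including the nested user-space msg='...' part; the sample record is the post's own line, re-joined onto one line. Run on it, exe decodes to "/bin/systemd (deleted)" with res=failed: the failed start was recorded by pid 1 itself, and nothing in it points at couchdb_t.

```sh
#!/bin/sh
# Decode the hex-encoded fields in audit records such as the SERVICE_START
# line above. auditd writes a field as bare hex (no quotes) whenever the
# value contains a space, a quote or a non-printable byte; "ausearch -i"
# does the same decoding, this shows what it does.

# The record from the post, re-joined onto one line (constructed sample).
SERVICE_START="type=SERVICE_START msg=audit(1309362790.676:1347): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm=\"couchdb\" exe=2F62696E2F73797374656D64202864656C6574656429 hostname=? addr=? terminal=? res=failed'"

# audit_hex_decode HEX: print the bytes behind an even-length, upper-case hex
# string. Pure POSIX sh: each byte becomes an octal escape for printf.
audit_hex_decode() {
    hex=$1
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}                    # drop them
        printf "\\$(printf '%03o' "0x$byte")"
    done
    printf '\n'
}

# audit_field NAME RECORD: print the value of field NAME as written (quotes
# kept, hex not decoded). The nested user-space part (msg='...') uses the
# same key=value form, so its fields are found too; the last occurrence wins.
audit_field() {
    printf ' %s\n' "$2" | sed -n "s/.*[[:space:]:']$1=\([^[:space:]']*\).*/\1/p"
}

# audit_field_decoded NAME RECORD: the same, decoded the way ausearch -i does:
# a quoted value is plain text, a bare hex value of a string-typed field is
# decoded, everything else (numbers, contexts, '?') is returned unchanged.
audit_field_decoded() {
    tok=$(audit_field "$1" "$2")
    case $tok in
        \"*\")                                  # quoted: plain text
            tok=${tok#\"}; printf '%s\n' "${tok%\"}"; return ;;
    esac
    case " $1 " in                              # fields auditd may hex-encode
        *" exe "*|*" comm "*|*" proctitle "*|*" name "*|*" path "*|*" cwd "*|*" acct "*|*" key "*|*" cmd "*|*" hostname "*|*" terminal "*) ;;
        *) printf '%s\n' "$tok"; return ;;      # numeric or structured: never hex
    esac
    case $tok in
        ""|*[!0-9A-F]*) printf '%s\n' "$tok" ;;  # not hex after all ('?', a bare path)
        *) if [ $(( ${#tok} % 2 )) -eq 0 ]; then audit_hex_decode "$tok"; else printf '%s\n' "$tok"; fi ;;
    esac
}

printf 'comm = %s\n' "$(audit_field_decoded comm "$SERVICE_START")"
printf 'exe  = %s\n' "$(audit_field_decoded exe "$SERVICE_START")"
printf 'res  = %s\n' "$(audit_field_decoded res "$SERVICE_START")"
```

The absence of AVC records in a log like this one does not mean there were no denials: the base policy carries many dontaudit rules, and a confined daemon that dies silently is the classic symptom. `semodule -DB` rebuilds the policy with those rules disabled so the denials appear; `semodule -B` puts them back afterwards.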
making a file context change work for initrc_t and unconfined_t
by Maria Iano
I have a RHEL 6.2 server running LikewiseOpen. It appears to me that I
will take care of a large number of denials if I can change the type
of /var/lib/likewise/.lsassd to be lsassd_var_socket_t.
I added the file context rule with semanage, and used restorecon to
change it to lsassd_var_socket_t as desired. But later I found that
/var/lib/likewise/.lsassd had type var_lib_t again. I assume that is
because the likewise processes run as initrc_t.
I'd like to change the policy and tell it that services running in
either initrc_t or unconfined_t domains should create the file
/var/lib/likewise/.lsassd with type lsassd_var_socket_t. (A command line
tool lwsm for managing the processes runs in unconfined_t so I'd like
to include that domain to be safe. ) How can I go about doing that in
RHEL 6 (or can I)?
Thanks,
Maria
12 years, 1 month
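What the question above asks for is a name-based type transition: a rule that says "when this domain creates an object with this name in a directory of this type, give it that type". The script below is an added example, not part of the likewise policy or of the post; it writes such a module, builds it with the selinux-policy-devel Makefile and loads it. Two things it assumes that the post does not state: that the parent directory /var/lib/likewise is var_lib_t (the file kept coming back as var_lib_t, which is what inheriting the directory's type looks like), and that .lsassd is a socket file, as its type name suggests.

```sh
#!/bin/sh
# Local module: let initrc_t and unconfined_t create /var/lib/likewise/.lsassd
# as lsassd_var_socket_t instead of inheriting var_lib_t from the directory.
# Added example; assumptions: parent directory is var_lib_t, object is a
# sock_file. Module name and work directory are arbitrary.

MODULE=lsassd_sockfix
WORK=${WORK:-$(mktemp -d)}

write_te() {
cat <<'EOF'
policy_module(lsassd_sockfix, 1.0)

require {
	type initrc_t;
	type unconfined_t;
	type var_lib_t;
	type lsassd_var_socket_t;
}

# Name-based type transition: a sock_file called ".lsassd" created in a
# var_lib_t directory by either domain gets lsassd_var_socket_t.
filetrans_pattern(initrc_t, var_lib_t, lsassd_var_socket_t, sock_file, ".lsassd")
filetrans_pattern(unconfined_t, var_lib_t, lsassd_var_socket_t, sock_file, ".lsassd")

# initrc_t must also be allowed to create and use the socket under its new
# type (unconfined_t already may).
manage_sock_files_pattern(initrc_t, var_lib_t, lsassd_var_socket_t)
EOF
}

# Name-based transitions need policy version 25 or later; an older kernel
# refuses the module at load time, so check before building.
check_support() {
    v=$(cat /selinux/policyvers 2>/dev/null || cat /sys/fs/selinux/policyvers 2>/dev/null)
    [ -n "$v" ] && [ "$v" -ge 25 ]
}

build_and_load() {
    write_te > "$WORK/$MODULE.te"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed; wrote $WORK/$MODULE.te only" >&2
        return 1
    fi
    (cd "$WORK" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp") || return 1
    semodule -i "$WORK/$MODULE.pp" || return 1
    # The rule only affects objects created from now on; fix the existing one once.
    restorecon -v /var/lib/likewise/.lsassd
}

if check_support; then
    build_and_load
else
    echo "no SELinux with name-based transitions here; the module source is:" >&2
    write_te
fi
```

Before loading this it is worth checking why the daemons run as initrc_t at all: the policy that defines lsassd_var_socket_t also defines a domain for lsassd, and a daemon that stays in initrc_t usually has a mislabelled executable (compare `ls -Z` with `matchpathcon` on the binary). Fixing that label makes the transition rule above unnecessary, because the daemon's own domain already has it.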
SELinux for LXC Container
by Shweta Shinde
Hi everyone,
I am interested in the security aspects of LXC.
How can we use SELinux to secure LXC containers?
Any information will be very helpful.
--
Regards,
Shweta
12 years, 1 month
Suggestion on autorelabel
by mark
Y'know, folks, fsck -c gives you a clue that not only is it running, but a
vague feel for how much longer it'll be. .autorelabel, esp with several
2TB drives in a system, gives screens and screens and screens of
asterisks, with no clue if it'll *ever* finish (which matters, when I'm
going to be leaving soon, and it needs to be up for an overnight
backup....)
mark
12 years, 1 month
Domain transition not working
by Nabeel Moidu
Hi
I've got an executable file script.sh labeled xyz_exec_t. I've also defined
a domain xyz_t and added daemon_domain(xyz_t, xyz_exec_t) in the .te file.
When compiled and inserted, the file context labels seem to be enforced
correctly. Normally the executable script.sh is invoked by the init
scripts. As per the domain transition rule, I expect it to show up with xyz_t as
its domain in ps -efZ. But the transition does not work as expected. The
process runs as an unconfined domain.
But when I add runcon in the line where the init script invokes the
executable with the domain as xyz_t, the process runs in the proper context.
Once I remove the runcon and invoke the init script, the domain transition
I applied in the custom module does not work out.
Any suggestions ?
NB: The system is on permissive mode and this particular domain xyz_t has
also been defined as a permissive domain.
Nabeel
12 years, 1 month
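A transition that works with runcon but not on its own means the entrypoint and the domain are fine and something about the caller or the file label is not. The checks below are an added example (not from the post) for narrowing that down on the host; the type names are the ones from the post, the script path is a placeholder, and setools (sesearch) plus policycoreutils are assumed to be installed.

```sh
#!/bin/sh
# Three checks for a domain transition that does not happen: an init-started
# script labelled xyz_exec_t that should run in xyz_t but shows up unconfined.
# Added example; SCRIPT_PATH is a placeholder, override it in the environment.
SCRIPT_PATH=${SCRIPT_PATH:-/usr/local/bin/script.sh}
TARGET_DOMAIN=${TARGET_DOMAIN:-xyz_t}
ENTRY_TYPE=${ENTRY_TYPE:-xyz_exec_t}

# type part of a user:role:type[:range] context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 1. The file itself must carry the entrypoint type, not only the rule in
#    file_contexts: a script copied into place after the module was loaded,
#    or living on a path the fc rule does not match, keeps the wrong label.
check_label() {
    have=$(ctx_type "$(stat -c %C "$SCRIPT_PATH")")
    want=$(ctx_type "$(matchpathcon -n "$SCRIPT_PATH")")
    printf 'on disk: %s  file_contexts: %s  wanted: %s\n' "$have" "$want" "$ENTRY_TYPE"
    [ "$have" = "$ENTRY_TYPE" ]
}

# 2. A transition needs the entrypoint rule plus a type_transition from the
#    domain that actually execs the script. unconfined_t is included because
#    that is where the process ended up: an init script started from a shell
#    without passing through initrc_t is called from unconfined_t, and the
#    daemon interfaces only add transitions from init_t and initrc_t.
check_rules() {
    printf 'entrypoint for %s:\n' "$TARGET_DOMAIN"
    sesearch -A -s "$TARGET_DOMAIN" -t "$ENTRY_TYPE" -c file -p entrypoint
    for src in init_t initrc_t unconfined_t; do
        printf 'type_transition from %s on %s:\n' "$src" "$ENTRY_TYPE"
        sesearch -T -s "$src" -t "$ENTRY_TYPE" -c process
    done
}

# 3. The domain of the running instance and of its parent: the parent's
#    domain is the one the transition rules above must start from.
check_process() {
    ps -eo pid,ppid,label,args | grep -F -- "$SCRIPT_PATH" | grep -v grep
}

if command -v sesearch >/dev/null 2>&1 && [ -e "$SCRIPT_PATH" ]; then
    check_label
    check_rules
    check_process
else
    echo "run on the SELinux host with setools installed and SCRIPT_PATH set" >&2
fi
```

The third check is the one that usually settles it: if the parent is unconfined_t, the script was not started through initrc_t (for example the init script itself is not labelled initrc_exec_t, or it was run directly as ./script.sh), and no rule from init_daemon_domain() applies to that caller.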
Issue with updating denyhosts to use systemd
by Jason L Tibbitts III
So I'm trying to get denyhosts updated to use systemd to keep it from
being kicked out of the distribution, and I'm running into an odd
problem that at the end comes down to selinux.
denyhosts wants the hostname in the environment when it starts up.
(This lets it add the hostname to the subject of messages it sends.)
The initscript used to do this but of course not with systemd so I need
another method. Using /etc/sysconfig/network as an EnvironmentFile
seems a terrible, horrible hack so I just fixed denyhosts to do it
internally by calling platform.node() (Python, if it's not obvious)
at the appropriate place. Unfortunately selinux disallows this. I
guess the policy needs to be opened a bit but I'm not sure how to do
this properly or without compromising security.
- J<
Jan 31 13:58:16 ld93 denyhosts.py[1785]: Traceback (most recent call last):
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/bin/denyhosts.py", line 113, in <module>
Jan 31 13:58:16 ld93 denyhosts.py[1785]: os.environ['HOSTNAME'] = platform.node()
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1292, in node
Jan 31 13:58:16 ld93 denyhosts.py[1785]: return uname()[1]
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1249, in uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: processor = _syscmd_uname('-p','')
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1005, in _syscmd_uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: output = string.strip(f.read())
Jan 31 13:58:16 ld93 denyhosts.py[1785]: IOError: [Errno 13] Permission denied
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18367): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=ffffc000 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18368): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=1 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18368): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 a0=398ed70c1e a1=7fff61067b60 a2=7fff6106a6b0 a3=7f5312d0d9d0 items=0 ppid=1785 pid=1786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18370): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069b40 a2=7fff61069b40 a3=2025 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18370): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18371): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7f5312d36000 a2=2000 a3=22 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
12 years, 1 month
SLIDE for RHEL6 and Derivatives
by David Quigley
<resent as I sent it from the wrong mailing address>
I am preparing resources for a talk and I'm trying to build a CentOS 6.2
VM with all the SELinux tools installed on it. Most of them are easy as
they are in the yum repo but I can't seem to find any RPMs for SLIDE.
The tresys yum repo relies on things that aren't in RHEL6 or EPEL6 and
only seem to be for RHEL 5 at the moment. Has anyone gotten SLIDE
installed on RHEL6? Is Tresys working on releasing RHEL 6 rpms for SLIDE?
Dave
12 years, 1 month
Fedora 16 AVC at boot time
by David Highley
Must be an order issue at boot time. We did a reboot today after a
kernel update and saw the following even though we have,
selinux-policy-3.10.0-72.fc16.noarch:
getsebool allow_ypbind
allow_ypbind --> on
----
time->Tue Jan 24 06:17:02 2012
type=SYSCALL msg=audit(1327414622.867:2517): arch=c000003e syscall=59 success=yes exit=0 a0=9669f0 a1=cc8170 a2=7fff1bf396c8 a3=1f items=0 ppid=5248 pid=5253 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=293 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327414622.867:2517): avc: denied { transition } for pid=5253 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.410:38): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1359 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.410:38): avc: denied { search } for pid=1359 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.410:39): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1360 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.410:39): avc: denied { search } for pid=1360 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.411:40): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1361 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.411:40): avc: denied { search } for pid=1361 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.411:41): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1362 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.411:41): avc: denied { search } for pid=1362 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.414:42): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1365 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.414:42): avc: denied { search } for pid=1365 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.414:43): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1364 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.414:43): avc: denied { search } for pid=1364 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.415:44): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1366 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.415:44): avc: denied { search } for pid=1366 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.416:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0fc10e50 a1=0 a2=7fff0fc10e79 a3=68 items=0 ppid=1180 pid=1363 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1327415018.416:45): avc: denied { search } for pid=1363 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:46): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367 pid=1369 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327415018.418:46): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:47): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff07112f60 a2=10 a3=98 items=0 ppid=1367 pid=1369 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327415018.418:47): avc: denied { name_bind } for pid=1369 comm="dbus-daemon-lau" src=697 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Tue Jan 24 06:23:38 2012
type=SYSCALL msg=audit(1327415018.418:48): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff071131f0 a2=10 a3=98 items=0 ppid=1367 pid=1369 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327415018.418:48): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
12 years, 1 month
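Both the denyhosts log above and this boot-time log are long runs of near-identical AVC records, and the question in each case is how many distinct denials are really there. The script below is an added example (not from either post) that collapses records into one proposed rule per source type, target type and class with a hit count, roughly what audit2allow prints but keeping the counts; its input is a constructed sample built from lines of the two posts, one record per line as ausearch prints them. It assumes that layout and that no quoted path contains whitespace.

```sh
#!/bin/sh
# Summarise AVC records: one line per (source type, target type, class) with
# the union of denied permissions and the number of records that hit it.
# Added example; the sample records are copied from the two posts above.

sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=AVC msg=audit(1328039896.475:18368): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=AVC msg=audit(1327414622.867:2517): avc: denied { transition } for pid=5253 comm="rpm" path="/bin/bash" dev=dm-1 ino=393240 scontext=unconfined_u:system_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1327415018.410:38): avc: denied { search } for pid=1359 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.410:39): avc: denied { search } for pid=1360 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.411:40): avc: denied { search } for pid=1361 comm="/usr/sbin/httpd" name="yp" dev=dm-1 ino=1313161 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1327415018.418:46): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327415018.418:47): avc: denied { name_bind } for pid=1369 comm="dbus-daemon-lau" src=697 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327415018.418:48): avc: denied { name_connect } for pid=1369 comm="dbus-daemon-lau" dest=111 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
EOF
}

# avc_summary: records on stdin, "count  allow src tgt:class { perms };" on
# stdout, most frequent first. src==tgt is printed as self, like audit2allow.
avc_summary() {
    awk '
    /^type=AVC / {
        src = tgt = cls = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms = perms " " $i; continue }
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src SUBSEP tgt SUBSEP cls
        count[key]++
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) seen[key, p[j]] = 1
    }
    END {
        for (key in count) {
            split(key, k, SUBSEP)
            plist = ""
            for (s in seen) {
                split(s, f, SUBSEP)
                if (f[1] == k[1] && f[2] == k[2] && f[3] == k[3]) plist = plist " " f[4]
            }
            tgt = (k[2] == k[1]) ? "self" : k[2]
            printf "%6d  allow %s %s:%s {%s };\n", count[key], k[1], tgt, k[3], plist
        }
    }' | sort -rn
}

sample_avcs | avc_summary
```

Read the counts, not just the rules. For denyhosts the whole log reduces to one execute on shell_exec_t plus getattr/read on its own pipe: Python 2.7's platform.uname() runs `uname -p` through os.popen to fill the processor field, which is the popen path visible in the traceback. The narrower fix is in the application rather than the policy: socket.gethostname() or os.uname()[1] return the node name through a system call and need no shell. For the boot log, the eight httpd_t records are one rule, and with allow_ypbind already on, a denial on var_yp_t at that point says the boolean had not yet been applied when httpd started, not that the policy lacks the rule.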
Fedora 16 and procmail
by David Highley
module myprocmail 1.0;

require {
	type quota_db_t;
	type etc_aliases_t;
	type procmail_t;
	type admin_home_t;
	type spamc_t;
	type shadow_t;
	class file { getattr read open append lock };
	class dir { getattr read open write };
	class capability { dac_read_search dac_override };
}

#============= procmail_t ==============
allow procmail_t etc_aliases_t:file { getattr read open };
allow procmail_t quota_db_t:file { getattr append open lock };
# admin_home_t is the type of /root. A write there from the delivery agent
# means mail is landing in root's home rather than in a user home directory
# type; worth checking before allowing it.
allow procmail_t admin_home_t:dir write;
allow procmail_t admin_home_t:file open;

#============= spamc_t ==============
# Generated from denials by audit2allow. The dac_* capabilities let the spam
# client bypass Unix permission checks, and shadow_t read lets it read
# /etc/shadow; neither is something spamc needs. Such denials are normally
# handled with dontaudit rules, or by fixing the ownership or label that
# triggered them, not with allow rules.
allow spamc_t self:capability { dac_read_search dac_override };
allow spamc_t shadow_t:file read;
Then every time we do a restorecon -vR for a home directory we get the
following and if you repeat the command you will get the same output.
We did do, semanage fcontext -a -e /home /export/home, so selinux knows
that this is a home directory structure for NFS automounting.
restorecon -vR /export/home/chighley
restorecon reset /export/home/chighley/.pyzor context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.pyzor/servers context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.razor context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/identity context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/razor-agent.log context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c101.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c102.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c103.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c104.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c105.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c118.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c121.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c122.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c123.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c301.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c302.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c303.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c304.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c305.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.folly.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.joy.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n001.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n002.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n003.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n004.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.discovery.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.nomination.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.nomination.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
12 years, 1 month