<snipped some content for space>
On Tue, 2006-05-30 at 20:05 +0100, Paul Howarth wrote:
> On Tue, 2006-05-30 at 13:41 -0500, Marc Schwartz (via MN) wrote:
> > On Tue, 2006-05-30 at 16:32 +0100, Paul Howarth wrote:
> > > If you run SELinux in permissive mode and post the AVCs that get logged
> > > when procmail is running, it should be possible to get this fixed.
> >
> > Paul,
> >
> > Thanks for the reply.
> >
> > I have re-booted with SELinux in Permissive Mode.
> >
> > However, while procmail is working still, I see no avc messages at all
> > in /var/log/messages that would seemingly be related here. There are
> > other avc's there, most of which appear to be related to the boot
> > process and the relabelling of files subsequent to having disabled
> > SELinux earlier.
> >
> > Is this something more subtle or is there someplace else that I should
> > be looking?
> Perhaps you have auditd running, and have AVCs logged
> to /var/log/audit/audit.log instead?
Yep. That's it.
Thanks to Tom also for pointing this out.
For reference, here is my ~/.procmailrc:
# Scan for viruses using ClamAV + clamassassin
:0 fw
| /usr/local/bin/clamassassin
# Scan with SpamAssassin (+ razor, pyzor and dcc)
:0 fw
| /usr/bin/spamc -s 256000
I'm not sure how much you might need/want, but here is a sampling. I
tried to catch what appear to be complete "cycles" in each case.
Here are some using grep 'procmail':
type=AVC_PATH msg=audit(1149015973.940:563): path="/home/marcs/.procmailrc"
type=PATH msg=audit(1149015973.940:563): item=0 name="/home/marcs/.procmailrc"
flags=1 inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015973.940:564): avc: denied { read } for pid=11095
comm="procmail" name=".procmailrc" dev=dm-0 ino=426353
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149015973.940:564): arch=40000003 syscall=5 success=yes exit=4
a0=9337d60 a1=8000 a2=0 a3=8000 items=1 pid=11095 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail"
exe="/usr/bin/procmail"
type=PATH msg=audit(1149015973.940:564): item=0 name="/home/marcs/.procmailrc"
flags=101 inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015973.956:565): avc: denied { execute } for pid=11101
comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0
tclass=file
type=AVC msg=audit(1149015973.956:565): avc: denied { execute_no_trans } for pid=11101
comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0
tclass=file
type=AVC msg=audit(1149015973.956:565): avc: denied { read } for pid=11101
comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0
tclass=file
type=AVC msg=audit(1149015973.960:566): avc: denied { search } for pid=11101
comm="clamscan" name="clamav" dev=hdc5 ino=30881
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0
tclass=dir
type=AVC msg=audit(1149015973.960:566): avc: denied { read } for pid=11101
comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403
scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0
tclass=file
type=AVC msg=audit(1149015973.960:567): avc: denied { getattr } for pid=11101
comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403
scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0
tclass=file
type=AVC msg=audit(1149015973.972:568): avc: denied { read } for pid=11105
comm="clamscan" name="clamav" dev=hdc5 ino=30881
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0
tclass=dir
type=AVC msg=audit(1149015973.972:569): avc: denied { getattr } for pid=11105
comm="clamscan" name="clamav" dev=hdc5 ino=30881
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0
tclass=dir
type=AVC msg=audit(1149015973.972:570): avc: denied { read } for pid=11105
comm="clamscan" name="main.cvd" dev=hdc5 ino=30890
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0
tclass=file
type=AVC msg=audit(1149015973.972:571): avc: denied { getattr } for pid=11105
comm="clamscan" name="main.cvd" dev=hdc5 ino=30890
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0
tclass=file
type=AVC msg=audit(1149015974.368:572): avc: denied { write } for pid=11105
comm="clamscan" name="main.ndb" dev=hdc6 ino=146248
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.368:573): avc: denied { read } for pid=11105
comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.532:574): avc: denied { create } for pid=11105
comm="clamscan" name="main.zmd"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.532:575): avc: denied { getattr } for pid=11105
comm="clamscan" name="main.zmd" dev=hdc6 ino=146249
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.532:576): avc: denied { unlink } for pid=11105
comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149015974.992:577): avc: denied { search } for pid=11105
comm="clamscan" name="/" dev=hdc6 ino=2
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:578): avc: denied { read } for pid=11105
comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:579): avc: denied { setattr } for pid=11105
comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:580): avc: denied { write } for pid=11105
comm="clamscan" name="/" dev=hdc6 ino=2
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:580): avc: denied { remove_name } for pid=11105
comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.444:580): avc: denied { rmdir } for pid=11105
comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.452:581): avc: denied { add_name } for pid=11105
comm="clamscan" name="clamav-c8c20a1e39aef1bc"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015975.452:581): avc: denied { create } for pid=11105
comm="clamscan" name="clamav-c8c20a1e39aef1bc"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Here are some using grep 'postfix':
type=SYSCALL msg=audit(1149014661.600:328): arch=40000003 syscall=196 success=no exit=-2
a0=9769930 a1=bf8a4b80 a2=580ff4 a3=3 items=1 pid=8367 auid=500 uid=0 gid=0 euid=500
suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="local"
exe="/usr/libexec/postfix/local"
type=CWD msg=audit(1149014661.600:328): cwd="/var/spool/postfix"
type=CWD msg=audit(1149014661.604:329): cwd="/var/spool/postfix"
type=CWD msg=audit(1149014661.604:330): cwd="/var/spool/postfix"
type=AVC msg=audit(1149014770.075:378): avc: denied { search } for pid=8646
comm="local" name="/" dev=dm-0 ino=2
scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
Some using grep 'pyzor'. Note that, curiously, neither 'razor' nor 'dcc' are
showing up:
type=AVC_PATH msg=audit(1149015851.011:541): path="/home/marcs/.pyzor"
type=PATH msg=audit(1149015851.011:541): item=0 name="/home/marcs/.pyzor"
flags=1 inode=427255 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015851.015:542): avc: denied { getattr } for pid=10802
comm="pyzor" name="servers" dev=dm-0 ino=427256
scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1149015851.015:542): arch=40000003 syscall=195 success=yes exit=0
a0=86c1fb0 a1=bf9b8da8 a2=4891eff4 a3=868e1b0 items=1 pid=10802 auid=4294967295 uid=500
gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor"
exe="/usr/bin/python"
type=AVC_PATH msg=audit(1149015851.015:542): path="/home/marcs/.pyzor/servers"
type=PATH msg=audit(1149015851.015:542): item=0
name="/home/marcs/.pyzor/servers" flags=1 inode=427256 dev=fd:00 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015851.015:543): avc: denied { search } for pid=10802
comm="pyzor" name="marcs" dev=dm-0 ino=425153
scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1149015851.015:543): avc: denied { read } for pid=10802
comm="pyzor" name="servers" dev=dm-0 ino=427256
scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1149015851.015:543): arch=40000003 syscall=5 success=yes exit=3
a0=87273d0 a1=8000 a2=1b6 a3=86e0b90 items=1 pid=10802 auid=4294967295 uid=500 gid=0
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor"
exe="/usr/bin/python"
type=PATH msg=audit(1149015851.015:543): item=0
name="/home/marcs/.pyzor/servers" flags=101 inode=427256 dev=fd:00 mode=0100664
ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149015851.027:544): avc: denied { search } for pid=10802
comm="pyzor" name="/" dev=hdc6 ino=2
scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015851.027:544): avc: denied { write } for pid=10802
comm="pyzor" name="/" dev=hdc6 ino=2
scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015851.027:544): avc: denied { add_name } for pid=10802
comm="pyzor" name="bBOXo3" scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149015851.027:544): avc: denied { create } for pid=10802
comm="pyzor" name="bBOXo3" scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=file
More with grep 'spamd':
type=AVC msg=audit(1149017045.372:768): avc: denied { search } for pid=1949
comm="spamd" name="/" dev=dm-0 ino=2
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1149017045.372:768): arch=40000003 syscall=195 success=yes exit=0
a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0
euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd"
exe="/usr/bin/perl"
type=PATH msg=audit(1149017045.372:768): item=0
name="/home/marcs/.spamassassin/user_prefs" flags=1 inode=1193881 dev=fd:00
mode=0100664 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017045.380:769): avc: denied { getattr } for pid=1949
comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017045.380:769): arch=40000003 syscall=195 success=yes exit=0
a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0
euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd"
exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1149017045.380:769):
path="/home/marcs/.spamassassin/bayes_toks"
type=PATH msg=audit(1149017045.380:769): item=0
name="/home/marcs/.spamassassin/bayes_toks" flags=1 inode=1193882 dev=fd:00
mode=0100600 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017045.380:770): avc: denied { read } for pid=1949
comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017045.380:770): arch=40000003 syscall=5 success=yes exit=8
a0=b1db3b8 a1=8000 a2=0 a3=8000 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500
suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd"
exe="/usr/bin/perl"
type=PATH msg=audit(1149017045.380:770): item=0
name="/home/marcs/.spamassassin/bayes_toks" flags=101 inode=1193882 dev=fd:00
mode=0100600 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017047.188:771): avc: denied { append } for pid=1949
comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017047.188:771): arch=40000003 syscall=5 success=yes exit=10
a0=b8211d8 a1=8441 a2=1b6 a3=8441 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500
suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd"
exe="/usr/bin/perl"
type=PATH msg=audit(1149017047.188:771): item=0
name="/home/marcs/.spamassassin/bayes_journal" flags=310 inode=1193874
dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017047.188:772): avc: denied { ioctl } for pid=1949
comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1149017047.188:772): arch=40000003 syscall=54 success=no exit=-25
a0=a a1=5401 a2=bf84f5d8 a3=bf84f618 items=0 pid=1949 auid=4294967295 uid=0 gid=0 euid=500
suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd"
exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1149017047.188:772):
path="/home/marcs/.spamassassin/bayes_journal"
type=AVC msg=audit(1149017047.828:791): avc: denied { write } for pid=1949
comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Finally with grep "clamassassin":
type=SYSCALL msg=audit(1149016209.330:652): arch=40000003 syscall=5 success=yes exit=3
a0=99e48c0 a1=8241 a2=1b6 a3=8241 items=1 pid=11646 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin"
exe="/bin/bash"
type=PATH msg=audit(1149016209.330:652): item=0
name="/tmp/clamassassinmsg.jSBOI11644" flags=310 inode=2 dev=16:06 mode=041777
ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149016209.330:653): avc: denied { getattr } for pid=11646
comm="cat" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC_PATH msg=audit(1149016209.330:653):
path="/tmp/clamassassinmsg.jSBOI11644"
type=AVC msg=audit(1149016209.334:654): avc: denied { execute } for pid=11647
comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0
tclass=file
type=AVC msg=audit(1149016209.334:654): avc: denied { execute_no_trans } for pid=11647
comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0
tclass=file
type=AVC msg=audit(1149016209.334:654): avc: denied { read } for pid=11647
comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0
tclass=file
type=AVC msg=audit(1149016209.346:657): avc: denied { read } for pid=11651
comm="clamassassin" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1149016209.346:657): arch=40000003 syscall=5 success=yes exit=3
a0=99e1190 a1=8000 a2=0 a3=8000 items=1 pid=11651 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin"
exe="/bin/bash"
type=PATH msg=audit(1149016209.346:657): item=0
name="/tmp/clamassassinmsg.jSBOI11644" flags=101 inode=28 dev=16:06
mode=0100600 ouid=500 ogid=500 rdev=00:00
type=AVC msg=audit(1149017043.144:752): avc: denied { add_name } for pid=13192
comm="mktemp" name="clamassassinmsg.QRJvd13192"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1149017043.144:752): avc: denied { create } for pid=13192
comm="mktemp" name="clamassassinmsg.QRJvd13192"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=PATH msg=audit(1149017043.144:752): item=0
name="/tmp/clamassassinmsg.QRJvd13192" flags=310 inode=2 dev=16:06 mode=041777
ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149017043.152:753): avc: denied { write } for pid=13194
comm="clamassassin" name="clamassassinmsg.QRJvd13192" dev=hdc6 ino=28
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> > BTW, on a separate and possibly SELinux-related issue, I had noted that
> > the Evolution Data Server was crashing after I first installed FC5 with
> > SELinux enabled. For the time this morning that I had SELinux disabled,
> > I was not getting the crash. Didn't make the association initially, but
> > now that I have it re-enabled in Permissive Mode, it's crashing again.
> > No avc's in the log here either.
> Don't know what's happening with that. Having SELinux in permissive mode
> should behave almost identically to disabled mode really.
No avc's in /var/log/audit/audit.log, now that I am searching that.
Yeah, this is curious. I'll pay attention to it and post back with any
further data.
Thanks,
Marc
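The AVC records above are the raw material for the fix Paul asked for, but read one by one they are hard to turn into an answer. What a reviewer actually wants is the audit2allow-style summary (source type, target type, object class, set of permissions) plus a flag on anything whose target is `file_t`, because that type means the object is unlabelled (the thread already mentions a relabel after SELinux had been disabled) and the fix there is `restorecon`, not a policy rule. The following is an added example, not part of the thread or of any Fedora tool; it parses the same record format as /var/log/audit/audit.log. The sample input is constructed from a handful of the thread's own records, re-joined onto one line each because audit.log writes one record per line while the mail client wrapped them.

```python
import re
from collections import defaultdict

# Constructed sample: five records taken from the audit.log excerpt in the
# thread above, each re-joined onto a single line. The SYSCALL record is
# included to show that non-AVC record types are skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1149015973.940:564): avc: denied { read } for pid=11095 comm="procmail" name=".procmailrc" dev=dm-0 ino=426353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1149015973.956:565): avc: denied { execute } for pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149015973.956:565): avc: denied { execute_no_trans } for pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149015851.027:544): avc: denied { create } for pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1149015973.940:564): arch=40000003 syscall=5 success=yes exit=4 pid=11095 comm="procmail" exe="/usr/bin/procmail"
"""

# One AVC denial record. name="..." is optional because some denials
# (e.g. on a directory search) are logged without it.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+?) \} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*? scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc_records(text):
    """Return one dict per AVC denial; PATH/SYSCALL/CWD records are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type[:level]; the type is what policy rules key on.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records


def summarize_denials(records):
    """Collapse denials to (source type, target type, class) -> sorted permissions,
    which is the shape an allow rule would take."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def flag_unlabelled_targets(records):
    """Names of objects denied with target type file_t. file_t is the type of an
    unlabelled object, so these point at a missing relabel rather than a policy gap."""
    return sorted({r["name"] for r in records
                   if r["target_type"] == "file_t" and r["name"]})


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls), perms in sorted(summarize_denials(recs).items()):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    print("unlabelled targets (relabel, do not write a rule):",
          flag_unlabelled_targets(recs))
```

On a live system the same records can be pulled straight from the audit log with `ausearch -m AVC -c procmail` and piped into `parse_avc_records`. The point of `flag_unlabelled_targets` is the `.procmailrc` denial above: its target is `file_t`, so the right response is to relabel the home directory, and only the remaining denials (procmail_t executing clamscan_exec_t, writing tmp_t, and so on) describe what the policy itself does not yet allow.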