On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> I have a procmail recipe which writes a copy of every mail I receive
> (just because I'm paranoid it doesn't mean they aren't out to get me!)
> to a backup area on my /dev/sda9 partition, mounted as
> /mnt/backup/ by fstab. (It is an ext3 partition).
> Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> prevent the hundreds of avcs by suggesting the following:
> semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> restorecon -v -R /mnt/backup
> This worked perfectly. It also held true throughout my time with F9. I
> have now upgraded to F11 (I skipped F10) and it still kind of works. I
> get an avc when logrotate tries to access these files.
> The strange thing is this didn't happen under F8 or F9.
> Is there an elegant solution to this problem or should I write a policy
> module?
> This is what audit2allow proposes:
> module rawmail 1.0;
> require {
>         type mail_spool_t;
>         type logrotate_t;
>         class file getattr;
> }
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file getattr;
> The full avc is below.
> Many thanks for all your help....
> Mark
Just to add to my own mail...
I employed the above policy module, everything seemed OK so (as this
seemed to be the last of the problems since upgrading) I switched to
enforcing mode.
Since doing so I have received no AVCs but I am finding these in my
maillog:
procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
procmail: Error while writing to "/mnt/backup/mail/rawmail"
Temporarily switching back with setenforce 0 stops them so it is selinux
related...
Also, I get these dovecot messages (although I haven't investigated
fully if they are selinux related):
**Unmatched Entries**
dovecot: IMAP(wife): fchown() failed with
file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
permitted: 3 Time(s)
But still no AVCs
Any ideas?
Thanks
Mark
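Added example, not code from Mark's mail or from the Fedora SELinux tools: a small POSIX shell script with two helpers for exactly this situation. check_labels reads "CONTEXT PATH" lines (the shape `stat -c '%C %n'` prints on an SELinux box) and lists every file whose type is not the one the semanage fcontext rule assigned, which is the first thing to rule out when procmail gets EPERM on a file in the relabelled tree. avc_to_allow turns one audit AVC record into the allow rule audit2allow would print, so the module above can be checked against the raw denial. All sample input is constructed here; it is not a real log.

```shell
#!/bin/sh
# Added example, not from the thread. Both helpers work on plain text so they
# run anywhere; the sample label list and sample AVC below are constructed.

# check_labels TYPE: read lines of "CONTEXT PATH" on stdin and print the path
# of every entry whose type (third colon-separated field) is not TYPE.
# Exit status is 1 if anything was printed, 0 if every file is labelled right.
check_labels() {
    awk -v want="$1" '
        {
            split($1, ctx, ":")
            if (ctx[3] != want) {
                path = $0; sub(/^[^ ]+ /, "", path)   # keep paths with spaces intact
                print path
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# avc_to_allow "AVC LINE": pull the permission set, source type, target type
# and object class out of one AVC record and print the matching allow rule,
# e.g. "allow logrotate_t mail_spool_t:file getattr;".
# Returns 1 if the line does not look like an AVC denial.
avc_to_allow() {
    line="$1"
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    src=$(printf '%s\n' "$line"   | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$line"   | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    cls=$(printf '%s\n' "$line"   | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    case "$perms" in *" "*) perms="{ $perms }" ;; esac   # several perms get braces
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Constructed sample: the lock file is still file_t, i.e. restorecon never
# reached it (or the fcontext rule does not cover its path).
SAMPLE_LABELS='system_u:object_r:mail_spool_t:s0 /mnt/backup/mail/rawmail
system_u:object_r:file_t:s0 /mnt/backup/mail/rawmail.lock'

# Constructed sample AVC shaped like the logrotate denial the module above allows.
SAMPLE_AVC='type=AVC msg=audit(1250332216.123:456): avc:  denied  { getattr } for  pid=1234 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=12 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file'

echo "Files not labelled mail_spool_t:"
printf '%s\n' "$SAMPLE_LABELS" | check_labels mail_spool_t || echo "(relabel needed)"
echo "Rule for the sample AVC:"
avc_to_allow "$SAMPLE_AVC"

# On the real box:
#   find /mnt/backup -exec stat -c '%C %n' {} + | check_labels mail_spool_t
# prints whatever still needs `restorecon -v -R /mnt/backup`. A denial that
# shows up as EPERM in maillog but never as an AVC is usually hidden by a
# dontaudit rule: `semodule -DB` rebuilds policy with dontaudit disabled so
# the AVC appears in audit.log, and `semodule -B` puts the rules back.
```

The label check deliberately compares only the type field, since user and MLS range vary between files and are not what the fcontext rule sets. The dontaudit note at the end is the usual explanation for "errors in maillog but no AVC" and assumes a policycoreutils with `semodule -D`.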