Re: Logrotate on mounted partition

On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote: > On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote: > > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote: [snip] > > > > Just to add to my own mail... > > > > I employed the above policy module, everything seemed OK so (as this > > seemed to be the last of the problems since upgrading) I switched to > > enforcing mode. > > > > Since doing so I have received no AVCs but I am finding these in my > > maillog: > > > > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock" > > procmail: Error while writing to "/mnt/backup/mail/rawmail" > > > > Temporarily switching back with setenforce 0 stops them so it is selinux > > related... > > > > > > Also, I get these dovecot messages (although I haven't investigated > > fully if they are selinux related... > > **Unmatched Entries** > > dovecot: IMAP(wife): fchown() failed with > > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not > > permitted: 1 Time(s) > > dovecot: IMAP(son): fchown() failed with > > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not > > permitted: 1 Time(s) > > dovecot: IMAP(son): fchown() failed with > > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not > > permitted: 1 Time(s) > > dovecot: IMAP(son): fchown() failed with > > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not > > permitted: 3 Time(s) > > > > > > But still no AVCs > > > > Any ideas? > Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced. > To reload policy with the silenced denials: semodule -B. > > Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved) OK - since semodule -DB getting flooded with AVCs... Here are some that are related to this problem... cat /var/log/audit/audit.log | grep -i procmail .... type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11 success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null) type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196 success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null) This still with setenforce 0 Any ideas? Thanks for your help!... Mark

-- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list