On Mon, 2006-06-26 at 12:47 -0500, Marc Schwartz (via MN) wrote:
On Mon, 2006-06-26 at 12:31 +0100, Paul Howarth wrote:
> Marc Schwartz wrote:
> > After loading the updated modules, you'll need to do:
> >>
> >> # restorecon -rv /var/dcc
> >
> > Done and new mydcc policy installed:
> >
> > # semodule -l
> > amavis 1.0.4
> > clamav 1.0.1
> > dcc 1.0.0
> > myclamav 0.1.1
> > mydcc 0.1.6
> > mypostfix 0.1.0
> > mypyzor 0.2.1
> > myspamassassin 0.1.1
> > procmail 0.5.4
> > pyzor 1.0.1
> > razor 1.0.0
> >
> >
> > New avc's:
> >
> > type=AVC msg=audit(1151269000.770:5837): avc: denied { search } for pid=23000 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1151269000.770:5837): arch=40000003 syscall=12 success=yes exit=0 a0=bfdb1202 a1=0 a2=4891eff4 a3=37 items=1 pid=23000 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:spamd_t:s0
> > type=CWD msg=audit(1151269000.770:5837): cwd="/"
> > type=PATH msg=audit(1151269000.770:5837): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dcc_var_t:s0
>
> dccproc is still running in the spamd_t domain; for some reason the
> domain transition hasn't happened.
>
> Can you check that the dccproc being invoked by spamassassin is the one
> in /usr/local/bin and that its context type is dcc_client_exec_t?

dccproc only exists in two locations:

/var/dcc/build/dcc/dccproc/dccproc

and

/usr/local/bin/dccproc

The former is where dcc does its build each night.

It was:

user_u:object_r:bin_t

I ran restorecon on it and now:

system_u:object_r:dcc_client_exec_t

However, thinking that the build process might change the context, I
manually ran updatedcc via sudo from the CLI. Sure enough, the context
is back to:

user_u:object_r:bin_t

So the change in context will occur every night. :-(

Should I add a restorecon to crontab after updatedcc runs?

Yes.

Also, there is some configuration info here:

http://www.rhyolite.com/anti-spam/dcc/dcc-tree/INSTALL.html

where some settings (i.e. UID) might be apropos here. If something makes
sense to change, let me know.

It looks tricky. There's one script that both compiles and then installs
the updated version. It only needs to be root to do the install, and
would need changing to split the functionality.

Paul.
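
The fix agreed in the thread (run restorecon on /usr/local/bin/dccproc after each updatedcc run), written as a cron wrapper that also verifies the resulting label. This is an added example, not code from the thread or from DCC; it assumes updatedcc is on root's PATH and GNU stat is available, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: nightly wrapper that re-applies the SELinux label after updatedcc.
DCCPROC="${DCCPROC:-/usr/local/bin/dccproc}"   # installed binary named in the thread
WANT_TYPE="${WANT_TYPE:-dcc_client_exec_t}"    # type the thread expects on it
UPDATEDCC="${UPDATEDCC:-updatedcc}"            # assumption: updatedcc is on root's PATH

# Print the type (third colon-separated field) of an SELinux context,
# e.g. "user_u:object_r:bin_t" -> "bin_t"; works with or without an MLS level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when the type in context $1 differs from the wanted type $2.
needs_relabel() {
    [ "$(context_type "$1")" != "$2" ]
}

# Print the current context of a file (stat -c %C is GNU coreutils).
file_context() {
    stat -c %C -- "$1"
}

# Rebuild, then restore and verify the label so the domain transition keeps working.
relabel_after_update() {
    "$UPDATEDCC" || { echo "updatedcc failed" >&2; return 1; }
    ctx=$(file_context "$DCCPROC") || return 1
    if needs_relabel "$ctx" "$WANT_TYPE"; then
        echo "relabeling $DCCPROC (was $ctx)" >&2
        restorecon -v "$DCCPROC" || return 1
        ctx=$(file_context "$DCCPROC") || return 1
    fi
    # Fail loudly if the loaded file contexts do not map the binary to the wanted type.
    if needs_relabel "$ctx" "$WANT_TYPE"; then
        echo "$DCCPROC still labeled $ctx, expected type $WANT_TYPE" >&2
        return 1
    fi
}

# Act only when invoked with the argument "run", so the helpers can be sourced safely.
if [ "${1:-}" = "run" ]; then
    relabel_after_update
fi
```

A non-zero exit from the wrapper makes cron mail the error, so a nightly run that leaves the binary mislabeled does not go unnoticed.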