On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> I have a procmail recipe which writes a copy of every mail I receive
> (just because I'm paranoid it doesn't mean they aren't out to get me!)
> to a backup area on my /dev/sda9 partition, mounted as
> /mnt/backup/ by fstab. (It is an ext3 partition).
>
> Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> prevent the hundreds of avcs by suggesting the following:
>
> semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> restorecon -v -R /mnt/backup
>
> This worked perfectly. It also held true throughout my time with F9. I
> have now upgraded to F11 (I skipped F10) and it still kind of works. I
> get an avc when logrotate tries to access these files.
>
> The strange thing is this didn't happen under F8 or F9.
>
> Is there an elegant solution to this problem or should I write a policy
> module?
>
> This is what audit2allow proposes:
>
> module rawmail 1.0;
>
> require {
> type mail_spool_t;
> type logrotate_t;
> class file getattr;
> }
>
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file getattr;
>
>
> The full avc is below.
>
> Many thanks for all your help....
>
> Mark
Just to add to my own mail...
I employed the above policy module, everything seemed OK so (as this
seemed to be the last of the problems since upgrading) I switched to
enforcing mode.
Since doing so I have received no AVCs but I am finding these in my
maillog:
procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
procmail: Error while writing to "/mnt/backup/mail/rawmail"
Temporarily switching back with setenforce 0 stops them so it is SELinux
related...
Also, I get these dovecot messages (although I haven't investigated
fully if they are SELinux related...)
**Unmatched Entries**
dovecot: IMAP(wife): fchown() failed with
file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
permitted: 3 Time(s)
But still no AVCs
Any ideas?
Try semodule -DB to unload any silent denials. Remember that the denials
shown after you do this are meant to be silenced.
To reload policy with the silenced denials: semodule -B.
Also keep an eye on /var/log/messages since the DBUS user space object manager logs some
denials there (if DBUS is at all involved)
hth
Thanks
Mark
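As an added illustration (not part of the thread), the paths from the maillog lines quoted above are checked against the semanage fcontext rule from the original post, emulating how file_contexts lookups work: patterns are anchored at both ends and the last matching entry wins, so it shows which failing files the /mnt/backup rule covers and which (the dovecot index files under /home) it does not. The default_t and user_home_t entries are assumed stand-ins for the distribution's own rules, and the log text is a constructed sample.

```python
import re

# Constructed sample of the maillog lines quoted in the thread (not a real log file).
MAILLOG = """\
procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
procmail: Error while writing to "/mnt/backup/mail/rawmail"
dovecot: IMAP(wife): fchown() failed with file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not permitted
dovecot: IMAP(son): fchown() failed with file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not permitted
"""

# A miniature file_contexts as (regex, type). Order matters: as with setfiles/matchpathcon,
# the last matching entry wins, and local customisations (semanage fcontext -a) come last.
# The /mnt/backup line is the thread's rule; the other two are assumed defaults for illustration.
FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/home/[^/]+/.*", "user_home_t"),
    (r"/mnt/backup(/.*)?", "mail_spool_t"),  # the rule added with semanage fcontext -a
]

# Matches a quoted path (procmail) or 'file <path>:' (dovecot).
PATH_RE = re.compile(r'"(/[^"]+)"|file (/\S+):')


def failing_paths(log_text):
    """Extract (daemon, path) pairs from procmail/dovecot error lines."""
    found = []
    for line in log_text.splitlines():
        m = PATH_RE.search(line)
        if m:
            found.append((line.split(":", 1)[0], m.group(1) or m.group(2)))
    return found


def expected_type(path, contexts=FILE_CONTEXTS):
    """Emulate a file_contexts lookup: anchored patterns, last match wins."""
    label = None
    for pattern, setype in contexts:
        if re.fullmatch(pattern, path):
            label = setype
    return label


def triage(log_text):
    """Map each failing path to the type the fcontext rules would assign it."""
    return {path: expected_type(path) for _, path in failing_paths(log_text)}


if __name__ == "__main__":
    for path, setype in triage(MAILLOG).items():
        print(f"{path} -> {setype}")
```

Paths that resolve to mail_spool_t are the ones the rule already labels, so a failure there with no AVC is the case the reply addresses with semodule -DB; the /home paths fall under a different rule entirely.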
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list