11:38 p.m.
With a fully updated FC5 targeted policy, in permissive mode, while sorting
incoming mail, procmail invokes spamassassin, which wants read and getattr
permission for file /etc/shadow. I used audit2allow to create an allow
rule for these cases, but the resulting local.pp module will not load,
because it triggers an assert rule.
What is the recommended resolution to this issue?
-- Chuck
1:57 a.m.
On Wed, 2006-08-16 at 21:38 -0700, Charles A. Crayne wrote:
With a fully updated FC5 targeted policy, in permissive mode, while
sorting
incoming mail, procmail invokes spamassassin, which wants read and getattr
permission for file /etc/shadow. I used audit2allow to create an allow
rule for these cases, but the resulting local.pp module will not load,
because it triggers an assert rule.
Can you post the AVC messages you get when calling spamassassin from
procmail?
How do you call spamassassin from procmail? Can you post the procmail
recipe you use?
Paul.
6:47 a.m.
On Wed, 2006-08-16 at 21:38 -0700, Charles A. Crayne wrote:
With a fully updated FC5 targeted policy, in permissive mode, while
sorting
incoming mail, procmail invokes spamassassin, which wants read and getattr
permission for file /etc/shadow. I used audit2allow to create an allow
rule for these cases, but the resulting local.pp module will not load,
because it triggers an assert rule.
What is the recommended resolution to this issue?
Odds are good that it doesn't truly need those permissions, so use a
dontaudit rule instead of an allow rule, and see if it works then in
enforcing mode. The dontaudit rule will just suppress the audit message
without allowing it to happen.
--
Stephen Smalley
National Security Agency
9:53 p.m.
On Thu, 17 Aug 2006 07:57:17 +0100
Paul Howarth <paul(a)city-fan.org> wrote:
:Can you post the AVC messages you get when calling spamassassin from
:procmail?
Aug 17 15:19:02 kernel: audit(1155853142.532:103485): avc: denied
{ read } for pid=20360 comm=spamassassin name="shadow" dev=hda3
ino=230475 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:shadow_t tclass=file
Aug 17 15:19:02 kernel: audit(1155853142.532:103486): avc: denied
{ getattr } for pid=20360 comm=spamassassin name="shadow" dev=hda3
ino=230475 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:shadow_t tclass=file
:How do you call spamassassin from procmail? Can you post the procmail
:recipe you use?
#Run spamassassin on non-subscription messages
:0fw
| /usr/bin/spamassassin
-- Chuck
11:22 p.m.
On Thu, 17 Aug 2006 07:57:17 +0100
Paul Howarth <paul(a)city-fan.org> wrote:
:How do you call spamassassin from procmail?
In addition to the direct call cited in my previous reply, I have now
unearthed an indirect call via a perl script, as follows:
. . .
open( SPAM, '| spamassassin -e > /dev/null');
print SPAM "$message";
close( SPAM );
. . .
-- Chuck
7:38 a.m.
Charles A. Crayne wrote:
On Thu, 17 Aug 2006 07:57:17 +0100
Paul Howarth <paul(a)city-fan.org> wrote:
:How do you call spamassassin from procmail?
In addition to the direct call cited in my previous reply, I have now
unearthed an indirect call via a perl script, as follows:
. . .
open( SPAM, '| spamassassin -e > /dev/null');
print SPAM "$message";
close( SPAM );
. . .
-- Chuck
Chuck,
What happens if you change the call in .procmailrc to:
:0 fw
| /usr/bin/spamc
so that the spamd daemon is used rather than running the spamassassin
executable each time?
Marc Schwartz
8:16 a.m.
Marc Schwartz wrote:
Charles A. Crayne wrote:
> On Thu, 17 Aug 2006 07:57:17 +0100
> Paul Howarth <paul(a)city-fan.org> wrote:
>
> :How do you call spamassassin from procmail?
>
> In addition to the direct call cited in my previous reply, I have now
> unearthed an indirect call via a perl script, as follows:
>
> . . .
> open( SPAM, '| spamassassin -e > /dev/null');
> print SPAM "$message";
> close( SPAM );
> . . .
>
> -- Chuck
>
Chuck,
What happens if you change the call in .procmailrc to:
:0 fw
| /usr/bin/spamc
so that the spamd daemon is used rather than running the spamassassin
executable each time?
This is much more likely to work properly, since procmail will
transition properly to the spamaassassin client domain this way. And of
course it'll be faster.
Paul.
11:16 p.m.
On Fri, 18 Aug 2006 07:38:45 -0500
Marc Schwartz <MSchwartz(a)mn.rr.com> wrote:
:What happens if you change the call in .procmailrc to:
:
::0 fw
:| /usr/bin/spamc
:
:
:so that the spamd daemon is used rather than running the spamassassin
:executable each time?
Most of the denied messages changed from spamassassin to spamd.:-)
However, the ones involving shadow_t still said spamassassin, and now that
I have changed the Perl call, as well, the shadow_t issue seems to have
gone away.
Thanks to both you and Paul for the suggestion.
-- Chuck
2:57 a.m.
On Sun, 2006-08-20 at 21:16 -0700, Charles A. Crayne wrote:
On Fri, 18 Aug 2006 07:38:45 -0500
Marc Schwartz <MSchwartz(a)mn.rr.com> wrote:
:What happens if you change the call in .procmailrc to:
:
::0 fw
:| /usr/bin/spamc
:
:
:so that the spamd daemon is used rather than running the spamassassin
:executable each time?
Most of the denied messages changed from spamassassin to spamd.:-)
However, the ones involving shadow_t still said spamassassin, and now that
I have changed the Perl call, as well, the shadow_t issue seems to have
gone away.
Thanks to both you and Paul for the suggestion.
Which selinux-policy version do you have?
$ rpm -q selinux-policy
Paul.
2:16 p.m.
On Mon, 21 Aug 2006 08:57:05 +0100
Paul Howarth <paul(a)city-fan.org> wrote:
:Which selinux-policy version do you have?
selinux-policy-2.3.3-8.fc5
-- Chuck
6457
days inactive
6461
days old
selinux@lists.fedoraproject.org
9 comments
4 participants
participants (4)
-
Charles A. Crayne -
Marc Schwartz -
Paul Howarth -
Stephen Smalley