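# myprocmail -- local SELinux policy module for procmail / spamassassin.
#
# Review notes on the audit2allow output this module was generated from:
#
#   * It contained `allow spamc_t shadow_t:file read;` and
#     `allow spamc_t self:capability { dac_read_search dac_override };`.
#     Loading those would let the spam client read /etc/shadow (password
#     hashes) and bypass DAC permission checks while running as root.
#     spamassassin has no legitimate need for either, so the denials are
#     silenced with dontaudit rules instead of being allowed.  When building
#     against the refpolicy devel Makefile the first rule is spelled
#     auth_dontaudit_read_shadow(spamc_t); a raw checkmodule module has to
#     write the dontaudit directly, as below.
#
#   * The procmail_t rules (read etc_aliases_t, append quota_db_t, write into
#     admin_home_t) were dropped.  The matching raw AVCs were never produced,
#     and the denials went away once the home-directory labels were corrected,
#     which points at mislabeling rather than missing policy.  Re-add a rule
#     only with the AVC in hand; in particular a mail delivery agent should
#     not need write access to root's home directory (admin_home_t).
module myprocmail 1.0;

require {
	type spamc_t;
	type shadow_t;
	class file { getattr open read };
	class capability { dac_read_search dac_override };
}

#============= spamc_t ==============
# The audited event is open(2) with O_RDONLY|O_CLOEXEC failing with EACCES as
# root, after which the kernel probes CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE.
# That is consistent with spamassassin touching a mode-0000 file such as
# /etc/shadow (NOTE(review): inferred from the AVCs, not confirmed with PATH
# records).  Neither access is wanted -- only keep it out of the audit log.
dontaudit spamc_t shadow_t:file { getattr open read };
dontaudit spamc_t self:capability { dac_read_search dac_override };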
Then every time we run `restorecon -vR` on a home directory we get the following, and repeating the command produces the same output. We did run `semanage fcontext -a -e /home /export/home`, so SELinux knows that this tree is a home-directory structure for NFS automounting.
restorecon -vR /export/home/chighley restorecon reset /export/home/chighley/.pyzor context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0 restorecon reset /export/home/chighley/.pyzor/servers context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0 restorecon reset /export/home/chighley/.razor context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/identity context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/razor-agent.log context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c101.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c102.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c103.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c104.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c105.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c118.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c121.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c122.cloudmark.com.conf context 
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c123.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c301.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c302.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c303.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c304.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c305.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.folly.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.joy.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n001.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n002.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n003.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n004.cloudmark.com.conf context 
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.catalogue.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.discovery.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.nomination.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.nomination.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
"David Highley wrote:"
module myprocmail 1.0;
require { type quota_db_t; type etc_aliases_t; type procmail_t; type admin_home_t; type spamc_t; type shadow_t; class file { getattr read open append lock }; class dir { getattr read open write }; class capability { dac_read_search dac_override }; }
#============= procmail_t ============== allow procmail_t etc_aliases_t:file { getattr read open }; allow procmail_t quota_db_t:file { getattr append open lock }; allow procmail_t admin_home_t:dir write; allow procmail_t admin_home_t:file open; allow spamc_t self:capability { dac_read_search dac_override }; allow spamc_t shadow_t:file read;
Then everytime we do a restorecon -vR for a home directory we get the following and if you repeat the command you will get the same output. We did do, semanage fcontext -a -e /home /export/home, so selinux knows that this is a home directory structure for NFS automounting.
restorecon -vR /export/home/chighley restorecon reset /export/home/chighley/.pyzor context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0 restorecon reset /export/home/chighley/.pyzor/servers context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0 restorecon reset /export/home/chighley/.razor context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/identity context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/razor-agent.log context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c101.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c102.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c103.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c104.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c105.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c118.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c121.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c122.cloudmark.com.conf context 
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c123.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c301.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c302.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c303.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c304.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c305.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.folly.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.joy.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n001.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n002.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n003.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n004.cloudmark.com.conf context 
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.catalogue.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.discovery.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.nomination.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.nomination.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0 -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Another thing we just noticed while sending this email: the sent folder did not get a copy of the message (mail is sent by elm -- ancient, I know, but lightweight across the wide network). No AVC was thrown, so we suspect we are not seeing all the denials. Note that a denial covered by a dontaudit rule never reaches the audit log; `semodule -DB` rebuilds the policy with dontaudit rules disabled so those denials become visible, and `semodule -B` restores the default afterwards.
On 01/22/2012 03:33 AM, David Highley wrote:
module myprocmail 1.0;
require { type quota_db_t; type etc_aliases_t; type procmail_t; type admin_home_t; type spamc_t; type shadow_t; class file { getattr read open append lock }; class dir { getattr read open write }; class capability { dac_read_search dac_override }; }
#============= procmail_t ============== allow procmail_t etc_aliases_t:file { getattr read open }; allow procmail_t quota_db_t:file { getattr append open lock };
allow procmail_t admin_home_t:dir write; allow procmail_t admin_home_t:file open; allow spamc_t self:capability { dac_read_search dac_override }; allow spamc_t shadow_t:file read;
Could you attach raw AVC msgs for these rules? What is procmail writing to admin homedir?
And I think we should add the following instead of the `allow spamc_t shadow_t:file read;` rule -- spamc has no legitimate reason to read /etc/shadow, so the denial should be silenced, not permitted:
auth_dontaudit_read_shadow(spamc_t)
Then everytime we do a restorecon -vR for a home directory we get the following and if you repeat the command you will get the same output. We did do, semanage fcontext -a -e /home /export/home, so selinux knows that this is a home directory structure for NFS automounting.
restorecon -vR /export/home/chighley restorecon reset /export/home/chighley/.pyzor context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0 restorecon reset /export/home/chighley/.pyzor/servers context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0 restorecon reset /export/home/chighley/.razor context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/identity context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/razor-agent.log context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c101.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c102.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c103.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c104.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c105.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c118.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c121.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c122.cloudmark.com.conf context 
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c123.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c301.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c302.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c303.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c304.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.c305.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.folly.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.joy.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n001.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n002.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n003.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/server.n004.cloudmark.com.conf context 
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.catalogue.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.discovery.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.nomination.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0 restorecon reset /export/home/chighley/.razor/servers.nomination.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
We handle the spamc, razor and pyzor policy together using type aliases, which is why you see this: the context restorecon reports on disk and the one it "resets" to are the same type under different alias names, so `restorecon -v` prints the change on every run without anything actually changing. Nothing is broken.
"Miroslav Grepl wrote:"
On 01/22/2012 03:33 AM, David Highley wrote:
module myprocmail 1.0;
require { type quota_db_t; type etc_aliases_t; type procmail_t; type admin_home_t; type spamc_t; type shadow_t; class file { getattr read open append lock }; class dir { getattr read open write }; class capability { dac_read_search dac_override }; }
#============= procmail_t ============== allow procmail_t etc_aliases_t:file { getattr read open }; allow procmail_t quota_db_t:file { getattr append open lock };
allow procmail_t admin_home_t:dir write; allow procmail_t admin_home_t:file open; allow spamc_t self:capability { dac_read_search dac_override }; allow spamc_t shadow_t:file read;
Could you attach raw AVC msgs for these rules? What is procmail writing to admin homedir?
After correcting some labels and removing the above policy module, we are now only seeing these AVCs:
---- time->Wed Jan 25 03:35:06 2012 type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Wed Jan 25 03:35:06 2012 type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Wed Jan 25 03:35:07 2012 type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC 
msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
On 01/25/2012 02:26 PM, David Highley wrote:
"Miroslav Grepl wrote:"
On 01/22/2012 03:33 AM, David Highley wrote:
module myprocmail 1.0;
require { type quota_db_t; type etc_aliases_t; type procmail_t; type admin_home_t; type spamc_t; type shadow_t; class file { getattr read open append lock }; class dir { getattr read open write }; class capability { dac_read_search dac_override }; }
#============= procmail_t ============== allow procmail_t etc_aliases_t:file { getattr read open }; allow procmail_t quota_db_t:file { getattr append open lock }; allow procmail_t admin_home_t:dir write; allow procmail_t admin_home_t:file open; allow spamc_t self:capability { dac_read_search dac_override }; allow spamc_t shadow_t:file read;
Could you attach raw AVC msgs for these rules? What is procmail writing to admin homedir?
After correcting some labels, removing the above policy. We are now only seeing these AVC:
time->Wed Jan 25 03:35:06 2012 type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
time->Wed Jan 25 03:35:06 2012 type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
time->Wed Jan 25 03:35:07 2012 type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I guess this relates to the rule below. The denied call is open(2) (syscall=2) with flags a1=80000 (O_RDONLY|O_CLOEXEC) failing with EACCES (exit=-13) while running as root, after which the kernel checks CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE; that pattern is consistent with a read-only open of a mode-0000 file such as /etc/shadow:
allow spamc_t shadow_t:file read;
Could you re-test it with the following:
Turn on full auditing: `$ auditctl -w /etc/shadow -p w` -- adding any watch rule switches the audit subsystem into full syscall auditing, so each AVC event is then followed by a PATH record naming the file that was actually being opened.
Try to recreate AVC. Then execute $ ausearch -m avc -ts recent
"Miroslav Grepl wrote:"
On 01/25/2012 02:26 PM, David Highley wrote:
"Miroslav Grepl wrote:"
On 01/22/2012 03:33 AM, David Highley wrote:
module myprocmail 1.0;
require { type quota_db_t; type etc_aliases_t; type procmail_t; type admin_home_t; type spamc_t; type shadow_t; class file { getattr read open append lock }; class dir { getattr read open write }; class capability { dac_read_search dac_override }; }
#============= procmail_t ============== allow procmail_t etc_aliases_t:file { getattr read open }; allow procmail_t quota_db_t:file { getattr append open lock }; allow procmail_t admin_home_t:dir write; allow procmail_t admin_home_t:file open; allow spamc_t self:capability { dac_read_search dac_override }; allow spamc_t shadow_t:file read;
Could you attach raw AVC msgs for these rules? What is procmail writing to admin homedir?
After correcting some labels, removing the above policy. We are now only seeing these AVC:
time->Wed Jan 25 03:35:06 2012 type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
time->Wed Jan 25 03:35:06 2012 type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
time->Wed Jan 25 03:35:07 2012 type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I guess this relates with
allow spamc_t shadow_t:file read;
Could you re-test it with the following:
Turn on full auditing $ auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute $ ausearch -m avc -ts recent
---- time->Thu Jan 26 03:09:06 2012 type=SYSCALL msg=audit(1327576146.116:514): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576146.116:514): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576146.116:514): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:09:06 2012 type=SYSCALL msg=audit(1327576146.382:515): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576146.382:515): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576146.382:515): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:09:08 2012 type=SYSCALL msg=audit(1327576148.073:517): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC 
msg=audit(1327576148.073:517): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576148.073:517): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:12:07 2012 type=SYSCALL msg=audit(1327576327.808:520): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576327.808:520): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576327.808:520): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:12:07 2012 type=SYSCALL msg=audit(1327576327.907:521): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576327.907:521): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576327.907:521): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 
tclass=capability ---- time->Thu Jan 26 03:12:09 2012 type=SYSCALL msg=audit(1327576329.329:522): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576329.329:522): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576329.329:522): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:29:01 2012 type=SYSCALL msg=audit(1327577341.693:530): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327577341.693:530): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327577341.693:530): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:29:01 2012 type=SYSCALL msg=audit(1327577341.741:531): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC 
msg=audit(1327577341.741:531): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327577341.741:531): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:29:02 2012 type=SYSCALL msg=audit(1327577342.749:532): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327577342.749:532): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327577342.749:532): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability