9:33 p.m.
module myprocmail 1.0;
require {
type quota_db_t;
type etc_aliases_t;
type procmail_t;
type admin_home_t;
type spamc_t;
type shadow_t;
class file { getattr read open append lock };
class dir { getattr read open write };
class capability { dac_read_search dac_override };
}
#============= procmail_t ==============
allow procmail_t etc_aliases_t:file { getattr read open };
allow procmail_t quota_db_t:file { getattr append open lock };
allow procmail_t admin_home_t:dir write;
allow procmail_t admin_home_t:file open;
allow spamc_t self:capability { dac_read_search dac_override };
allow spamc_t shadow_t:file read;
Then everytime we do a restorecon -vR for a home directory we get the
following and if you repeat the command you will get the same output.
We did do, semanage fcontext -a -e /home /export/home, so selinux knows
that this is a home directory structure for NFS automounting.
restorecon -vR /export/home/chighley
restorecon reset /export/home/chighley/.pyzor context
system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.pyzor/servers context
system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.razor context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/identity context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/razor-agent.log context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c101.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c102.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c103.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c104.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c105.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c118.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c121.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c122.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c123.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c301.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c302.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c303.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c304.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c305.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.folly.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.joy.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n001.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n002.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n003.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n004.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.discovery.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.nomination.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock
context
system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/servers.nomination.lst.lock context
system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
9:47 p.m.
"David Highley wrote:"
module myprocmail 1.0;
require {
type quota_db_t;
type etc_aliases_t;
type procmail_t;
type admin_home_t;
type spamc_t;
type shadow_t;
class file { getattr read open append lock };
class dir { getattr read open write };
class capability { dac_read_search dac_override };
}
#============= procmail_t ==============
allow procmail_t etc_aliases_t:file { getattr read open };
allow procmail_t quota_db_t:file { getattr append open lock };
allow procmail_t admin_home_t:dir write;
allow procmail_t admin_home_t:file open;
allow spamc_t self:capability { dac_read_search dac_override };
allow spamc_t shadow_t:file read;
Then everytime we do a restorecon -vR for a home directory we get the
following and if you repeat the command you will get the same output.
We did do, semanage fcontext -a -e /home /export/home, so selinux knows
that this is a home directory structure for NFS automounting.
restorecon -vR /export/home/chighley
restorecon reset /export/home/chighley/.pyzor context
system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.pyzor/servers context
system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.razor context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/identity context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/razor-agent.log context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c101.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c102.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c103.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c104.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c105.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c118.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c121.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c122.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c123.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c301.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c302.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c303.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c304.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c305.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.folly.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.joy.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n001.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n002.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n003.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n004.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.discovery.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.nomination.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock
context
system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/servers.nomination.lst.lock context
system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Another thing we just noticed in sending this email. The sent file did
not get a copy of this email, I know it ancient but light weight across
the wide network, sent by elm. No avc thrown so we suspect were not
seeing all the issues.
10:10 a.m.
On 01/22/2012 03:33 AM, David Highley wrote:
module myprocmail 1.0;
require {
type quota_db_t;
type etc_aliases_t;
type procmail_t;
type admin_home_t;
type spamc_t;
type shadow_t;
class file { getattr read open append lock };
class dir { getattr read open write };
class capability { dac_read_search dac_override };
}
#============= procmail_t ==============
allow procmail_t etc_aliases_t:file { getattr read open };
allow procmail_t quota_db_t:file { getattr append open lock };
allow procmail_t admin_home_t:dir write;
allow procmail_t admin_home_t:file open;
allow spamc_t self:capability { dac_read_search dac_override };
allow spamc_t shadow_t:file read;
Could you attach raw AVC msgs for these rules? What is procmail writing
to admin homedir?
And I think we should add
auth_dontaudit_read_shadow(spamc_t)
Then everytime we do a restorecon -vR for a home directory we get
the
following and if you repeat the command you will get the same output.
We did do, semanage fcontext -a -e /home /export/home, so selinux knows
that this is a home directory structure for NFS automounting.
restorecon -vR /export/home/chighley
restorecon reset /export/home/chighley/.pyzor context
system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.pyzor/servers context
system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.razor context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/identity context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/razor-agent.log context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c101.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c102.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c103.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c104.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c105.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c118.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c121.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c122.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c123.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c301.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c302.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c303.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c304.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.c305.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.folly.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.joy.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n001.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n002.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n003.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/server.n004.cloudmark.com.conf context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.discovery.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.nomination.lst
context
unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock
context
system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
restorecon reset
/export/home/chighley/.razor/servers.nomination.lst.lock context
system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
We treat
spamc and razor policy together using aliases, this is a reason
why you see it. Nothing is broken.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
8:26 a.m.
"Miroslav Grepl wrote:"
On 01/22/2012 03:33 AM, David Highley wrote:
> module myprocmail 1.0;
>
> require {
> type quota_db_t;
> type etc_aliases_t;
> type procmail_t;
> type admin_home_t;
> type spamc_t;
> type shadow_t;
> class file { getattr read open append lock };
> class dir { getattr read open write };
> class capability { dac_read_search dac_override };
> }
>
> #============= procmail_t ==============
> allow procmail_t etc_aliases_t:file { getattr read open };
> allow procmail_t quota_db_t:file { getattr append open lock };
> allow procmail_t admin_home_t:dir write;
> allow procmail_t admin_home_t:file open;
> allow spamc_t self:capability { dac_read_search dac_override };
> allow spamc_t shadow_t:file read;
>
Could you attach raw AVC msgs for these rules? What is procmail writing
to admin homedir?
After correcting some labels, removing the above policy. We are now only
seeing these AVC:
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13
a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13
a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:07 2012
type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13
a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
10:51 a.m.
On 01/25/2012 02:26 PM, David Highley wrote:
"Miroslav Grepl wrote:"
> On 01/22/2012 03:33 AM, David Highley wrote:
>> module myprocmail 1.0;
>>
>> require {
>> type quota_db_t;
>> type etc_aliases_t;
>> type procmail_t;
>> type admin_home_t;
>> type spamc_t;
>> type shadow_t;
>> class file { getattr read open append lock };
>> class dir { getattr read open write };
>> class capability { dac_read_search dac_override };
>> }
>>
>> #============= procmail_t ==============
>> allow procmail_t etc_aliases_t:file { getattr read open };
>> allow procmail_t quota_db_t:file { getattr append open lock };
>> allow procmail_t admin_home_t:dir write;
>> allow procmail_t admin_home_t:file open;
>> allow spamc_t self:capability { dac_read_search dac_override };
>> allow spamc_t shadow_t:file read;
>>
> Could you attach raw AVC msgs for these rules? What is procmail writing
> to admin homedir?
After correcting some labels, removing the above policy. We are now only
seeing these AVC:
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13
a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13
a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:07 2012
type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13
a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
I guess this relates with
allow spamc_t shadow_t:file read;
Could you re-test it with the following:
Turn on full auditing
$ auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
$ ausearch -m avc -ts recent
8:30 a.m.
"Miroslav Grepl wrote:"
On 01/25/2012 02:26 PM, David Highley wrote:
> "Miroslav Grepl wrote:"
>> On 01/22/2012 03:33 AM, David Highley wrote:
>>> module myprocmail 1.0;
>>>
>>> require {
>>> type quota_db_t;
>>> type etc_aliases_t;
>>> type procmail_t;
>>> type admin_home_t;
>>> type spamc_t;
>>> type shadow_t;
>>> class file { getattr read open append lock };
>>> class dir { getattr read open write };
>>> class capability { dac_read_search dac_override };
>>> }
>>>
>>> #============= procmail_t ==============
>>> allow procmail_t etc_aliases_t:file { getattr read open };
>>> allow procmail_t quota_db_t:file { getattr append open lock };
>>> allow procmail_t admin_home_t:dir write;
>>> allow procmail_t admin_home_t:file open;
>>> allow spamc_t self:capability { dac_read_search dac_override };
>>> allow spamc_t shadow_t:file read;
>>>
>> Could you attach raw AVC msgs for these rules? What is procmail writing
>> to admin homedir?
> After correcting some labels, removing the above policy. We are now only
> seeing these AVC:
>
> ----
> time->Wed Jan 25 03:35:06 2012
> type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no
exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for
pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for
pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> ----
> time->Wed Jan 25 03:35:06 2012
> type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no
exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for
pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for
pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> ----
> time->Wed Jan 25 03:35:07 2012
> type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no
exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for
pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for
pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I guess this relates with
allow spamc_t shadow_t:file read;
Could you re-test it with the following:
Turn on full auditing
$ auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
$ ausearch -m avc -ts recent
----
time->Thu Jan 26 03:09:06 2012
type=SYSCALL msg=audit(1327576146.116:514): arch=c000003e syscall=2 success=no exit=-13
a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576146.116:514): avc: denied { dac_read_search } for pid=15545
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576146.116:514): avc: denied { dac_override } for pid=15545
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:09:06 2012
type=SYSCALL msg=audit(1327576146.382:515): arch=c000003e syscall=2 success=no exit=-13
a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576146.382:515): avc: denied { dac_read_search } for pid=15545
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576146.382:515): avc: denied { dac_override } for pid=15545
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:09:08 2012
type=SYSCALL msg=audit(1327576148.073:517): arch=c000003e syscall=2 success=no exit=-13
a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576148.073:517): avc: denied { dac_read_search } for pid=15545
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576148.073:517): avc: denied { dac_override } for pid=15545
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:12:07 2012
type=SYSCALL msg=audit(1327576327.808:520): arch=c000003e syscall=2 success=no exit=-13
a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576327.808:520): avc: denied { dac_read_search } for pid=17480
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576327.808:520): avc: denied { dac_override } for pid=17480
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:12:07 2012
type=SYSCALL msg=audit(1327576327.907:521): arch=c000003e syscall=2 success=no exit=-13
a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576327.907:521): avc: denied { dac_read_search } for pid=17480
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576327.907:521): avc: denied { dac_override } for pid=17480
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:12:09 2012
type=SYSCALL msg=audit(1327576329.329:522): arch=c000003e syscall=2 success=no exit=-13
a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576329.329:522): avc: denied { dac_read_search } for pid=17480
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576329.329:522): avc: denied { dac_override } for pid=17480
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:29:01 2012
type=SYSCALL msg=audit(1327577341.693:530): arch=c000003e syscall=2 success=no exit=-13
a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327577341.693:530): avc: denied { dac_read_search } for pid=17752
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327577341.693:530): avc: denied { dac_override } for pid=17752
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:29:01 2012
type=SYSCALL msg=audit(1327577341.741:531): arch=c000003e syscall=2 success=no exit=-13
a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327577341.741:531): avc: denied { dac_read_search } for pid=17752
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327577341.741:531): avc: denied { dac_override } for pid=17752
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:29:02 2012
type=SYSCALL msg=audit(1327577342.749:532): arch=c000003e syscall=2 success=no exit=-13
a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl"
subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327577342.749:532): avc: denied { dac_read_search } for pid=17752
comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327577342.749:532): avc: denied { dac_override } for pid=17752
comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:spamc_t:s0 tclass=capability
4472
days inactive
4476
days old
selinux@lists.fedoraproject.org
5 comments
2 participants
participants (2)
-
David Highley -
Miroslav Grepl