Denials from spamc and webalizer on Centos 5.2

Richard Chapman rchapman at aardvark.com.au
Mon Jan 26 08:52:24 UTC 2009


Hi Dominick

It has taken me a while to decide to go ahead with your suggestion 
below... (I think I was hoping the problem would go away...:-)) and it 
looks like I am heading in the right direction - but there is a little 
more work to do.

There seemed to be a problem with the quotes in the line:

echo "optional_policy(`" >> myprocmail.te;

but I edited the .te file - and the make worked fine - after I installed 
the selinux-policy-devel package. Here is myprocmail.te:

policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`spamassassin_domtrans_spamc(procmail_t)')

I installed the policy file using the GUI Selinux Administration tool.

I think we have got rid of the procmail error - but now we have a new 
error. (see below). I'm guessing I need another line or two in my 
myprocmail.te file. Can you tell me what it is I need? I'm pretty sure 
this is a new error - which might suggest that there is something wrong 
with the above policy file??

I haven't tried the webalizer changes yet. I have turned webalizer off 
for the time being.

Many thanks

Richard.


Summary
SELinux is preventing the semodule from using potentially mislabeled 
files 
(/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session). 

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but 
was permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s) 
(/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session). 
This means that SELinux will not allow semodule to use these files. It 
is common for users to edit files in their home directory or tmp 
directories and then move (mv) them to system directories. The problem 
is that the files end up with the wrong file context which confined 
applications are not allowed to access.

Allowing Access
If you want semodule to access this files, you need to relabel them 
using restorecon -v 
'/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session'. 
You might want to relabel the entire directory using restorecon -R -v 
'/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01'.
Additional Information

Source Context:   	system_u:system_r:semanage_t
Target Context:   	user_u:object_r:user_home_t
Target Objects:   
/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session 
[ file ]
Source:   	semodule
Source Path:   	/usr/sbin/semodule
Port:   	<Unknown>
Host:   	C5.aardvark.com.au
Source RPM Packages:   	policycoreutils-1.33.12-14.el5
Target RPM Packages:   	
Policy RPM:   	selinux-policy-2.4.6-203.el5
Selinux Enabled:   	True
Policy Type:   	targeted
MLS Enabled:   	True
Enforcing Mode:   	Permissive
Plugin Name:   	home_tmp_bad_labels
Host Name:   	C5.aardvark.com.au
Platform:   	Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count:   	1
First Seen:   	Sun Jan 25 14:38:32 2009
Last Seen:   	Sun Jan 25 14:38:32 2009
Local ID:   	5d6e1851-5dc3-49a1-b758-5b33327cdf8f
Line Numbers:   	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc: 
denied { append } for pid=23410 comm="semodule" 
path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session" 
dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0 
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc: 
denied { append } for pid=23410 comm="semodule" 
path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session" 
dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0 
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467): 
arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0 
a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule" 
exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467): 
arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0 
a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule" 
exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)


domg472 g472 wrote:
> Hello,
>
> With regard to procmail, i think your policy is missing a domain
> transition to spamassassin.
>
> A custom policy looking something like the following may or may not
> fix that issue:
>
> mkdir ~/myprocmail; cd ~/myprocmail;
> echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
> echo "require { type procmail_t; }" >> myprocmail.te;
> echo "optional_policy(`" >> myprocmail.te;
> echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
> echo "')" >> myprocmail.te;
>
> make -f /usr/share/selinux/devel/Makefile
> /usr/sbin/semodule -i myprocmail.pp
>
> With regard to webalizer it looks like webalizer is searching
> something in a "bin" directory.
> If you want you can allow this.
>
> mkdir ~/mywebalizer; cd ~mywebalizer;
> echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
> echo "require { type webalizer_t; }" >> mywebalizer.te;
> echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;
>
> make -f /usr/share/selinux/devel/Makefile
> /usr/sbin/semodule -i  mywebalizer.pp
>
> It may be that both procmail and webalizer domains need more access
> after this, but you will notice that if this is the case.
>
> P.s. You may or may not need to escape some of the characters in my example.
>
> Hth,
> Dominick
>

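The quoting problem Richard hit comes from the shell, not from the policy: inside double quotes, the backtick in `echo "optional_policy(\`"` opens a command substitution. The script below is an added example (not from the thread) that writes the same myprocmail.te with a quoted heredoc so the m4 quote characters are written literally, and leaves the build and load step in a separate function that needs selinux-policy-devel and root; the function names are my own.

```shell
#!/bin/sh
# Added example: write the procmail -> spamc transition module source without
# letting the shell interpret the m4 backtick, then build/load it separately.

# write_procmail_te DIR  -> writes DIR/myprocmail.te and prints its path
write_procmail_te() {
    dir="$1"
    mkdir -p "$dir"
    # The quoted 'EOF' delimiter turns off all expansion inside the heredoc,
    # so backticks, single quotes and $ reach the file unchanged.
    cat > "$dir/myprocmail.te" <<'EOF'
policy_module(myprocmail, 0.0.1)

require {
    type procmail_t;
}

# Let procmail_t transition to the spamc domain when it executes spamc.
# optional_policy() keeps the module loadable if the spamassassin policy
# module is not installed.
optional_policy(`
    spamassassin_domtrans_spamc(procmail_t)
')
EOF
    printf '%s\n' "$dir/myprocmail.te"
}

# te_quotes_intact FILE -> exit 0 if both m4 quote lines survived verbatim
te_quotes_intact() {
    grep -q '^optional_policy(`$' "$1" && grep -q "^')\$" "$1"
}

# build_and_load_module DIR -> compile with the devel Makefile and load it.
# Requires selinux-policy-devel and root; not invoked by the test below.
build_and_load_module() {
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile \
        && /usr/sbin/semodule -i myprocmail.pp)
}
```

Run `write_procmail_te ~/myprocmail` and check the file with `te_quotes_intact` before calling `build_and_load_module ~/myprocmail`; if the backtick line is missing, the shell swallowed it again.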