So just where is procmail_t allowed to write/create/rename etc?

Daniel B. Thurman dant at cdkkt.com
Fri Mar 5 18:20:26 UTC 2010


On 03/05/2010 10:04 AM, Robert Nichols wrote:
> Actually, let me ask that another way.  How should I go about finding
> the contexts where procmail_t is allowed to create/delete/rename files?
> I'm getting a flood of AVCs like the ones below and need to figure out
> an appropriate context for some directories that, FWIW, are deep down
> under /srv.
>
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc:  denied  {
> write } for  pid=3017 comm="decode64" name="Received-0305" dev=sda8 ino=7442469
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc:  denied  {
> add_name } for  pid=3017 comm="decode64" name="jARhqK"
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc:  denied  {
> create } for  pid=3017 comm="decode64" name="jARhqK"
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc:  denied  {
> read write open } for  pid=3017 comm="decode64" name="jARhqK" dev=sda8
> ino=5347353 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.645:30181): avc:  denied  {
> setattr } for  pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.725:30183): avc:  denied  {
> link } for  pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.726:30184): avc:  denied  {
> remove_name } for  pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> node=omega-3x.local type=AVC msg=audit(1267778517.726:30184): avc:  denied  {
> unlink } for  pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=fil

I get all sorts of procmail selinux issues (not to hijack this thread, but might
be related?).  Here is one of many:

=================================================

Summary:

SELinux is preventing /usr/bin/procmail "write" access on /var/spool/mqueue.

Detailed Description:

SELinux denied access requested by procmail. It is not expected that this access
is required by procmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:mqueue_spool_t:s0
Target Objects                /var/spool/mqueue [ dir ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port <Unknown>
Host                          host.domain.com
Source RPM Packages           procmail-3.22-25.fc12
Target RPM Packages           sendmail-8.14.3-8.fc12
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     host.domain.com
Platform                      Linux host.domain.com 2.6.31.12-174.2.22.fc12.i686
                              #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   9
First Seen                    Tue 02 Mar 2010 03:12:16 AM PST
Last Seen                     Tue 02 Mar 2010 05:13:03 AM PST
Local ID                      5c68ab75-d7e0-4e2d-b380-857eb7e33c68
Line Numbers

Raw Audit Messages

node=host.domain.com type=AVC msg=audit(1267535583.841:38780): avc: 
denied  { write } for  pid=12554 comm="procmail" name="mqueue" dev=sdb8 
ino=29627 scontext=system_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

node=host.domain.com type=SYSCALL msg=audit(1267535583.841:38780): 
arch=40000003 syscall=5 success=no exit=-13 a0=92f6d68 a1=8441 a2=1b7 
a3=1b7 items=0 ppid=12553 pid=12554 auid=4294967295 uid=0 gid=12 euid=0 
suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 
comm="procmail" exe="/usr/bin/procmail" 
subj=system_u:system_r:procmail_t:s0 key=(null)
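The way to answer the original question ("where is procmail_t allowed to create/delete/rename?") is to query the loaded policy with sesearch rather than guess from the denials. The following is an added example, not code from either poster: a shell function that reads AVC records in the format quoted above and prints one sesearch query per unique (source type, object class, permission) triple; the sample records are constructed from the ones in this thread and the function name is an assumption.

```shell
#!/bin/sh
# Constructed sample in the shape of the AVC records quoted in this thread.
AVC_SAMPLE='type=AVC msg=audit(1267778517.644:30180): avc:  denied  { add_name } for  pid=3017 comm="decode64" name="jARhqK" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1267778517.644:30180): avc:  denied  { create } for  pid=3017 comm="decode64" name="jARhqK" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1267778517.644:30180): avc:  denied  { read write open } for  pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_to_sesearch (hypothetical name): read AVC lines on stdin and print one
# "sesearch -A -s SRC -c CLASS -p PERM" query per unique triple.  Running the
# printed queries on the box lists the allow rules; the target column of each
# result is the set of file types the source domain may act on with that
# permission, which is what a directory under /srv would need to be labelled
# as (semanage fcontext -a -t TYPE '/srv/path(/.*)?' followed by restorecon -R).
avc_to_sesearch() {
    awk '
    /type=AVC/ && /denied/ {
        # the permission set sits between "{" and "}"
        p = index($0, "{"); q = index($0, "}")
        perms = substr($0, p + 1, q - p - 1)
        src = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> keep the type field
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, pl, " ")
        for (j = 1; j <= n; j++) {
            key = src " " cls " " pl[j]
            if (!(key in seen)) {
                seen[key] = 1
                printf "sesearch -A -s %s -c %s -p %s\n", src, cls, pl[j]
            }
        }
    }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_to_sesearch
```

Feed it `ausearch -m avc -ts recent` output on the real host to cover the whole flood of denials at once; the queries only read the policy and change nothing.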