So just where is procmail_t allowed to write/create/rename etc?
Daniel B. Thurman
dant at cdkkt.com
Fri Mar 5 18:20:26 UTC 2010
On 03/05/2010 10:04 AM, Robert Nichols wrote:
> Actually, let me ask that another way. How should I go about finding
> the contexts where procmail_t is allowed to create/delete/rename files?
> I'm getting a flood of AVCs like the ones below and need to figure out
> an appropriate context for some directories that, FWIW, are deep down
> under /srv.
>
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc: denied {
> write } for pid=3017 comm="decode64" name="Received-0305" dev=sda8 ino=7442469
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc: denied {
> add_name } for pid=3017 comm="decode64" name="jARhqK"
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc: denied {
> create } for pid=3017 comm="decode64" name="jARhqK"
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc: denied {
> read write open } for pid=3017 comm="decode64" name="jARhqK" dev=sda8
> ino=5347353 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.645:30181): avc: denied {
> setattr } for pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.725:30183): avc: denied {
> link } for pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=file
>
> node=omega-3x.local type=AVC msg=audit(1267778517.726:30184): avc: denied {
> remove_name } for pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>
> node=omega-3x.local type=AVC msg=audit(1267778517.726:30184): avc: denied {
> unlink } for pid=3017 comm="decode64" name="jARhqK" dev=sda8 ino=5347353
> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=fil
I get all sorts of procmail SELinux issues (not to hijack this thread, but might be related?). Here is one of many:
=================================================
Summary:
SELinux is preventing /usr/bin/procmail "write" access on /var/spool/mqueue.
Detailed Description:
SELinux denied access requested by procmail. It is not expected that this access is required by procmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context system_u:system_r:procmail_t:s0
Target Context system_u:object_r:mqueue_spool_t:s0
Target Objects /var/spool/mqueue [ dir ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host host.domain.com
Source RPM Packages procmail-3.22-25.fc12
Target RPM Packages sendmail-8.14.3-8.fc12
Policy RPM selinux-policy-3.6.32-89.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name host.domain.com
Platform Linux host.domain.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 9
First Seen Tue 02 Mar 2010 03:12:16 AM PST
Last Seen Tue 02 Mar 2010 05:13:03 AM PST
Local ID 5c68ab75-d7e0-4e2d-b380-857eb7e33c68
Line Numbers
Raw Audit Messages
node=host.domain.com type=AVC msg=audit(1267535583.841:38780): avc:
denied { write } for pid=12554 comm="procmail" name="mqueue" dev=sdb8
ino=29627 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
node=host.domain.com type=SYSCALL msg=audit(1267535583.841:38780):
arch=40000003 syscall=5 success=no exit=-13 a0=92f6d68 a1=8441 a2=1b7
a3=1b7 items=0 ppid=12553 pid=12554 auid=4294967295 uid=0 gid=12 euid=0
suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295
comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
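Added example (not part of the thread, and not code from procmail, setroubleshoot or Fedora): a small Python triage script that rejoins AVC records a mail client has wrapped across lines, like the ones quoted above, and tallies, per target type and object class, which permissions procmail_t was denied. That summary is the list of questions to put to the loaded policy, instead of reading denials one at a time. The sample input is built from records quoted in the thread; the function names and the `SAMPLE_AUDIT` constant are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records in the shape quoted in the thread,
# wrapped across lines the way a mail client wraps them. The SYSCALL record
# at the end is there to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc: denied {
write } for pid=3017 comm="decode64" name="Received-0305" dev=sda8 ino=7442469
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
tclass=dir

node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc: denied {
add_name } for pid=3017 comm="decode64" name="jARhqK"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0
tclass=dir

node=omega-3x.local type=AVC msg=audit(1267778517.644:30180): avc: denied {
read write open } for pid=3017 comm="decode64" name="jARhqK" dev=sda8
ino=5347353 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file

node=host.domain.com type=AVC msg=audit(1267535583.841:38780): avc:
denied { write } for pid=12554 comm="procmail" name="mqueue" dev=sdb8
ino=29627 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
node=host.domain.com type=SYSCALL msg=audit(1267535583.841:38780):
arch=40000003 syscall=5 success=no exit=-13 a0=92f6d68 a1=8441 a2=1b7
"""

# A record starts at a line beginning "node=... type=..." (or just "type=...").
RECORD_START = re.compile(r"^(?:node=\S+\s+)?type=")

# Pull the verdict, the permission set in braces, and the three context fields.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

KEY_VALUE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap_records(text):
    """Rejoin wrapped audit records: every line that does not start a new
    record is a continuation of the previous one. Blank lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Parse one unwrapped AVC record into a dict; return None for other types."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KEY_VALUE_RE.findall(record)}
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
    }


def type_field(context):
    """Type component of an SELinux context user:role:type[:level]."""
    return context.split(":")[2]


def summarize_denials(text, source_type="procmail_t"):
    """Group denied permissions by (target type, object class) for one source
    type. Returns {(ttype, tclass): {"perms": set, "names": set, "comms": set}}."""
    summary = defaultdict(lambda: {"perms": set(), "names": set(), "comms": set()})
    for record in unwrap_records(text):
        avc = parse_avc(record)
        if avc is None or avc["verdict"] != "denied":
            continue
        if type_field(avc["scontext"]) != source_type:
            continue
        entry = summary[(type_field(avc["tcontext"]), avc["tclass"])]
        entry["perms"] |= avc["perms"]
        entry["names"].add(avc["name"])
        entry["comms"].add(avc["comm"])
    return dict(summary)


def format_summary(summary):
    """One line per (target type, class): the denied permissions and the names seen."""
    lines = []
    for (ttype, tclass), entry in sorted(summary.items()):
        lines.append(f"{ttype:<16} {tclass:<5} {' '.join(sorted(entry['perms']))}"
                     f"  (names: {', '.join(sorted(entry['names']))})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize_denials(SAMPLE_AUDIT)))
```

Each line of the output is one question to ask the policy on the affected host, for example `sesearch -A -s procmail_t -t var_t -c dir` to list the dir permissions procmail_t already has on var_t; the gap between that list and the denied set is what a relabel or a local module would have to cover. Reading the two cases in the thread this way also separates them: var_t is the generic label, so directories under /srv carrying it are simply not labeled with any type the procmail policy knows about, whereas mqueue_spool_t on /var/spool/mqueue is a specific type and that denial is a question about what the policy intends procmail to do with the sendmail queue.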