Fedora 16 and procmail

Miroslav Grepl mgrepl at redhat.com
Mon Jan 23 16:10:20 UTC 2012


On 01/22/2012 03:33 AM, David Highley wrote:
> module myprocmail 1.0;
>
> require {
>          type quota_db_t;
>          type etc_aliases_t;
>          type procmail_t;
>          type admin_home_t;
>          type spamc_t;
>          type shadow_t;
>          class file { getattr read open append lock };
>          class dir  { getattr read open write };
>          class capability { dac_read_search dac_override };
> }
>
> #============= procmail_t ==============
> allow procmail_t etc_aliases_t:file { getattr read open };
> allow procmail_t quota_db_t:file { getattr append open lock };
> allow procmail_t admin_home_t:dir write;
> allow procmail_t admin_home_t:file open;
> allow spamc_t self:capability { dac_read_search dac_override };
> allow spamc_t shadow_t:file read;
>
Could you attach raw AVC msgs for these rules? What is procmail writing 
to admin homedir?


And I think we should add

auth_dontaudit_read_shadow(spamc_t)
> Then every time we do a restorecon -vR for a home directory we get the
> following, and if you repeat the command you will get the same output.
> We did do, semanage fcontext -a -e /home /export/home, so selinux knows
> that this is a home directory structure for NFS automounting.
>
> restorecon -vR /export/home/chighley
> restorecon reset /export/home/chighley/.pyzor context
> system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
> restorecon reset /export/home/chighley/.pyzor/servers context
> system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
> restorecon reset /export/home/chighley/.razor context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/identity context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/razor-agent.log context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c101.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c102.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c103.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c104.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c105.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c118.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c121.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c122.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c123.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c301.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c302.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c303.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c304.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.c305.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.folly.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.joy.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.n001.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.n002.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.n003.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/server.n004.cloudmark.com.conf context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.catalogue.lst
> context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.discovery.lst
> context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.nomination.lst
> context
> unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock
> context
> system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
> restorecon reset
> /export/home/chighley/.razor/servers.nomination.lst.lock context
> system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
We treat spamc and razor policy together using aliases; this is the reason 
why you see it. Nothing is broken.
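The reply above asks for the raw AVC messages behind the posted rules and suggests a dontaudit interface for the shadow read instead of an allow rule. The script below is an added example, not code from the thread or from the Fedora policy project: it parses AVC denial lines of the kind audit2allow consumes and sorts the resulting rules into three buckets, plain allow rules, denials that should become dontaudit calls (shadow_t, via the `auth_dontaudit_read_shadow` interface named in the reply), and denials that need justification before being allowed (DAC-bypass capabilities, and writes into a home directory, which is what the reply questions). The AVC lines are constructed sample input modelled on the posted module's types and permissions; the triage heuristics and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the thread). Domains, types and
# permissions mirror the rules in the posted myprocmail module.
SAMPLE_AVCS = """\
type=AVC msg=audit(1327300000.101:201): avc:  denied  { read } for  pid=2201 comm="procmail" name="aliases" dev="dm-0" ino=1001 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
type=AVC msg=audit(1327300000.102:202): avc:  denied  { open } for  pid=2201 comm="procmail" path="/etc/aliases" dev="dm-0" ino=1001 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
type=AVC msg=audit(1327300000.103:203): avc:  denied  { write } for  pid=2201 comm="procmail" name="root" dev="dm-0" ino=2002 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1327300000.104:204): avc:  denied  { read } for  pid=2250 comm="spamc" name="shadow" dev="dm-0" ino=3003 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1327300000.105:205): avc:  denied  { dac_override } for  pid=2250 comm="spamc" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327300000.106:206): avc:  denied  { dac_read_search } for  pid=2250 comm="spamc" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
"""

# Matches the fixed part of an AVC denial: permission set, then the three
# context fields. Field order (scontext, tcontext, tclass) is what the kernel emits.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Targets whose denials should be silenced, not granted (interface per reply).
DONTAUDIT_INTERFACES = {"shadow_t": "auth_dontaudit_read_shadow"}
# Capabilities that bypass DAC or otherwise widen a domain far beyond its job.
RISKY_CAPS = {"dac_override", "dac_read_search", "sys_admin", "setuid", "setgid"}


def type_of(context: str) -> str:
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avcs(text: str) -> list:
    """Turn raw AVC lines into dicts of source domain, target type, class, perms."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; audit logs carry other records too
        denials.append({
            "sdom": type_of(m.group("scon")),
            "ttype": type_of(m.group("tcon")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def triage(denials: list) -> dict:
    """Merge denials per (domain, type, class) and sort the rules into buckets."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["sdom"], d["ttype"], d["tclass"])] |= d["perms"]

    result = {"allow": [], "dontaudit": [], "review": []}
    for (sdom, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == sdom else ttype  # audit2allow writes self too
        rule = f"allow {sdom} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype in DONTAUDIT_INTERFACES and tclass == "file":
            # Granting shadow reads is never the fix; silence the noise instead.
            result["dontaudit"].append(f"{DONTAUDIT_INTERFACES[ttype]}({sdom})")
        elif tclass == "capability" and perms & RISKY_CAPS:
            result["review"].append(rule + "  # DAC bypass: needs justification")
        elif ttype.endswith("_home_t") and "write" in perms:
            result["review"].append(rule + "  # writing into a home dir: why?")
        else:
            result["allow"].append(rule)
    return result


def render_te(name: str, buckets: dict) -> str:
    """Emit an interface-style .te body; reviewed rules are left commented out."""
    lines = [f"policy_module({name}, 1.0)", ""]
    lines += buckets["allow"] + buckets["dontaudit"]
    lines += ["# " + r for r in buckets["review"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_te("myprocmail", triage(parse_avcs(SAMPLE_AVCS))))
```

Note that `auth_dontaudit_read_shadow()` is a reference-policy interface, so a module using it must be written in the `policy_module()` form and built with the selinux-policy-devel Makefile; the raw `module`/`require` form that audit2allow emits, as in the posted module, only accepts plain allow and dontaudit rules.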