Fedora 16 and procmail
David Highley
dhighley at highley-recommended.com
Wed Jan 25 14:26:53 UTC 2012
"Miroslav Grepl wrote:"
>
> On 01/22/2012 03:33 AM, David Highley wrote:
> > module myprocmail 1.0;
> >
> > require {
> > type quota_db_t;
> > type etc_aliases_t;
> > type procmail_t;
> > type admin_home_t;
> > type spamc_t;
> > type shadow_t;
> > class file { getattr read open append lock };
> > class dir { getattr read open write };
> > class capability { dac_read_search dac_override };
> > }
> >
> > #============= procmail_t ==============
> > allow procmail_t etc_aliases_t:file { getattr read open };
> > allow procmail_t quota_db_t:file { getattr append open lock };
>
> > allow procmail_t admin_home_t:dir write;
> > allow procmail_t admin_home_t:file open;
> > allow spamc_t self:capability { dac_read_search dac_override };
> > allow spamc_t shadow_t:file read;
> >
> Could you attach raw AVC msgs for these rules? What is procmail writing
> to admin homedir?
After correcting some labels, removing the above policy. We are now only
seeing these AVC:
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:07 2012
type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
More information about the selinux
mailing list