Fedora 16 and procmail

David Highley dhighley at highley-recommended.com
Wed Jan 25 14:26:53 UTC 2012


Miroslav Grepl wrote:
> 
> On 01/22/2012 03:33 AM, David Highley wrote:
> > module myprocmail 1.0;
> >
> > require {
> >          type quota_db_t;
> >          type etc_aliases_t;
> >          type procmail_t;
> >          type admin_home_t;
> >          type spamc_t;
> >          type shadow_t;
> >          class file { getattr read open append lock };
> >          class dir  { getattr read open write };
> >          class capability { dac_read_search dac_override };
> > }
> >
> > #============= procmail_t ==============
> > allow procmail_t etc_aliases_t:file { getattr read open };
> > allow procmail_t quota_db_t:file { getattr append open lock };
> 
> > allow procmail_t admin_home_t:dir write;
> > allow procmail_t admin_home_t:file open;
> > allow spamc_t self:capability { dac_read_search dac_override };
> > allow spamc_t shadow_t:file read;
> >
> Could you attach raw AVC msgs for these rules? What is procmail writing 
> to admin homedir?

After correcting some labels and removing the above policy, we are now only
seeing these AVCs:

----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.521:1222): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.521:1222): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:07 2012
type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491307.991:1224): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability

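The records above are what audit2allow would be fed to generate a rule. As an added example (not code from this thread or from the SELinux tools), the script below parses raw AVC records into the TE rule audit2allow would propose, and decodes the paired SYSCALL record so the denial can be read in context: on x86_64 (arch=c000003e) syscall 2 is open(2), exit=-13 is EACCES, a1=80000 is O_RDONLY|O_CLOEXEC, and uid=0 shows spamassassin running as root. The sample input is copied from the thread above and embedded as constructed test data; the syscall, flag and errno tables are assumptions kept to the values this event needs.

```python
"""Parse raw SELinux audit records: derive audit2allow-style rules from AVC
records and decode the SYSCALL record that accompanies them."""
import re
from collections import defaultdict

# Constructed sample: one event (SYSCALL + two AVC records) copied from the thread.
SAMPLE = """\
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
"""

# Records are single lines, so '.' never crosses into the next record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL .*?arch=(?P<arch>\w+) syscall=(?P<nr>\d+) .*?exit=(?P<exit>-?\d+) '
    r'a0=(?P<a0>\w+) a1=(?P<a1>\w+) .*? uid=(?P<uid>\d+) ')  # ' uid=' so auid= is skipped

# Assumed lookup tables, deliberately minimal: x86_64 syscall numbers, open(2)
# flag bits (octal, as in <fcntl.h>) and errno values relevant to this event.
X86_64_SYSCALLS = {2: 'open', 257: 'openat'}
O_ACCMODE, O_CREAT, O_CLOEXEC = 0o3, 0o100, 0o2000000
ERRNO = {-13: 'EACCES', -2: 'ENOENT'}


def parse_avc(text):
    """Yield (scontext, tcontext, tclass, [permissions]) for each AVC denial."""
    for m in AVC_RE.finditer(text):
        yield m['scontext'], m['tcontext'], m['tclass'], m['perms'].split()


def type_of(ctx):
    """user:role:type:level -> type."""
    return ctx.split(':')[2]


def derive_rules(text):
    """Collapse denials into TE allow rules the way audit2allow does: one rule
    per (source type, target type, class), written as 'self' when the source
    and target types match (a capability check is always against self)."""
    perms = defaultdict(set)
    for sctx, tctx, tclass, ps in parse_avc(text):
        perms[(type_of(sctx), type_of(tctx), tclass)].update(ps)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        target = 'self' if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(ps))} }};")
    return rules


def decode_syscall(text):
    """Decode the first SYSCALL record: which call failed, with what errno,
    which open(2) flags were requested and which uid the process ran as."""
    m = SYSCALL_RE.search(text)
    if not m:
        return None
    nr = int(m['nr'])
    name = X86_64_SYSCALLS.get(nr, str(nr)) if m['arch'] == 'c000003e' else str(nr)
    flags = int(m['a1'], 16)
    access = {0: 'O_RDONLY', 1: 'O_WRONLY', 2: 'O_RDWR'}.get(flags & O_ACCMODE, 'O_ACCMODE?')
    extra = [n for bit, n in ((O_CREAT, 'O_CREAT'), (O_CLOEXEC, 'O_CLOEXEC')) if flags & bit]
    return {
        'syscall': name,
        'errno': ERRNO.get(int(m['exit']), m['exit']),
        'flags': [access] + extra,
        'uid': int(m['uid']),
    }


if __name__ == '__main__':
    for rule in derive_rules(SAMPLE):
        print(rule)
    print(decode_syscall(SAMPLE))
```

Run against the sample, this prints `allow spamc_t self:capability { dac_override dac_read_search };`, which is the rule audit2allow would also produce. The decoded SYSCALL record is the more useful part for deciding whether to add it: the process is root (uid=0) opening a file read-only and falling back on CAP_DAC_READ_SEARCH/CAP_DAC_OVERRIDE, which means the file it reached for is not readable through its normal owner/group/mode bits. Granting dac_override to spamc_t would let it bypass DAC checks on every file; fixing the ownership or mode of the one file it actually needs keeps the domain confined. Because no PATH record is present in the event, the path itself has to be found by other means (for example by checking which file spamassassin opens at that point).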
