On Tue, 2006-05-30 at 14:47 -0500, Marc Schwartz (via MN) wrote:
> <snipped some content for space>
>
> On Tue, 2006-05-30 at 20:05 +0100, Paul Howarth wrote:
> > On Tue, 2006-05-30 at 13:41 -0500, Marc Schwartz (via MN) wrote:
> > > On Tue, 2006-05-30 at 16:32 +0100, Paul Howarth wrote:
> > > > If you run SELinux in permissive mode and post the AVCs that get logged
> > > > when procmail is running, it should be possible to get this fixed.
> > >
> > > Paul,
> > >
> > > Thanks for the reply.
> > >
> > > I have re-booted with SELinux in Permissive Mode.
> > >
> > > However, while procmail is working still, I see no avc messages at all
> > > in /var/log/messages that would seemingly be related here. There are
> > > other avc's there, most of which appear to be related to the boot
> > > process and the relabelling of files subsequent to having disabled
> > > SELinux earlier.
> > >
> > > Is this something more subtle or is there someplace else that I should
> > > be looking?
> >
> > Perhaps you have auditd running, and have AVCs logged
> > to /var/log/audit/audit.log instead?
>
> Yep. That's it.
>
> Thanks to Tom also for pointing this out.
>
>
> For reference, here is my ~/.procmailrc:
>
> # Scan for viruses using ClamAV + clamassassin
> :0 fw
> | /usr/local/bin/clamassassin
>
> # Scan with SpamAssassin (+ razor, pyzor and dcc)
> :0 fw
> | /usr/bin/spamc -s 256000
>
>
> I'm not sure how much you might need/want, but here is a sampling. I
> tried to catch what appear to be complete "cycles" in each case.
>
> Here are some using grep 'procmail':
>
> type=AVC_PATH msg=audit(1149015973.940:563): path="/home/marcs/.procmailrc"
> type=PATH msg=audit(1149015973.940:563): item=0 name="/home/marcs/.procmailrc" flags=1 inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149015973.940:564): avc: denied { read } for pid=11095 comm="procmail" name=".procmailrc" dev=dm-0 ino=426353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149015973.940:564): arch=40000003 syscall=5 success=yes exit=4 a0=9337d60 a1=8000 a2=0 a3=8000 items=1 pid=11095 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
> type=PATH msg=audit(1149015973.940:564): item=0 name="/home/marcs/.procmailrc" flags=101 inode=426353 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00

This one's a labelling problem. I don't think you should have anything
labelled file_t on the system. Try changing the context of ~/.procmailrc
to user_home_t.

> type=AVC msg=audit(1149015973.956:565): avc: denied { execute } for pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149015973.956:565): avc: denied { execute_no_trans } for pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file

This needs a policy change. There needs to be a domain transition from
procmail_t to (I think) clamscan_exec_t. This could be done with a policy
module in the short term, and when it's working properly, publish the fix
on fedora-selinux-list and it should get included in the main policy.

> type=AVC msg=audit(1149015973.956:565): avc: denied { read } for pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149015973.960:566): avc: denied { search } for pid=11101 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1149015973.960:566): avc: denied { read } for pid=11101 comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015973.960:567): avc: denied { getattr } for pid=11101 comm="clamscan" name="daily.cvd" dev=hdc5 ino=29403 scontext=system_u:system_r:procmail_t:s0 tcontext=user_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015973.972:568): avc: denied { read } for pid=11105 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1149015973.972:569): avc: denied { getattr } for pid=11105 comm="clamscan" name="clamav" dev=hdc5 ino=30881 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1149015973.972:570): avc: denied { read } for pid=11105 comm="clamscan" name="main.cvd" dev=hdc5 ino=30890 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015973.972:571): avc: denied { getattr } for pid=11105 comm="clamscan" name="main.cvd" dev=hdc5 ino=30890 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1149015974.368:572): avc: denied { write } for pid=11105 comm="clamscan" name="main.ndb" dev=hdc6 ino=146248 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.368:573): avc: denied { read } for pid=11105 comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.532:574): avc: denied { create } for pid=11105 comm="clamscan" name="main.zmd" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.532:575): avc: denied { getattr } for pid=11105 comm="clamscan" name="main.zmd" dev=hdc6 ino=146249 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.532:576): avc: denied { unlink } for pid=11105 comm="clamscan" name="clamav-5f6ea15f5332ca86" dev=hdc6 ino=30 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1149015974.992:577): avc: denied { search } for pid=11105 comm="clamscan" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:578): avc: denied { read } for pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:579): avc: denied { setattr } for pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:580): avc: denied { write } for pid=11105 comm="clamscan" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:580): avc: denied { remove_name } for pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.444:580): avc: denied { rmdir } for pid=11105 comm="clamscan" name="clamav-a0ba2088c392494c" dev=hdc6 ino=146243 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.452:581): avc: denied { add_name } for pid=11105 comm="clamscan" name="clamav-c8c20a1e39aef1bc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015975.452:581): avc: denied { create } for pid=11105 comm="clamscan" name="clamav-c8c20a1e39aef1bc" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

I bet the domain transition would fix all of these.

> Here are some using grep 'postfix':
>
> type=SYSCALL msg=audit(1149014661.600:328): arch=40000003 syscall=196 success=no exit=-2 a0=9769930 a1=bf8a4b80 a2=580ff4 a3=3 items=1 pid=8367 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="local" exe="/usr/libexec/postfix/local"
> type=CWD msg=audit(1149014661.600:328): cwd="/var/spool/postfix"
> type=CWD msg=audit(1149014661.604:329): cwd="/var/spool/postfix"
> type=CWD msg=audit(1149014661.604:330): cwd="/var/spool/postfix"
> type=AVC msg=audit(1149014770.075:378): avc: denied { search } for pid=8646 comm="local" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

That looks like a mis-labelled directory.

> Some using grep 'pyzor'. Note that neither 'razor' nor 'dcc' are showing
> up curiously:
>
> type=AVC_PATH msg=audit(1149015851.011:541): path="/home/marcs/.pyzor"
> type=PATH msg=audit(1149015851.011:541): item=0 name="/home/marcs/.pyzor" flags=1 inode=427255 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149015851.015:542): avc: denied { getattr } for pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
> type=SYSCALL msg=audit(1149015851.015:542): arch=40000003 syscall=195 success=yes exit=0 a0=86c1fb0 a1=bf9b8da8 a2=4891eff4 a3=868e1b0 items=1 pid=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> type=AVC_PATH msg=audit(1149015851.015:542): path="/home/marcs/.pyzor/servers"
> type=PATH msg=audit(1149015851.015:542): item=0 name="/home/marcs/.pyzor/servers" flags=1 inode=427256 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149015851.015:543): avc: denied { search } for pid=10802 comm="pyzor" name="marcs" dev=dm-0 ino=425153 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.015:543): avc: denied { read } for pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
> type=SYSCALL msg=audit(1149015851.015:543): arch=40000003 syscall=5 success=yes exit=3 a0=87273d0 a1=8000 a2=1b6 a3=86e0b90 items=1 pid=10802 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="pyzor" exe="/usr/bin/python"
> type=PATH msg=audit(1149015851.015:543): item=0 name="/home/marcs/.pyzor/servers" flags=101 inode=427256 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149015851.027:544): avc: denied { search } for pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.027:544): avc: denied { write } for pid=10802 comm="pyzor" name="/" dev=hdc6 ino=2 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.027:544): avc: denied { add_name } for pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149015851.027:544): avc: denied { create } for pid=10802 comm="pyzor" name="bBOXo3" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

Those look to me like things that should be allowed but I don't know
anything about pyzor so maybe it can be used differently?

> More with grep 'spamd':
>
> type=AVC msg=audit(1149017045.372:768): avc: denied { search } for pid=1949 comm="spamd" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
> type=SYSCALL msg=audit(1149017045.372:768): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=PATH msg=audit(1149017045.372:768): item=0 name="/home/marcs/.spamassassin/user_prefs" flags=1 inode=1193881 dev=fd:00 mode=0100664 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017045.380:769): avc: denied { getattr } for pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017045.380:769): arch=40000003 syscall=195 success=yes exit=0 a0=a3a19c0 a1=9ffa0c8 a2=4891eff4 a3=a3a19c0 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=AVC_PATH msg=audit(1149017045.380:769): path="/home/marcs/.spamassassin/bayes_toks"
> type=PATH msg=audit(1149017045.380:769): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=1 inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017045.380:770): avc: denied { read } for pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017045.380:770): arch=40000003 syscall=5 success=yes exit=8 a0=b1db3b8 a1=8000 a2=0 a3=8000 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=PATH msg=audit(1149017045.380:770): item=0 name="/home/marcs/.spamassassin/bayes_toks" flags=101 inode=1193882 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017047.188:771): avc: denied { append } for pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017047.188:771): arch=40000003 syscall=5 success=yes exit=10 a0=b8211d8 a1=8441 a2=1b6 a3=8441 items=1 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=PATH msg=audit(1149017047.188:771): item=0 name="/home/marcs/.spamassassin/bayes_journal" flags=310 inode=1193874 dev=fd:00 mode=040755 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017047.188:772): avc: denied { ioctl } for pid=1949 comm="spamd" name="bayes_journal" dev=dm-0 ino=2338489 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> type=SYSCALL msg=audit(1149017047.188:772): arch=40000003 syscall=54 success=no exit=-25 a0=a a1=5401 a2=bf84f5d8 a3=bf84f618 items=0 pid=1949 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
> type=AVC_PATH msg=audit(1149017047.188:772): path="/home/marcs/.spamassassin/bayes_journal"
> type=AVC msg=audit(1149017047.828:791): avc: denied { write } for pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

More mislabelled files. I think you need to relabel the system.

> Finally with grep "clamassassin":
>
> type=SYSCALL msg=audit(1149016209.330:652): arch=40000003 syscall=5 success=yes exit=3 a0=99e48c0 a1=8241 a2=1b6 a3=8241 items=1 pid=11646 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=PATH msg=audit(1149016209.330:652): item=0 name="/tmp/clamassassinmsg.jSBOI11644" flags=310 inode=2 dev=16:06 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149016209.330:653): avc: denied { getattr } for pid=11646 comm="cat" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC_PATH msg=audit(1149016209.330:653): path="/tmp/clamassassinmsg.jSBOI11644"
> type=AVC msg=audit(1149016209.334:654): avc: denied { execute } for pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149016209.334:654): avc: denied { execute_no_trans } for pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149016209.334:654): avc: denied { read } for pid=11647 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=AVC msg=audit(1149016209.346:657): avc: denied { read } for pid=11651 comm="clamassassin" name="clamassassinmsg.jSBOI11644" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1149016209.346:657): arch=40000003 syscall=5 success=yes exit=3 a0=99e1190 a1=8000 a2=0 a3=8000 items=1 pid=11651 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=PATH msg=audit(1149016209.346:657): item=0 name="/tmp/clamassassinmsg.jSBOI11644" flags=101 inode=28 dev=16:06 mode=0100600 ouid=500 ogid=500 rdev=00:00
> type=AVC msg=audit(1149017043.144:752): avc: denied { add_name } for pid=13192 comm="mktemp" name="clamassassinmsg.QRJvd13192" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1149017043.144:752): avc: denied { create } for pid=13192 comm="mktemp" name="clamassassinmsg.QRJvd13192" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=PATH msg=audit(1149017043.144:752): item=0 name="/tmp/clamassassinmsg.QRJvd13192" flags=310 inode=2 dev=16:06 mode=041777 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149017043.152:753): avc: denied { write } for pid=13194 comm="clamassassin" name="clamassassinmsg.QRJvd13192" dev=hdc6 ino=28 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

These are clamassassin running in the procmail domain. I think the domain
transition mentioned above would probably fix these.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
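The reply above sorts the denials into three buckets: objects labelled file_t (fix by relabelling, not by policy), the missing procmail_t to clamscan domain transition (fix with a policy module), and the clamscan/clamassassin denials in tmp_t and clamd_var_lib_t that are only a consequence of clamscan running in the caller's domain. The script below is an added example, not part of the thread or of any SELinux tool; it applies those same rules to AVC records copied from the audit.log excerpts above, and the verdict strings and the two-pass "untransitioned program" heuristic are my own.

```python
import re

# Five AVC records copied from the audit.log excerpts quoted in the thread,
# one for each kind of diagnosis the reply makes.
SAMPLE_AVCS = """\
type=AVC msg=audit(1149015973.940:564): avc: denied { read } for pid=11095 comm="procmail" name=".procmailrc" dev=dm-0 ino=426353 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1149015973.956:565): avc: denied { execute_no_trans } for pid=11101 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
type=AVC msg=audit(1149015974.532:574): avc: denied { create } for pid=11105 comm="clamscan" name="main.zmd" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1149017045.380:769): avc: denied { getattr } for pid=1949 comm="spamd" name="bayes_toks" dev=dm-0 ino=1193882 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1149015851.015:542): avc: denied { getattr } for pid=10802 comm="pyzor" name="servers" dev=dm-0 ino=427256 scontext=system_u:system_r:pyzor_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# Verdict labels (my own wording, following the reply's reasoning).
MISLABELLED = "mislabelled target (file_t): relabel, do not write policy"
NO_TRANSITION = "missing domain transition: needs a policy module"
WRONG_DOMAIN = "side effect of the missing transition: helper runs in caller's domain"
REVIEW = "review: may need an allow rule, or a different configuration"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC fields as a dict plus the source/target SELinux types."""
    m = AVC_RE.search(line)
    if not m:
        return None                      # SYSCALL, PATH, CWD etc. are skipped
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(text):
    """Group AVC denials by the kind of fix they call for."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    # Pass 1: programs some domain executed without a transition. Later
    # denials for that program in the same source domain are consequences
    # of the missing transition, not separate policy gaps.
    untransitioned = {(r["stype"], r["name"]) for r in recs
                      if "execute_no_trans" in r["perms"]}
    results = {}
    for r in recs:
        if r["ttype"] == "file_t":       # unlabelled object, never a policy fix
            verdict = MISLABELLED
        elif "execute_no_trans" in r["perms"]:
            verdict = NO_TRANSITION
        elif (r["stype"], r["comm"]) in untransitioned:
            verdict = WRONG_DOMAIN
        else:
            verdict = REVIEW
        results.setdefault(verdict, []).append(
            (r["comm"], r["stype"], r["ttype"], " ".join(r["perms"])))
    return results

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_AVCS).items():
        print(verdict)
        for hit in hits:
            print("   ", hit)
```

Run it against a real audit.log by passing the file contents to triage(); the REVIEW bucket is the only one where adding allow rules is even a candidate, and then only after the file_t objects have been relabelled.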