On Tue, 2006-06-20 at 16:12 +0100, Paul Howarth wrote:
> Marc Schwartz (via MN) wrote:
> > On Tue, 2006-06-20 at 09:37 -0400, Stephen Smalley wrote:
> >> On Tue, 2006-06-20 at 08:26 -0500, Marc Schwartz wrote:
> >>> Also, note that now I am getting an error when trying to install the
> >>> myclam.pp module:
> >>>
> >>> # semodule -i myclam.pp
> >>> libsepol.scope_copy_callback: myclam: Duplicate declaration in module:
> >>> type/attribute clamscan_tmp_t
> >>> libsemanage.semanage_link_sandbox: Link packages failed
> >>> semodule: Failed!
> >>>
> >>>
> >>> So I presume that there is an update in the version 1.0.1 of the new
> >>> clamav module that conflicts with the declarations in our new module?
> >> Yes, clamscan_tmp_t is defined in the clamav module now, so your
> >> definition can go away. Unlike allow rules, which are just unioned
> >> together (thus, no harm in duplicates), duplicate type declarations are
> >> treated as an error.
> >>
> >>> The current myclam.te is:
> >>>
> >>> # cat myclam.te
> >>> ####### myclam.te #######
> >>> policy_module(myclam, 0.1.2)
> >>>
> >>> require {
> >>> type clamscan_t;
> >>> type procmail_tmp_t;
> >>> type postfix_local_t;
> >>> };
> >>>
> >>> # temp files
> >>> type clamscan_tmp_t;
> >>> files_tmp_file(clamscan_tmp_t)
> >>>
> >>> # Allow clamscan to create and use temp files and dirs
> >>> allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
> >>> allow clamscan_t clamscan_tmp_t:file create_file_perms;
> >>> files_type(clamscan_tmp_t)
> >>> files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
> >>>
> >>> # Allow clamscan to read and write temp files created by procmail
> >>> # (needed for clamassassin)
> >>> allow clamscan_t procmail_tmp_t:file rw_file_perms;
> >>>
> >>> # Allow clamscan output to be piped back into the
> >>> # postfix local delivery process
> >>> allow clamscan_t postfix_local_t:fd use;
> >>> allow clamscan_t postfix_local_t:fifo_file write;
> >
> > Thanks Stephen.
> >
> > So is it sufficient to simply remove the:
> >
> > type clamscan_tmp_t;
> >
> > line and retain the rest of the content or are the other changes that
> > should be made in light of the new clamav module?
> >
> > Paul, I presume that you will also want to increment the version number?
>
> Try this one:
>
> policy_module(myclamscan, 0.2.0)
>
> require {
> type clamscan_t;
> type postfix_local_t;
> type procmail_tmp_t;
> };
>
> # temp files
> # Included in selinux-policy-2.2.43-4
> #type clamscan_tmp_t;
> #files_tmp_file(clamscan_tmp_t)
>
> # Allow clamscan to create and use temp files and dirs
> # Included in selinux-policy-2.2.43-4
> #allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
> #allow clamscan_t clamscan_tmp_t:file create_file_perms;
> #files_type(clamscan_tmp_t)
> #files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
>
> # Allow clamscan to read and write temp files created by procmail
> # (needed for clamassassin)
> allow clamscan_t procmail_tmp_t:file rw_file_perms;
>
> # Allow clamscan output to be piped back into the
> # postfix local delivery process
> allow clamscan_t postfix_local_t:fd use;
> allow clamscan_t postfix_local_t:fifo_file write;
OK. Done.
Also, just to confirm that you are explicitly changing the policy name
from myclam to myclamscan?
> > Also, as an FYI, this is the second time that I have experienced an RPM
> > related error with the policies. Paul, you may recall a few weeks ago,
> > there was a partial install of an update RPM, which was not actually
> > loaded, but rpm reported both versions being installed. Not sure if this
> > is unique to my system or if others may be having any issues. I have not
> > checked Bugzilla for any reports on these.
>
> This is not something I've been seeing here. Might be worth peeking
> through your logs for the time the update was applied to see if there
> was anything strange happening.
Nothing in the logs to indicate a problem. The new rpms were installed
on June 13, with no errors noted.
BTW, I am now getting the following messages with avclist, since the
loading of the updated policies today:
type=AVC msg=audit(1150817767.142:753): avc: denied { getattr } for pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150817767.142:753): arch=40000003 syscall=195 success=no exit=-13 a0=a22fb98 a1=92360c8 a2=4891eff4 a3=a22fb98 items=1 pid=2268 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"type=AVC_PATH msg=audit(1150817767.142:753): path="/usr/bin/pyzor"
type=CWD msg=audit(1150817767.142:753): cwd="/"
type=PATH msg=audit(1150817767.142:753): item=0 name="/usr/bin/pyzor" flags=1 inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150817767.142:754): avc: denied { getattr } for pid=2268 comm="spamd" name="pyzor" dev=hdc7 ino=3140757 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:pyzor_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1150817767.142:754): arch=40000003 syscall=195 success=no exit=-13 a0=a22fb98 a1=92360c8 a2=4891eff4 a3=a22fb98 items=1 pid=2268 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"type=AVC_PATH msg=audit(1150817767.142:754): path="/usr/bin/pyzor"
type=CWD msg=audit(1150817767.142:754): cwd="/"
type=PATH msg=audit(1150817767.142:754): item=0 name="/usr/bin/pyzor" flags=1 inode=3140757 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
Thanks,
Marc
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
