Re: postfix, procmail and SELinux - No Go

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2006-06-26 at 12:47 -0500, Marc Schwartz (via MN) wrote:
> On Mon, 2006-06-26 at 12:31 +0100, Paul Howarth wrote: 
> > Marc Schwartz wrote:
> > > After loading the updated modules, you'll need to do:
> > >>
> > >> # restorecon -rv /var/dcc
> > > 
> > > Done and new mydcc policy installed:
> > > 
> > > # semodule -l
> > > amavis  1.0.4
> > > clamav  1.0.1
> > > dcc     1.0.0
> > > myclamav        0.1.1
> > > mydcc   0.1.6
> > > mypostfix       0.1.0
> > > mypyzor 0.2.1
> > > myspamassassin  0.1.1
> > > procmail        0.5.4
> > > pyzor   1.0.1
> > > razor   1.0.0
> > > 
> > > 
> > > New avc's:
> > > 
> > > type=AVC msg=audit(1151269000.770:5837): avc:  denied  { search } for  pid=23000 comm="dccproc" name="dcc" dev=dm-1 ino=58510 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1151269000.770:5837): arch=40000003 syscall=12 success=yes exit=0 a0=bfdb1202 a1=0 a2=4891eff4 a3=37 items=1 pid=23000 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 tty=(none) comm="dccproc" exe="/usr/local/bin/dccproc" subj=system_u:system_r:spamd_t:s0
> > > type=CWD msg=audit(1151269000.770:5837):  cwd="/"
> > > type=PATH msg=audit(1151269000.770:5837): item=0 name="/var/dcc" inode=58510 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dcc_var_t:s0
> > 
> > dccproc is still running in the spamd_t domain; for some reason the 
> > domain transition hasn't happened.
> > 
> > Can you check that the dccproc being invoked by spamassassin is the one 
> > in /usr/local/bin and that its context type is dcc_client_exec_t?
> 
> dccproc only exists in two locations:
> 
>   /var/dcc/build/dcc/dccproc/dccproc
> 
> and 
> 
>   /usr/local/bin/dccproc
> 
> The former is where dcc does it's build each night.
> 
> 
> It was:
> 
>   user_u:object_r:bin_t 
> 
> I ran restorecon on it and now:
> 
>   system_u:object_r:dcc_client_exec_t
> 
> 
> However, thinking that the build process might change the context, I
> manually ran updatedcc via sudo from the CLI.  Sure enough, the context
> is back to:
> 
>   user_u:object_r:bin_t
> 
> So the change in context will occur every night. :-(
> 
> Should I add a restorecon to crontab after updatedcc runs?

Yes.

> Also, there is some configuration info here:
> 
>   http://www.rhyolite.com/anti-spam/dcc/dcc-tree/INSTALL.html
> 
> where some settings (ie. UID) might be apropos here. If something makes
> sense to change, let me know.

It looks tricky. There's one script that both compiles and then installs
the updated version. It only needs to be root to do the install, and
would need changing to split the functionality.

Paul.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux