On Wed, 2008-03-05 at 11:59 -0500, Stephen Smalley wrote:
> On Wed, 2008-03-05 at 16:12 +0000, Arthur Dent wrote:
> > On Wed, Mar 05, 2008 at 10:47:15AM -0500, Stephen Smalley wrote:
> >
> > Hi Stephen,
> >
> > > >
> > > > As a mater of interest, I have a procmail recipe which writes a copy of every
> > > > mail I receive to a backup area on my /dev/sda8 partition, mounted as
> > > > /mnt/backup/ by fstab. (It is an ext3 partition).
> > > >
> > > > I have tried doing:
> > > > "restorecon -v -R /mnt/backup"
> > > > and even:
> > > > "fixfiles relabel"
> > > >
> > > > on this partition, but I gather this will not work. I think that I must
> > > > somehow define a policy for this (and probably other) partition(s), but I am
> > > > unclear as to how to go about this.
> > >
> > > You might try something like this, assuming that you only store mail
> > > files under /mnt/backup and only procmail requires access:
> > >
> > > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > > restorecon -v -R /mnt/backup
> > >
> > Thanks! This is really helpful.
> >
> > > If you need other things to be able to access it, then we'll have to
> > > know more to decide how to label it, or you could possibly move it to a
> > > subdir of /mnt/backup like /mnt/backup/spool that can be devoted to
> > > procmail's use.
> > >
> >
> > Well, before I try the above commands...
> >
> > Generally it is only procmail that needs access, however, I have this file
> > "rotated" by logrotate (run as root) on a monthly basis. It is rotated with
> > the "date" extension and that file is archived by a cron job (root) to DVD.
> >
> > Oh, and I have a daily backup routine that uses "tar" run from a cron job that
> > also includes this directory...
> >
> > Will those things invalidate your suggested solution?
>
> You'll likely need a local policy module then to permit such access
> in addition to the commands above.
> Maybe something like this:
>
> # cat mymailbackup.te
> policy_module(mybackup, 1.0)
> require {
> # Symbols defined outside of this module.
> type system_crond_t;
> type user_crond_t;
> type mail_spool_t;
> }
>
> # Mark mail_spool_t as a log file that can be managed by logrotate.
> logging_log_file(mail_spool_t)
> # Let system and user cron jobs read it.
> read_files_pattern(system_crond_t, mail_spool_t, mail_spool_t)
> read_files_pattern(user_crond_t, mail_spool_t, mail_spool_t)
>
> # make -f /usr/share/selinux/devel/Makefile mybackup.pp
> # semodule -i mybackup.pp
Actually, did you need write access to /mnt/backup from the cron job, or
only read access? The above only gives read access.
Also, on second thought, I suppose that if you are running these as user
cron jobs, they'll run unconfined_t under the default targeted policy
and thus not require any additional rules at all. So you may only need
the logging_log_file() part.
--
Stephen Smalley
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
