Re: Partitions Mounted by fstab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2008-03-06 at 15:53 +0000, Arthur Dent wrote:
> On Thu, Mar 06, 2008 at 03:46:28PM +0000, Arthur Dent wrote:
> > > 
> > > What file in your home directory is clamscan appending to?
> > > Maybe we can put it into a distinct type and protect the rest of your
> > > files?
> > > 
> > Not sure... clamd is used by clamassassin which is called by procmail.
> > 
> > Procmail has local configurations set in various "rc" files in
> > ~/Procmail/ in my home directory. But only procmail would require (read)
> > access to those. Then procmail writes to its log which is
> > ~/Procmail/pmlog (also rotated by logrotate).
> > 
> > I'll try commenting out that line and see what happens...
> > 
> And here's what happens...
> 
> Summary:
> 
> SELinux is preventing the clamdscan from using potentially mislabeled
> files
> (/home/mark/Procmail/pmlog).
> 
> Detailed Description:
> 
> SELinux has denied clamdscan access to potentially mislabeled file(s)
> (/home/mark/Procmail/pmlog). This means that SELinux will not allow
> clamdscan to
> use these files. It is common for users to edit files in their home
> directory or
> tmp directories and then move (mv) them to system directories. The
> problem is
> that the files end up with the wrong file context which confined
> applications
> are not allowed to access.
> 
> Allowing Access:
> 
> If you want clamdscan to access this files, you need to relabel them
> using
> restorecon -v '/home/mark/Procmail/pmlog'. You might want to relabel the
> entire
> directory using restorecon -R -v '/home/mark/Procmail'.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:clamscan_t:s0
> Target Context                system_u:object_r:user_home_t:s0
> Target Objects                /home/mark/Procmail/pmlog [ file ]
> Source                        clamdscan
> Source Path                   /usr/bin/clamdscan
> Port                          <Unknown>
> Host                          mydomain.org.uk
> Source RPM Packages           clamav-0.92.1-1.fc8
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.0.8-87.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   home_tmp_bad_labels
> Host Name                     mydomain.org.uk
> Platform                      Linux mydomain.org.uk 2.6.23.15-137.fc8 #1
> SMP Sun
>                               Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Thu Mar  6 15:48:08 2008
> Last Seen                     Thu Mar  6 15:48:08 2008
> Local ID                      1a0e8006-5ae4-41dc-90e3-419c7c32c2b0
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=mydomain.org.uk type=AVC msg=audit(1204818488.711:155): avc:
> denied  { append } for  pid=3820 comm="clamdscan"
> path="/home/mark/Procmail/pmlog" dev=sda12 ino=1426472
> scontext=system_u:system_r:clamscan_t:s0
> tcontext=system_u:object_r:user_home_t:s0 tclass=file
> 
> host=mydomain.org.uk type=SYSCALL msg=audit(1204818488.711:155):
> arch=40000003 syscall=11 success=yes exit=0 a0=933c210 a1=933aa28
> a2=93381b0 a3=40 items=0 ppid=3816 pid=3820 auid=4294967295 uid=0 gid=12
> euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none)
> comm="clamdscan" exe="/usr/bin/clamdscan"
> subj=system_u:system_r:clamscan_t:s0 key=(null)

Ok, so it is just appending to a log file there, possibly via an
inherited descriptor from the caller.

You could possibly put a different type on ~/Procmail and only give
permissions to that type, but offhand I don't see an existing type that
would fit for that purpose, so you'd have to define a new one.  Likely
more work than you want to deal with right now.

The good news is that it only requires append access, so it cannot
overwrite an existing file's contents even if you allow the above.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux