Re: Denials from spamc and webalizer on Centos 5.2

Hi Dominick

It has taken me a while to decide to go ahead with your suggestion below... (I think I was hoping the problem would go away...:-)) and it looks like I am heading in the right direction - but there is a little more work to do.

There seemed to be a problem with the quotes in the line:

echo "optional_policy(`" >> myprocmail.te;

but I edited the .te file - and the make worked fine - after I installed the selinux-policy-devel package. Here is myprocmail.te:

policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`spamassassin_domtrans_spamc(procmail_t)')

I installed the policy file using the GUI SELinux Administration tool.

I think we have got rid of the procmail error - but now we have a new error. (see below). I'm guessing I need another line or two in my myprocmail.te file. Can you tell me what it is I need? I'm pretty sure this is a new error - which might suggest that there is something wrong with the above policy file??

I haven't tried the webalizer changes yet. I have turned webalizer off for the time being.

Many thanks

Richard.


Summary
SELinux is preventing the semodule from using potentially mislabeled files (/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux has denied semodule access to potentially mislabeled file(s) (/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session). This means that SELinux will not allow semodule to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want semodule to access these files, you need to relabel them using restorecon -v '/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session'. You might want to relabel the entire directory using restorecon -R -v '/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01'.
Additional Information

Source Context:   	system_u:system_r:semanage_t
Target Context:   	user_u:object_r:user_home_t
Target Objects: /root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session [ file ]
Source:   	semodule
Source Path:   	/usr/sbin/semodule
Port:   	<Unknown>
Host:   	C5.aardvark.com.au
Source RPM Packages:   	policycoreutils-1.33.12-14.el5
Target RPM Packages:   	
Policy RPM:   	selinux-policy-2.4.6-203.el5
Selinux Enabled:   	True
Policy Type:   	targeted
MLS Enabled:   	True
Enforcing Mode:   	Permissive
Plugin Name:   	home_tmp_bad_labels
Host Name:   	C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count:   	1
First Seen:   	Sun Jan 25 14:38:32 2009
Last Seen:   	Sun Jan 25 14:38:32 2009
Local ID:   	5d6e1851-5dc3-49a1-b758-5b33327cdf8f
Line Numbers:   	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc: denied { append } for pid=23410 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session" dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467): arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0 a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)


domg472 g472 wrote:
Hello,

With regard to procmail, i think your policy is missing a domain
transition to spamassassin.

A custom policy looking something like the following may or may not
fix that issue:

mkdir ~/myprocmail; cd ~/myprocmail;
echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
echo "require { type procmail_t; }" >> myprocmail.te;
echo 'optional_policy(`' >> myprocmail.te;   # single quotes: a backquote inside "..." starts command substitution
echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
echo "')" >> myprocmail.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myprocmail.pp

With regard to webalizer it looks like webalizer is searching
something in a "bin" directory.
If you want you can allow this.

mkdir ~/mywebalizer; cd ~/mywebalizer;
echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
echo "require { type webalizer_t; }" >> mywebalizer.te;
echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i mywebalizer.pp

It may be that both procmail and webalizer domains need more access
after this, but you will notice that if this is the case.

P.s. You may or may not need to escape some of the characters in my example.

Hth,
Dominick


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
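An added example, not code from either post in this thread: a small POSIX sh script that does the two things the thread is about. It pulls the fields out of a raw AVC record (the semodule denial above, plus a constructed procmail/spamc record that is only assumed to look like the original procmail error) and classifies the denial, because the semodule AVC is a relabel problem (target type user_home_t under /root/.nx) that must not be turned into an allow rule, whereas the procmail one is a real missing transition. It then writes myprocmail.te with a quoted heredoc, which avoids the backquote problem Richard hit with echo "optional_policy(`". The function names, the second sample record and the build_module helper are mine; build_module is the only part that needs the selinux-policy-devel package and root, and it is not run by the checks.

```sh
#!/bin/sh
# Added example (not from the original thread). Runs offline with /bin/sh.

# Sample 1: the AVC record from the setroubleshoot alert above, on one line.
SAMPLE_AVC='type=AVC msg=audit(1232861912.353:38467): avc: denied { append } for pid=23410 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session" dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Sample 2: CONSTRUCTED record of the shape the procmail -> spamc denial
# would have (the thread never quotes it); the pid/ino values are made up.
SAMPLE_AVC_PROCMAIL='type=AVC msg=audit(1232861000.000:1): avc: denied { execute } for pid=1234 comm="procmail" name="spamc" dev=dm-0 ino=1 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of " KEY=..." with quotes stripped;
# return 1 if the key is absent (a leading space keeps pid from matching ppid).
avc_field() {
    rest=${1#* $2=}
    [ "$rest" != "$1" ] || return 1
    case $rest in
        \"*) rest=${rest#\"}; printf '%s\n' "${rest%%\"*}" ;;
        *)   printf '%s\n' "${rest%% *}" ;;
    esac
}

# avc_perm RECORD: the permission(s) inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed 's/.*denied { \([^}]*\) }.*/\1/'
}

# avc_object RECORD: path= if present, else name=, else "?".
avc_object() {
    avc_field "$1" path || avc_field "$1" name || echo '?'
}

# ctx_type CONTEXT: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc RECORD: "relabel" when the target carries a home or tmp type,
# which is what setroubleshoot's home_tmp_bad_labels plugin flags; the fix
# is restorecon on the object, never an allow rule.  Anything else is
# "policy": a rule or a domain transition may genuinely be missing.
classify_avc() {
    case $(ctx_type "$(avc_field "$1" tcontext)") in
        *_home_t|*tmp_t) echo relabel ;;
        *)               echo policy ;;
    esac
}

# avc_summary RECORD: "SOURCE_TYPE PERM TARGET_TYPE:CLASS OBJECT VERDICT".
avc_summary() {
    printf '%s %s %s:%s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_object "$1")" \
        "$(classify_avc "$1")"
}

# write_procmail_te DIR: write DIR/myprocmail.te and print its path.  The
# quoted heredoc (<<'EOF') passes the m4 backquote through literally; inside
# double quotes, as in echo "optional_policy(`", the shell would instead
# open a command substitution.
write_procmail_te() {
    mkdir -p "$1"
    cat > "$1/myprocmail.te" <<'EOF'
policy_module(myprocmail, 0.0.1)

require {
	type procmail_t;
}

# Let procmail execute spamc and transition into the spamc domain.
# The interface lives in the spamassassin module, hence optional_policy.
optional_policy(`
	spamassassin_domtrans_spamc(procmail_t)
')
EOF
    printf '%s\n' "$1/myprocmail.te"
}

# build_module DIR NAME: compile and install the module, then confirm it is
# loaded.  Needs selinux-policy-devel and root; not run by the checks.
build_module() {
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile "$2.pp") &&
    /usr/sbin/semodule -i "$1/$2.pp" &&
    /usr/sbin/semodule -l | grep "^$2"
}

avc_summary "$SAMPLE_AVC"
avc_summary "$SAMPLE_AVC_PROCMAIL"
write_procmail_te "${TMPDIR:-/tmp}/myprocmail"
```

Run as-is it prints one triage line per record and the path of the generated .te file; the semodule record comes out as "relabel" and the procmail one as "policy". To actually install, call build_module "${TMPDIR:-/tmp}/myprocmail" myprocmail as root on the box. The relabel verdict is a heuristic on the target type only: it matches the setroubleshoot advice for this alert, but a file that legitimately belongs in a home directory will also be flagged, so read the path before running restorecon.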
