Hi Dominick
It has taken me a while to decide to go ahead with your suggestion
below... (I think I was hoping the problem would go away...:-)) and it
looks like I am heading in the right direction - but there is a little
more work to do.
There seemed to be a problem with the quotes in the line:
echo "optional_policy(`" >> myprocmail.te;
but I edited the .te file - and the make worked fine - after I installed
the selinux-policy-devel package. Here is myprocmail.te:
policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`spamassassin_domtrans_spamc(procmail_t)')
I installed the policy file using teh GUI Selinux Administration tool.
I think we have got rid of the procmail error - but now we have a new
error. (see below). I'm guessing I need another line or two in my
myprocmail.te file. Can you tell me what it is I need? I'm pretty sure
this is a new error - which might suggest that there is something wrong
with the above policy file??
I haven't tried the webalizer changes yet. I have turned webalizer off
for the time being.
Many thanks
Richard.
Summary
SELinux is preventing the semodule from using potentially mislabeled
files
(/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux has denied semodule access to potentially mislabeled file(s)
(/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session).
This means that SELinux will not allow semodule to use these files. It
is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem
is that the files end up with the wrong file context which confined
applications are not allowed to access.
Allowing Access
If you want semodule to access this files, you need to relabel them
using restorecon -v
'/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session'.
You might want to relabel the entire directory using restorecon -R -v
'/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01'.
Additional Information
Source Context: system_u:system_r:semanage_t
Target Context: user_u:object_r:user_home_t
Target Objects:
/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session
[ file ]
Source: semodule
Source Path: /usr/sbin/semodule
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: policycoreutils-1.33.12-14.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-203.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: home_tmp_bad_labels
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec
16 11:57:43 EST 2008 x86_64 x86_64
Alert Count: 1
First Seen: Sun Jan 25 14:38:32 2009
Last Seen: Sun Jan 25 14:38:32 2009
Local ID: 5d6e1851-5dc3-49a1-b758-5b33327cdf8f
Line Numbers:
Raw Audit Messages :
host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc:
denied { append } for pid=23410 comm="semodule"
path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session"
dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc:
denied { append } for pid=23410 comm="semodule"
path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session"
dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467):
arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0
a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule"
exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467):
arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0
a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule"
exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
domg472 g472 wrote:
Hello,
With regard to procmail, i think your policy is missing a domain
transition to spamassassin.
A custom policy looking something like the following may or may not
fix that issue:
mkdir ~/myprocmail; cd ~/myprocmail;
echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
echo "require { type procmail_t; }" >> myprocmail.te;
echo "optional_policy(`" >> myprocmail.te;
echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
echo "')" >> myprocmail.te;
make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myprocmail.pp
With regard to webalizer it looks like webalizer is searching
something in a "bin" directory.
If you want you can allow this.
mkdir ~/mywebalizer; cd ~mywebalizer;
echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
echo "require { type webalizer_t; }" >> mywebalizer.te;
echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;
make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i mywebalizer.pp
It may be that both procmail and webalizer domains need more access
after this, but you will notice that if this is the case.
P.s. You may or may not need to escape some of the characters in my example.
Hth,
Dominick
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
