Re: Denials from spamc and webalizer on Centos 5.2

Sorry Dominick - I pasted the wrong error into this email. I've pasted the right one below.

Richard Chapman wrote:
Hi Dominick

It has taken me a while to decide to go ahead with your suggestion below... (I think I was hoping the problem would go away...:-)) and it looks like I am heading in the right direction - but there is a little more work to do.

There seemed to be a problem with the quotes in the line:

echo "optional_policy(`" >> myprocmail.te;

but I edited the .te file - and the make worked fine - after I installed the selinux-policy-devel package. Here is myprocmail.te:

policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`spamassassin_domtrans_spamc(procmail_t)')

I installed the policy file using the GUI SELinux Administration tool.

I think we have got rid of the procmail error - but now we have a new error (see below). I'm guessing I need another line or two in my myprocmail.te file. Can you tell me what it is I need? I'm pretty sure this is a new error - which might suggest that there is something wrong with the above policy file?

I haven't tried the webalizer changes yet. I have turned webalizer off for the time being.

Many thanks

Richard.

Summary
SELinux is preventing spamc (spamc_t) "write" to pipe (postfix_local_t).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by spamc. It is not expected that this access is required by spamc and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ <http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385> Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report <http://bugzilla.redhat.com/bugzilla/enter_bug.cgi> against this package.
Additional Information

Source Context:   	system_u:system_r:spamc_t
Target Context:   	system_u:system_r:postfix_local_t
Target Objects:   	pipe [ fifo_file ]
Source:   	spamc
Source Path:   	/usr/bin/spamc
Port:   	<Unknown>
Host:   	C5.aardvark.com.au
Source RPM Packages:   	spamassassin-3.2.4-1.el5
Target RPM Packages:   	
Policy RPM:   	selinux-policy-2.4.6-203.el5
Selinux Enabled:   	True
Policy Type:   	targeted
MLS Enabled:   	True
Enforcing Mode:   	Permissive
Plugin Name:   	catchall
Host Name:   	C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count:   	8
First Seen:   	Mon Jan 26 14:24:43 2009
Last Seen:   	Mon Jan 26 17:10:19 2009
Local ID:   	8cff6375-1acd-4f86-bb7f-7c99129a9a2b
Line Numbers:   	

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc: denied { write } for pid=17103 comm="spamc" path="pipe:[224027]" dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

host=C5.aardvark.com.au type=SYSCALL msg=audit(1232957419.466:2987): arch=c000003e syscall=59 success=yes exit=0 a0=ac072e0 a1=ac09310 a2=ac09260 a3=8 items=0 ppid=17102 pid=17103 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)



domg472 g472 wrote:
Hello,

With regard to procmail, I think your policy is missing a domain
transition to spamassassin.

A custom policy looking something like the following may or may not
fix that issue:

mkdir ~/myprocmail; cd ~/myprocmail;
echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
echo "require { type procmail_t; }" >> myprocmail.te;
echo "optional_policy(\`" >> myprocmail.te;
echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
echo "')" >> myprocmail.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i myprocmail.pp

With regard to webalizer it looks like webalizer is searching
something in a "bin" directory.
If you want you can allow this.

mkdir ~/mywebalizer; cd ~/mywebalizer;
echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
echo "require { type webalizer_t; }" >> mywebalizer.te;
echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;

make -f /usr/share/selinux/devel/Makefile
/usr/sbin/semodule -i mywebalizer.pp

It may be that both procmail and webalizer domains need more access
after this, but you will notice that if this is the case.

P.s. You may or may not need to escape some of the characters in my example.

Hth,
Dominick


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
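Added example, not part of the thread above and not anyone's posted code: a small POSIX shell script that writes the two .te modules Dominick describes using printf, so the m4 quote characters ` and ' reach the file intact (the backtick inside echo "..." is what tripped Richard up: in double quotes it opens a command substitution), builds and installs them only when the selinux-policy-devel Makefile is present, and pulls the source type, target type, object class and permission out of a raw AVC record such as the one in Richard's report. The interface names are the ones used in the thread; the module and directory names, and the choice to wrap every interface call in optional_policy(), are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: interface names as
# used in the thread; module/directory names are arbitrary; build and
# install need selinux-policy-devel and root, as the thread states.

# write_te DIR NAME REQUIRED_TYPE INTERFACE_CALL...
# Writes DIR/NAME.te and prints its path. Each interface call is wrapped in
# optional_policy(`...') so the module still loads when the module that
# defines the interface is absent (harmless for core ones like corecmd_*).
write_te() {
    te_dir=$1; te_name=$2; te_type=$3; shift 3
    mkdir -p "$te_dir"
    {
        printf 'policy_module(%s, 0.0.1)\n' "$te_name"
        printf 'require { type %s; }\n' "$te_type"
        for call in "$@"; do
            # \` inside double quotes is a literal backtick; in
            # echo "optional_policy(`" it started a command substitution.
            printf "optional_policy(\`\n\t%s\n')\n" "$call"
        done
    } > "$te_dir/$te_name.te"
    printf '%s\n' "$te_dir/$te_name.te"
}

# build_and_install DIR NAME: compile the .te files in DIR with the
# refpolicy devel Makefile (as in the thread) and load DIR/NAME.pp.
# Returns 2 without doing anything when the Makefile is missing, i.e.
# when selinux-policy-devel is not installed.
build_and_install() {
    bi_dir=$1; bi_name=$2
    mk=/usr/share/selinux/devel/Makefile
    if [ ! -f "$mk" ]; then
        printf 'skip: %s not found (install selinux-policy-devel)\n' "$mk" >&2
        return 2
    fi
    (cd "$bi_dir" && make -f "$mk") || return 1
    /usr/sbin/semodule -i "$bi_dir/$bi_name.pp"
}

# avc_summary RAW_AVC_LINE: print "SOURCE_TYPE TARGET_TYPE CLASS PERMISSION"
# for one AVC record. Those four fields are what you grep for in
# /usr/share/selinux/devel/include when looking for a matching interface.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*avc: *denied *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\)[^ ]* *tcontext=[^:]*:[^:]*:\([a-z_]*\)[^ ]* *tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# The AVC record from Richard's report above (one copy).
SAMPLE_AVC='host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc: denied { write } for pid=17103 comm="spamc" path="pipe:[224027]" dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file'

# Stand-alone run: write both modules to a scratch directory, show the
# procmail one, decode the AVC, and build/install only if the devel
# Makefile exists (otherwise build_and_install just reports the skip).
demo_dir=$(mktemp -d)
write_te "$demo_dir" myprocmail procmail_t 'spamassassin_domtrans_spamc(procmail_t)'
write_te "$demo_dir" mywebalizer webalizer_t 'corecmd_search_bin(webalizer_t)'
cat "$demo_dir/myprocmail.te"
avc_summary "$SAMPLE_AVC"    # spamc_t postfix_local_t fifo_file write
for m in myprocmail mywebalizer; do
    build_and_install "$demo_dir" "$m" || :
done
```

For the new denial in Richard's report (spamc_t writing to a postfix_local_t fifo_file) the thread names no interface, so this example deliberately does not guess one: avc_summary gives the four fields to search for under /usr/share/selinux/devel/include, and if no interface fits, feeding the same raw record to audit2allow -M somename will generate a module with plain allow rules that can then be built and loaded the same way.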
