On Mon, Feb 02, 2009 at 07:27:25PM +0000, Arthur Dent wrote:
> On Mon, Feb 02, 2009 at 01:52:36PM -0500, Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Arthur Dent wrote:
> > > On Mon, Feb 02, 2009 at 07:01:16PM +0100, Dominick Grift wrote:
> > > #============= spamd_t ==============
> > > allow spamd_t admin_home_t:dir { read write add_name remove_name };
> > > allow spamd_t admin_home_t:file { write getattr read create unlink ioctl
> > > append };
> > This is spamd creating stuff in the /root directory. Not sure if you
> > want to actually allow this. Might want to setup the directory with
> > properly labeling to allow spamd to write there.
> > userdom_read_sysadm_home_content_files(spamd_t)
>
> Hmmm... I was about to say that nothing is run as root WRT spamassassin
> or spamd, but then I looked at the avcs. It seems that razor is the
> offender here:
> avc: denied { getattr } for pid=2200 comm="spamd"
> path="/root/.razor/razor-agent.conf"
>
> (and several others like it)
>
> I don't know if razor can be installed by a non-root user. If not, can I
> (should I?) just do what you suggest below?
>
> > > > What directory?
>
> Could this be /root/.razor/ ?
>
> > You could setup labeling of
> >
> > # semanage fcontext -a -t spamassassin_home_t '/root/.spamassassin(/.*)?'
> > # restorecon -R -v /root
>
> Does this make the command:
> # semanage fcontext -a -t spamassassin_home_t '/root/.razor(/.*)?'
> # restorecon -R -v /root

OK. Forget this... I poked around my filesystem and found that actually
I *did* have razor in my non-privileged user area. However, strangely, I
also had it in /root. The odd thing is that it seems that for the most
part razor would use the /home/mark/.razor files, but on this occasion
(and others clearly) - on a whim - must have used the /root/.razor files
to do its stuff.

I have removed the /root/.razor directory and also removed those items
from my local policy. So far (touching wood here) it seems OK...

Thanks for your help on this...

Mark
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list