On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > I have a procmail recipe which writes a copy of every mail I receive
> > (just because I'm paranoid it doesn't mean they aren't out to get me!)
> > to a backup area on my /dev/sda9 partition, mounted as
> > /mnt/backup/ by fstab. (It is an ext3 partition).
> >
> > Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> > prevent the hundreds of avcs by suggesting the following:
> >
> > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > restorecon -v -R /mnt/backup
> >
> > This worked perfectly. It also held true throughout my time with F9. I
> > have now upgraded to F11 (I skipped F10) and it still kind of works. I
> > get an avc when logrotate tries to access these files.
> >
> > The strange thing is this didn't happen under F8 or F9.
> >
> > Is there an elegant solution to this problem or should I write a policy
> > module?
> >
> > This is what audit2allow proposes:
> >
> > module rawmail 1.0;
> >
> > require {
> >     type mail_spool_t;
> >     type logrotate_t;
> >     class file getattr;
> > }
> >
> > #============= logrotate_t ==============
> > allow logrotate_t mail_spool_t:file getattr;
> >
> >
> > The full avc is below.
> >
> > Many thanks for all your help....
> >
> > Mark
>
> Just to add to my own mail...
>
> I employed the above policy module, everything seemed OK so (as this
> seemed to be the last of the problems since upgrading) I switched to
> enforcing mode.
>
> Since doing so I have received no AVCs but I am finding these in my
> maillog:
>
> procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> procmail: Error while writing to "/mnt/backup/mail/rawmail"
>
> Temporarily switching back with setenforce 0 stops them so it is selinux
> related...
>
>
> Also, I get these dovecot messages (although I haven't investigated
> fully if they are selinux related...
>
> **Unmatched Entries**
> dovecot: IMAP(wife): fchown() failed with
> file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> permitted: 1 Time(s)
> dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> permitted: 1 Time(s)
> dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> permitted: 1 Time(s)
> dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> permitted: 3 Time(s)
>
>
> But still no AVCs
>
> Any ideas?

Try semodule -DB to unload any silent denials. Remember that the denials
shown after you do this are meant to be silenced. To reload policy with
the silenced denials: semodule -B.

Also keep an eye on /var/log/messages since the DBUS user space object
manager logs some denials there (if DBUS is at all involved)

hth

>
> Thanks
>
> Mark
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
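The dontaudit toggle suggested in the reply above, worked through as an added example (this is not code from the thread, nor from Fedora's policycoreutils or audit packages). It assumes root on an SELinux host with auditd running and `semodule`/`ausearch` installed; the AVC lines it parses offline are constructed to match the audit2allow output quoted in the thread, not taken from the poster's logs, and the function and variable names are the example's own:

```shell
#!/bin/sh
# Added example, not from the thread: surface denials hidden by dontaudit
# rules around a reproduction step, then restore the policy.
# Assumptions (labelled): run as root on an SELinux host with auditd, and
# semodule/ausearch from policycoreutils/audit are installed.

# Constructed sample audit.log lines (not the poster's real AVC). The first
# matches the audit2allow output quoted in the thread; the second is an
# invented multi-permission denial to show the parser handles it.
SAMPLE_AVCS='type=AVC msg=audit(1250586736.123:456): avc:  denied  { getattr } for  pid=1234 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=12345 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1250586736.123:456): arch=c000003e syscall=4 success=no exit=-13 comm="logrotate"
type=AVC msg=audit(1250586790.001:470): avc:  denied  { read write } for  pid=2345 comm="logrotate" name="rawmail.lock" dev=sda9 ino=12346 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file'

# Reduce raw AVC lines (audit.log or ausearch output) to one
# "source_type target_type class perms" line each; other record types are dropped.
summarize_avcs() {
  awk '/avc: +denied/ {
      perms = ""; s = ""; t = ""; c = ""
      if (match($0, /denied +[{] *[^}]* *[}]/)) {
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied +[{] */, "", perms); sub(/ *[}]$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
        if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
        if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/, "", c) }
      }
      split(s, sa, ":"); split(t, ta, ":")   # user:role:type:level -> type is field 3
      printf "%s %s %s %s\n", sa[3], ta[3], c, perms
  }'
}

# Render summary lines as audit2allow-style rules, for reading only: after
# semodule -DB most of what appears was deliberately silenced by policy.
as_allow_rules() {
  awk '{
      perms = $4
      for (i = 5; i <= NF; i++) perms = perms " " $i
      if (NF > 4) perms = "{ " perms " }"
      printf "allow %s %s:%s %s;\n", $1, $2, $3, perms
  }'
}

# Run a reproduction command with dontaudit rules disabled, list the AVCs
# recorded in the last ten minutes, then put the dontaudit rules back.
reveal_denials() {
  semodule -DB || return 1          # rebuild and load policy without dontaudit rules
  "$@"; rc=$?                       # e.g. reveal_denials logrotate -f /etc/logrotate.conf
  sleep 2                           # give auditd a moment to flush
  ausearch -m AVC -ts recent 2>/dev/null | summarize_avcs | sort -u | as_allow_rules
  semodule -B                       # rebuild with the dontaudit rules restored
  return $rc
}

# Offline run over the constructed sample:
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs | sort -u | as_allow_rules
```

The rules it prints are for triage, not for installing: as the reply says, what shows up with dontaudit disabled was silenced on purpose, so read the tuples to see which domain is being stopped from doing what, and only then decide whether the fix is a label, a boolean, or a local module.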