Re: Logrotate on mounted partition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > I have a procmail recipe which writes a copy of every mail I receive
> > (just because I'm paranoid it doesn't mean they aren't out to get me!)
> > to a backup area on my /dev/sda9 partition, mounted as
> > /mnt/backup/ by fstab. (It is an ext3 partition).
> > 
> > Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> > prevent the hundreds of avcs by suggesting the following:
> > 
> > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > restorecon -v -R /mnt/backup
> > 
> > This worked perfectly. It also held true throughout my time with F9. I
> > have now upgraded to F11 (I skipped F10) and it still kind of works. I
> > get an avc when logrotate tries to access these files.
> > 
> > The strange thing is this didn't happen under F8 or F9.
> > 
> > Is there an elegant solution to this problem or should I write a policy
> > module?
> > 
> > This is what audit2allow proposes:
> > 
> > module rawmail 1.0;
> > 
> > require {
> > 	type mail_spool_t;
> > 	type logrotate_t;
> > 	class file getattr;
> > }
> > 
> > #============= logrotate_t ==============
> > allow logrotate_t mail_spool_t:file getattr;
> > 
> > 
> > The full avc is below.
> > 
> > Many thanks for all your help....
> > 
> > Mark
> 
> Just to add to my own mail...
> 
> I employed the above policy module, everything seemed OK so (as this
> seemed to be the last of the problems since upgrading) I switched to
> enforcing mode.
> 
> Since doing so I have received no AVCs but I am finding these in my
> maillog:
> 
> procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> procmail: Error while writing to "/mnt/backup/mail/rawmail"
> 
> Temporarily switching back with setenforce 0 stops them so it is selinux
> related...
> 
> 
> Also, I get these dovecot messages (although I haven't investigated
> fully if they are selinux related...
> **Unmatched Entries**
>     dovecot: IMAP(wife): fchown() failed with
> file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> permitted: 1 Time(s)
>     dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> permitted: 1 Time(s)
>     dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> permitted: 1 Time(s)
>     dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> permitted: 3 Time(s)
>  
> 
> But still no AVCs
> 
> Any ideas?
Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
To reload policy with the silenced denials: semodule -B.

Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)

hth
> 
> Thanks
> 
> Mark
> 



> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Attachment: pgpIKbvnuPAhp.pgp
Description: PGP signature

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux