On 03/05/2010 12:07 PM, Dominick Grift wrote:
> On 03/05/2010 07:04 PM, Robert Nichols wrote:
>> Actually, let me ask that another way. How should I go about finding
>> the contexts where procmail_t is allowed to create/delete/rename files?
>> I'm getting a flood of AVCs like the ones below and need to figure out
>> an appropriate context for some directories that, FWIW, are deep down
>> under /srv.
>
> # sesearch --allow -s procmail_t -c file -p create
> Found 6 semantic av rules:
> allow procmail_t procmail_log_t : file { ioctl create getattr lock
> append open } ;
> allow procmail_t procmail_tmp_t : file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
> allow procmail_t mail_spool_t : file { ioctl read write create
> getattr setattr lock append unlink link rename open } ;
> allow procmail_t user_home_t : file { ioctl read write create getattr
> setattr lock append unlink link rename open } ;
> allow procmail_t cifs_t : file { ioctl read write create getattr
> setattr lock append unlink link rename open } ;
> allow procmail_t nfs_t : file { ioctl read write create getattr
> setattr lock append unlink link rename open } ;
>
> Try /tmp.

Wrong answer. Those files are not moving. Nor are they going to be labeled tmp_t.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
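As an added example (not code from either poster), the following script turns the sesearch output quoted in the thread into the decision the original question asks for: which target types procmail_t may create, unlink and rename files in, and what the semanage/restorecon commands look like once a type is chosen for a directory tree. The sesearch output is embedded as a constructed sample so it runs without SELinux tools; the path /srv/example/mail is a hypothetical placeholder, and nfs_t and cifs_t are dropped from the local candidates because those types belong to network mounts, not to directories on a local filesystem. Which of the remaining types is correct depends on what the directory actually holds; the script only narrows the list to what the loaded policy already permits.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Parses the quoted
# `sesearch --allow -s procmail_t -c file -p create` output (embedded below as a
# constructed sample) and derives labelling commands for a directory tree.

SESEARCH_OUTPUT='Found 6 semantic av rules:
allow procmail_t procmail_log_t : file { ioctl create getattr lock append open } ;
allow procmail_t procmail_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t mail_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t cifs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow procmail_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;'

# creatable_types PERM...
# Print the target type of every allow rule whose permission set contains
# all of the listed permissions (e.g. "create unlink rename"), one per line.
creatable_types() {
    printf '%s\n' "$SESEARCH_OUTPUT" | awk -v want="$*" '
        /^allow / {
            n = split(want, need, " ")
            a = index($0, "{"); b = index($0, "}")
            perms = " " substr($0, a + 1, b - a - 1) " "   # " ioctl create ... "
            ok = 1
            for (i = 1; i <= n; i++)
                if (index(perms, " " need[i] " ") == 0) ok = 0
            if (ok) print $3                                 # target type field
        }'
}

# local_creatable_types PERM...
# Same as creatable_types, minus the types that only apply to NFS/CIFS mounts.
local_creatable_types() {
    creatable_types "$@" | grep -v -e '^nfs_t$' -e '^cifs_t$'
}

# label_commands TYPE DIR
# Print the commands that would persistently label DIR and everything under
# it as TYPE: a file-context rule, then a relabel of the tree.  Not executed
# here; review and run them as root on the target host.
label_commands() {
    type="$1"; dir="$2"
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    echo "types procmail_t may create/unlink/rename files in (local filesystems):"
    local_creatable_types create unlink rename
    echo
    echo "to label a hypothetical tree with mail_spool_t:"
    label_commands mail_spool_t /srv/example/mail   # placeholder path
fi
```

Run it with `--demo` to see the candidate list and the generated commands; the functions are also usable on real `sesearch` output by replacing SESEARCH_OUTPUT with the command's output on the host.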