Re: Root not allowed to use procmail??????

On 04/04/2010 12:48 PM, Robert Nichols wrote:
>
> node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc:  denied  {
> read } for  pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> scontext=system_u:system_r:procmail_t:s0
> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc:  denied  {
> open } for  pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> scontext=system_u:system_r:procmail_t:s0
> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>
> node=omega-3a.local type=SYSCALL msg=audit(1270402806.932:37129): arch=c000003e
> syscall=2 success=yes exit=4 a0=23ef320 a1=0 a2=0 a3=3a358800f0 items=0
> ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> subj=system_u:system_r:procmail_t:s0 key=(null)
>
>
>
>
> node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc:  denied  {
> open } for  pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007
> scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:admin_home_t:s0 tclass=file
>
> node=omega-3a.local type=SYSCALL msg=audit(1270402806.966:37130): arch=c000003e
> syscall=2 success=yes exit=6 a0=23f1200 a1=441 a2=1b7 a3=28 items=0 ppid=13980
> pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> subj=system_u:system_r:procmail_t:s0 key=(null)

FWIW, here's the policy I installed to allow this:

   module procmailroot1 1.0;

   require {
   	type admin_home_t;
   	type procmail_t;
   	class file { ioctl read write create getattr setattr lock append unlink link rename open };
   	class dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open };
   }

   #============= procmail_t ==============

   allow procmail_t admin_home_t:dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open };
   allow procmail_t admin_home_t:file { ioctl read write create getattr setattr lock append unlink link rename open };


-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
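As an added example (not from Bob's message, nor from the procmail or SELinux projects), the script below parses the AVC records quoted above and emits only the allow rule those denials justify, for comparison with the much broader module in the message; the module name and the record regex are assumptions.

```python
import re
from collections import defaultdict

# The three AVC denial records quoted in the message, each joined onto one line.
AVC_RECORDS = """\
node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc:  denied  { read } for  pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc:  denied  { open } for  pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc:  denied  { open } for  pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

# Pulls the denied permissions, source/target types and object class out of one record.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\} for .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)


def collect_denials(text):
    """Map (source type, target type, class) -> set of permissions actually denied."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            needed[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(needed)


def render_module(name, needed):
    """Emit a TE module granting only the collected permissions (module name is an assumption)."""
    types = sorted({t for key in needed for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in needed.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(needed.items()):
        out.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("procmailroot_min", collect_denials(AVC_RECORDS)))
```

The quoted SYSCALL record for procmail.log opens it with a1=441 (O_WRONLY|O_CREAT|O_APPEND), so once open is allowed further denials for write, create and append are to be expected; re-running the script over those records widens the rule only that far, without the unlink, rename or rmdir permissions the posted module grants.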
