On Sun, Apr 04, 2010 at 10:56:43PM -0500, Robert Nichols wrote:
> On 04/04/2010 12:48 PM, Robert Nichols wrote:
> >
> > node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
> > read } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> > scontext=system_u:system_r:procmail_t:s0
> > tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> >
> > node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
> > open } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> > scontext=system_u:system_r:procmail_t:s0
> > tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> >
> > node=omega-3a.local type=SYSCALL msg=audit(1270402806.932:37129): arch=c000003e
> > syscall=2 success=yes exit=4 a0=23ef320 a1=0 a2=0 a3=3a358800f0 items=0
> > ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> > subj=system_u:system_r:procmail_t:s0 key=(null)
> >
> > node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc: denied {
> > open } for pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007
> > scontext=system_u:system_r:procmail_t:s0
> > tcontext=system_u:object_r:admin_home_t:s0 tclass=file
> >
> > node=omega-3a.local type=SYSCALL msg=audit(1270402806.966:37130): arch=c000003e
> > syscall=2 success=yes exit=6 a0=23f1200 a1=441 a2=1b7 a3=28 items=0 ppid=13980
> > pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> > subj=system_u:system_r:procmail_t:s0 key=(null)
>
> FWIW, here's the policy I installed to allow this:
>
> module procmailroot1 1.0;
>
> require {
>         type admin_home_t;
>         type procmail_t;
>         class file { ioctl read write create getattr setattr lock append unlink link
>                      rename open };
>         class dir { ioctl read write create getattr setattr lock unlink link rename
>                     add_name remove_name reparent search rmdir open };
> }
>
> #============= procmail_t ==============
>
> allow procmail_t admin_home_t:dir { ioctl read write create getattr setattr
>         lock unlink link rename add_name remove_name reparent search rmdir open };
> allow procmail_t admin_home_t:file { ioctl read write create getattr setattr
>         lock append unlink link rename open };

I would probably declare a new type for procmail in $home if possible.

myprocmail.te:

policy_module(myprocmail, 1.0.0)

type procmail_home_t;
userdom_user_home_content(procmail_home_t)

optional_policy(`
	gen_require(`
		type procmail_t;
	')

	manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
	manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
	userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
	userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
	userdom_search_user_home_dirs(procmail_t)
	userdom_search_admin_dir(procmail_t)
')

myprocmail.fc:

HOME_DIR/\.procmailrc	--	gen_context(system_u:object_r:procmail_home_t, s0)
/root/\.procmailrc	--	gen_context(system_u:object_r:procmail_home_t, s0)

make -f /usr/share/selinux/devel/Makefile myprocmail.pp
sudo semodule -i myprocmail.pp
sudo restorecon -v /root/.procmailrc

>
> --
> Bob Nichols     "NOSPAM" is really part of my email address.
>                 Do NOT delete it.
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
pgpllZ5H6m9B4.pgp
Description: PGP signature
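The point of the reply above is least privilege: the AVC records only show procmail_t being denied read and open on a file labelled admin_home_t, while the module Robert installed grants the full dir and file permission sets on admin_home_t, which is much wider than the denials required. The script below is an added example (not part of this thread, and not a tool from the refpolicy or audit2allow projects) that parses the AVC records quoted in the message, reduces them to the narrowest allow rules that would cover exactly those denials, and reports which permissions in the installed module were never observed being denied. The audit lines in SAMPLE_AUDIT_LOG are the ones from the quoted message, joined back onto one line each as auditd emits them; INSTALLED_RULES transcribes the two allow rules from the quoted procmailroot1 module.

```python
import re
from collections import defaultdict

# Audit records from the quoted message, one per line as auditd emits them.
# The type=SYSCALL records are kept deliberately so the parser has to skip them.
SAMPLE_AUDIT_LOG = """\
node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied { read } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied { open } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=SYSCALL msg=audit(1270402806.932:37129): arch=c000003e syscall=2 success=yes exit=4 a0=23ef320 a1=0 a2=0 a3=3a358800f0 items=0 ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc: denied { open } for pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=SYSCALL msg=audit(1270402806.966:37130): arch=c000003e syscall=2 success=yes exit=6 a0=23f1200 a1=441 a2=1b7 a3=28 items=0 ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
"""

# The two allow rules from the quoted procmailroot1 module, keyed by
# (source type, target type, object class).
INSTALLED_RULES = {
    ("procmail_t", "admin_home_t", "dir"): set(
        "ioctl read write create getattr setattr lock unlink link rename "
        "add_name remove_name reparent search rmdir open".split()),
    ("procmail_t", "admin_home_t", "file"): set(
        "ioctl read write create getattr setattr lock append unlink link "
        "rename open".split()),
}

# Matches only 'avc: denied' records; SYSCALL and 'avc: granted' records do not match.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per 'avc: denied' record in text; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        name = re.search(r'\bname="([^"]*)"', line)
        comm = re.search(r'\bcomm="([^"]*)"', line)
        denials.append({
            "perms": sorted(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "name": name.group(1) if name else None,
            "comm": comm.group(1) if comm else None,
        })
    return denials


def needed_permissions(denials):
    """Collapse denials into {(source, target, class): set(perms actually denied)}."""
    needed = defaultdict(set)
    for d in denials:
        needed[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return needed


def minimal_allow_rules(denials):
    """The narrowest allow rules that cover exactly the observed denials."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed_permissions(denials).items())
    ]


def excess_permissions(installed, denials):
    """Permissions each installed rule grants that no denial ever asked for."""
    needed = needed_permissions(denials)
    return {key: sorted(perms - needed.get(key, set()))
            for key, perms in installed.items()}


if __name__ == "__main__":
    denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print("Minimal rules covering the observed denials:")
    for rule in minimal_allow_rules(denials):
        print("  " + rule)
    print("Permissions granted by the installed module but never denied:")
    for (src, tgt, cls), extra in excess_permissions(INSTALLED_RULES, denials).items():
        print(f"  {src} {tgt}:{cls}: {' '.join(extra) or '(none)'}")
```

Run against the quoted records it reduces the denials to a single rule, allow procmail_t admin_home_t:file { open read };, and lists every permission in the installed dir rule and ten of the twelve in the file rule as unexercised, which is the gap the reply's dedicated procmail_home_t type closes: the wide rules on admin_home_t go away and procmail_t is confined to files carrying its own type.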
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux