Re: Fedora 16 and procmail

On 01/25/2012 02:26 PM, David Highley wrote:
"Miroslav Grepl wrote:"
On 01/22/2012 03:33 AM, David Highley wrote:
module myprocmail 1.0;

require {
          type quota_db_t;
          type etc_aliases_t;
          type procmail_t;
          type admin_home_t;
          type spamc_t;
          type shadow_t;
          class file { getattr read open append lock };
          class dir  { getattr read open write };
          class capability { dac_read_search dac_override };
}

#============= procmail_t ==============
allow procmail_t etc_aliases_t:file { getattr read open };
allow procmail_t quota_db_t:file { getattr append open lock };
allow procmail_t admin_home_t:dir write;
allow procmail_t admin_home_t:file open;
allow spamc_t self:capability { dac_read_search dac_override };
allow spamc_t shadow_t:file read;

Could you attach raw AVC msgs for these rules? What is procmail writing
to admin homedir?
After correcting some labels and removing the above policy, we are now only
seeing these AVCs:

----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.521:1222): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.521:1222): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:07 2012
type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491307.991:1224): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
I guess this relates to

allow spamc_t shadow_t:file read;


Could you re-test it with the following:

Turn on full auditing
$ auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
$ ausearch -m avc -ts recent


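An added example, not part of the thread: a small Python parser for ausearch output like the records quoted above. It groups SYSCALL and AVC records by audit serial, tallies denials by source type, target type, class and permission, and singles out events whose only denials are dac_override/dac_read_search capability checks, since those usually mean the file's ownership or mode is wrong for the process (which matches the thread's experience that fixing labels removed most rules) rather than a missing allow rule. The sample input is event 1221 from the thread with its SYSCALL record trimmed, plus one constructed shadow_t read denial that is not in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: event 1221 from the thread (SYSCALL record trimmed to the
# fields used here) plus one made-up shadow_t denial to show a file target.
SAMPLE = """\
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 uid=0 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_read_search } for  pid=1129 comm="spamassassin" capability=2  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc:  denied  { dac_override } for  pid=1129 comm="spamassassin" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc:  denied  { read } for  pid=1129 comm="spamassassin" name="shadow" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):")
DENIED = re.compile(r"denied\s+\{ ([^}]+) \}")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
DAC_CAPS = {"dac_override", "dac_read_search"}

def parse_audit(text):
    """Group records by audit serial: {serial: {"syscall": {...}, "avcs": [...]}}."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in KV.findall(line)}
        ev = events[int(m.group(2))]
        if m.group(1) == "SYSCALL":
            ev["syscall"] = {"nr": int(f["syscall"]), "exit": int(f["exit"]), "comm": f.get("comm")}
        elif m.group(1) == "AVC":
            # contexts are user:role:type:level; keep only the type
            ev["avcs"].append({"perms": DENIED.search(line).group(1).split(),
                               "source": f["scontext"].split(":")[2],
                               "target": f["tcontext"].split(":")[2], "tclass": f["tclass"]})
    return dict(events)

def denial_summary(events):
    """Count denials by (source type, target type, class, permission)."""
    return Counter((a["source"], a["target"], a["tclass"], p)
                   for ev in events.values() for a in ev["avcs"] for p in a["perms"])

def dac_only_events(events):
    """Serials whose denials are all dac_override/dac_read_search capability checks.
    The kernel asks for those only after the ordinary owner/mode check has failed,
    so they point at file ownership or permissions (the paired SYSCALL shows the
    open failing with EACCES), not at a missing policy rule."""
    return sorted(s for s, ev in events.items() if ev["avcs"] and all(
        a["tclass"] == "capability" and set(a["perms"]) <= DAC_CAPS for a in ev["avcs"]))
```

Feed it the output of `ausearch -m avc -ts recent` (the command in the thread) to get the same grouping on a live system.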