"Miroslav Grepl wrote:" > > On 01/25/2012 02:26 PM, David Highley wrote: > > "Miroslav Grepl wrote:" > >> On 01/22/2012 03:33 AM, David Highley wrote: > >>> module myprocmail 1.0; > >>> > >>> require { > >>> type quota_db_t; > >>> type etc_aliases_t; > >>> type procmail_t; > >>> type admin_home_t; > >>> type spamc_t; > >>> type shadow_t; > >>> class file { getattr read open append lock }; > >>> class dir { getattr read open write }; > >>> class capability { dac_read_search dac_override }; > >>> } > >>> > >>> #============= procmail_t ============== > >>> allow procmail_t etc_aliases_t:file { getattr read open }; > >>> allow procmail_t quota_db_t:file { getattr append open lock }; > >>> allow procmail_t admin_home_t:dir write; > >>> allow procmail_t admin_home_t:file open; > >>> allow spamc_t self:capability { dac_read_search dac_override }; > >>> allow spamc_t shadow_t:file read; > >>> > >> Could you attach raw AVC msgs for these rules? What is procmail writing > >> to admin homedir? > > After correcting some labels, we removed the above policy. 
We are now only > > seeing these AVC: > > > > ---- > > time->Wed Jan 25 03:35:06 2012 > > type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) > > type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability > > type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability > > ---- > > time->Wed Jan 25 03:35:06 2012 > > type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) > > type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability > > type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability > > ---- > > time->Wed Jan 25 03:35:07 2012 > > type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" 
exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) > > type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability > > type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability > > -- > > selinux mailing list > > selinux@xxxxxxxxxxxxxxxxxxxxxxx > > https://admin.fedoraproject.org/mailman/listinfo/selinux > I guess this relates to > > allow spamc_t shadow_t:file read; > > > Could you re-test it with the following: > > Turn on full auditing > $ auditctl -w /etc/shadow -p w > > Try to recreate the AVC. Then execute > $ ausearch -m avc -ts recent > > ---- time->Thu Jan 26 03:09:06 2012 type=SYSCALL msg=audit(1327576146.116:514): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576146.116:514): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576146.116:514): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:09:06 2012 type=SYSCALL msg=audit(1327576146.382:515): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" 
subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576146.382:515): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576146.382:515): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:09:08 2012 type=SYSCALL msg=audit(1327576148.073:517): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576148.073:517): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576148.073:517): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:12:07 2012 type=SYSCALL msg=audit(1327576327.808:520): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576327.808:520): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576327.808:520): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 
scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:12:07 2012 type=SYSCALL msg=audit(1327576327.907:521): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576327.907:521): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576327.907:521): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:12:09 2012 type=SYSCALL msg=audit(1327576329.329:522): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327576329.329:522): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327576329.329:522): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:29:01 2012 type=SYSCALL msg=audit(1327577341.693:530): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" 
exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327577341.693:530): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327577341.693:530): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:29:01 2012 type=SYSCALL msg=audit(1327577341.741:531): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327577341.741:531): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327577341.741:531): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability ---- time->Thu Jan 26 03:29:02 2012 type=SYSCALL msg=audit(1327577342.749:532): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1327577342.749:532): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability type=AVC msg=audit(1327577342.749:532): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 
scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux