Re: New procmail avc

David Highley <dhighley@xxxxxxxxxxxxxxxxxxxxxxx> · Fri, 17 Jun 2016 19:45:14 -0700 (PDT)

"Miroslav Grepl wrote:"
> 
> On 06/17/2016 02:34 AM, Robert Nichols wrote:
> > On 06/13/2016 09:44 PM, David Highley wrote:
> >> Should we file a report on the issue below?
> >>
> >> time->Mon Jun 13 08:50:37 2016
> >> type=AVC msg=audit(1465833037.215:3116): avc:  denied  { create } for
> >> pid=5356 comm="procmail" name="_sTB.NZtXXB.douglas"
> >> scontext=system_u:system_r:procmail_t:s0
> >> tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
> >> ----
> >> time->Mon Jun 13 08:50:37 2016
> >> type=AVC msg=audit(1465833037.215:3117): avc:  denied  { create } for
> >> pid=5356 comm="procmail" name="spamlog"
> >> scontext=system_u:system_r:procmail_t:s0
> >> tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
> >> ----
> >> time->Mon Jun 13 08:50:37 2016
> >> type=AVC msg=audit(1465833037.215:3118): avc:  denied  { create } for
> >> pid=5356 comm="procmail" name="_sTB,NZtXXB.douglas"
> >> scontext=system_u:system_r:procmail_t:s0
> >> tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
> >> ----
> >> time->Mon Jun 13 08:50:37 2016
> >> type=AVC msg=audit(1465833037.215:3119): avc:  denied  { create } for
> >> pid=5356 comm="procmail" name="spamlog"
> >> scontext=system_u:system_r:procmail_t:s0
> >> tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
> >> -- 
> >> selinux mailing list
> >> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>
> > 
> > Here's a 6-year-old thread discussing this same issue. Apparently it's
> > still unresolved since I'm still using the local policy mentioned in the
> > thread.
> 
> It is a valid point. Previously, we was not able to fix it in an easy
> way. Currently, we have filename transitions rules where we can define
> file type transitions for specific files or directories.
> 
> Thank you.
> 
> > 
> > https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/thread/XEFMGBHPWHLCZWB6EE3JYVRJZKQBN4H2/#XEFMGBHPWHLCZWB6EE3JYVRJZKQBN4H2
> > 
> > 

Problem report has been submitted. It took a little while to get an AVC
in the Permissive mode and then bugzilla seem to be having issues.
https://bugzilla.redhat.com/show_bug.cgi?id=1347901

> 
> 
> -- 
> Miroslav Grepl
> Senior Software Engineer, SELinux Solutions
> Red Hat, Inc.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx