Summary:

SELinux is preventing /usr/bin/procmail "read" access on /root/.procmailrc.


Additional Information:

Source Context system_u:system_rrocmail_t:s0
Target Context unconfined_ubject_r:admin_home_t:s0
Target Objects /root/.procmailrc [ file ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host omega-3a.local
Source RPM Packages procmail-3.22-25.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-106.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name catchall
Host Name omega-3a.local
Platform Linux omega-3a.local 2.6.32.10-90.fc12.x86_64 #1
SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Sun 04 Apr 2010 12:40:06 PM CDT
Last Seen Sun 04 Apr 2010 12:40:06 PM CDT
Local ID 3c358dab-c665-4cd2-83e1-f53bde028ed6
Line Numbers

Raw Audit Messages

node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
read } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
scontext=system_u:system_rrocmail_t:s0
tcontext=unconfined_ubject_r:admin_home_t:s0 tclass=file

node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
open } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
scontext=system_u:system_rrocmail_t:s0
tcontext=unconfined_ubject_r:admin_home_t:s0 tclass=file

node=omega-3a.local type=SYSCALL msg=audit(1270402806.932:37129): arch=c000003e
syscall=2 success=yes exit=4 a0=23ef320 a1=0 a2=0 a3=3a358800f0 items=0
ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_rrocmail_t:s0 key=(null)




Summary:

SELinux is preventing /usr/bin/procmail "open" access on
/root/mail/procmail.log.


Additional Information:

Source Context system_u:system_rrocmail_t:s0
Target Context system_ubject_r:admin_home_t:s0
Target Objects /root/mail/procmail.log [ file ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host omega-3a.local
Source RPM Packages procmail-3.22-25.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-106.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name catchall
Host Name omega-3a.local
Platform Linux omega-3a.local 2.6.32.10-90.fc12.x86_64 #1
SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Sun 04 Apr 2010 12:40:06 PM CDT
Last Seen Sun 04 Apr 2010 12:40:06 PM CDT
Local ID b8607748-23c6-4ca1-a82f-2ad2ee1c5ac6
Line Numbers

Raw Audit Messages

node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc: denied {
open } for pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007
scontext=system_u:system_rrocmail_t:s0
tcontext=system_ubject_r:admin_home_t:s0 tclass=file

node=omega-3a.local type=SYSCALL msg=audit(1270402806.966:37130): arch=c000003e
syscall=2 success=yes exit=6 a0=23f1200 a1=441 a2=1b7 a3=28 items=0 ppid=13980
pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_rrocmail_t:s0 key=(null)


--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

On 04/04/2010 12:48 PM, Robert Nichols wrote:
>
> node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
> read } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> scontext=system_u:system_rrocmail_t:s0
> tcontext=unconfined_ubject_r:admin_home_t:s0 tclass=file
>
> node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
> open } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> scontext=system_u:system_rrocmail_t:s0
> tcontext=unconfined_ubject_r:admin_home_t:s0 tclass=file
>
> node=omega-3a.local type=SYSCALL msg=audit(1270402806.932:37129): arch=c000003e
> syscall=2 success=yes exit=4 a0=23ef320 a1=0 a2=0 a3=3a358800f0 items=0
> ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> subj=system_u:system_rrocmail_t:s0 key=(null)
>
>
>
>
> node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc: denied {
> open } for pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007
> scontext=system_u:system_rrocmail_t:s0
> tcontext=system_ubject_r:admin_home_t:s0 tclass=file
>
> node=omega-3a.local type=SYSCALL msg=audit(1270402806.966:37130): arch=c000003e
> syscall=2 success=yes exit=6 a0=23f1200 a1=441 a2=1b7 a3=28 items=0 ppid=13980
> pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> subj=system_u:system_rrocmail_t:s0 key=(null)

FWIW, here's the policy I installed to allow this:

module procmailroot1 1.0;

require {
type admin_home_t;
type procmail_t;
class file { ioctl read write create getattr setattr lock append unlink link
rename open };
class dir { ioctl read write create getattr setattr lock unlink link rename
add_name remove_name reparent search rmdir open };
}

#============= procmail_t ==============

allow procmail_t admin_home_t:dir { ioctl read write create getattr setattr
lock unlink link rename add_name remove_name reparent search rmdir open };
allow procmail_t admin_home_t:file { ioctl read write create getattr setattr
lock append unlink link rename open };


--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

On Sun, Apr 04, 2010 at 10:56:43PM -0500, Robert Nichols wrote:
> On 04/04/2010 12:48 PM, Robert Nichols wrote:
> >
> > node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
> > read } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> > scontext=system_u:system_rrocmail_t:s0
> > tcontext=unconfined_ubject_r:admin_home_t:s0 tclass=file
> >
> > node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
> > open } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
> > scontext=system_u:system_rrocmail_t:s0
> > tcontext=unconfined_ubject_r:admin_home_t:s0 tclass=file
> >
> > node=omega-3a.local type=SYSCALL msg=audit(1270402806.932:37129): arch=c000003e
> > syscall=2 success=yes exit=4 a0=23ef320 a1=0 a2=0 a3=3a358800f0 items=0
> > ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> > subj=system_u:system_rrocmail_t:s0 key=(null)
> >
> >
> >
> >
> > node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc: denied {
> > open } for pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007
> > scontext=system_u:system_rrocmail_t:s0
> > tcontext=system_ubject_r:admin_home_t:s0 tclass=file
> >
> > node=omega-3a.local type=SYSCALL msg=audit(1270402806.966:37130): arch=c000003e
> > syscall=2 success=yes exit=6 a0=23f1200 a1=441 a2=1b7 a3=28 items=0 ppid=13980
> > pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
> > subj=system_u:system_rrocmail_t:s0 key=(null)
>
> FWIW, here's the policy I installed to allow this:
>
> module procmailroot1 1.0;
>
> require {
> type admin_home_t;
> type procmail_t;
> class file { ioctl read write create getattr setattr lock append unlink link
> rename open };
> class dir { ioctl read write create getattr setattr lock unlink link rename
> add_name remove_name reparent search rmdir open };
> }
>
> #============= procmail_t ==============
>
> allow procmail_t admin_home_t:dir { ioctl read write create getattr setattr
> lock unlink link rename add_name remove_name reparent search rmdir open };
> allow procmail_t admin_home_t:file { ioctl read write create getattr setattr
> lock append unlink link rename open };
>

I would probably declare a new type for procmail in $home if possible.

myprocmail.te:

policy_module(myprocmail, 1.0.0)

type procmail_home_t;
userdom_user_home_content(procmail_home_t)

optional_policy(`
gen_require(`
type procmail_t;
')

manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
userdom_search_user_home_dirs(procmail_t)
userdom_search_admin_dir(procmail_t)
')

myprocmail.fc:

HOME_DIR/.procmailrc -- gen_context(system_ubject_rrocmail_home_t, s0)
/root/.procmailrc -- gen_context(system_ubject_rrocmail_home_t, s0)

make -f /usr/share/selinux/devel/Makefile myprocmail.pp
sudo semodule -i myprocmail.pp
sudo restorecon -v /root/.procmailrc

>
> --
> Bob Nichols "NOSPAM" is really part of my email address.
> Do NOT delete it.
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

On 04/05/2010 04:47 AM, Dominick Grift wrote:

type procmail_home_t;
userdom_user_home_content(procmail_home_t)

optional_policy(`
gen_require(`
type procmail_t;
')

manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
userdom_search_user_home_dirs(procmail_t)
userdom_search_admin_dir(procmail_t)
')

myprocmail.fc:

HOME_DIR/.procmailrc -- gen_context(system_ubject_rrocmail_home_t, s0)
/root/.procmailrc -- gen_context(system_ubject_rrocmail_home_t, s0)

make -f /usr/share/selinux/devel/Makefile myprocmail.pp
sudo semodule -i myprocmail.pp
sudo restorecon -v /root/.procmailrc



I will add this, but there is a comment in the current policy



# only works until we define a different type for maildir

userdom_manage_user_home_content_dirs(procmail_t)

userdom_manage_user_home_content_files(procmail_t)

userdom_manage_user_home_content_symlinks(procmail _t)

userdom_manage_user_home_content_pipes(procmail_t)

userdom_manage_user_home_content_sockets(procmail_ t)

userdom_user_home_dir_filetrans_user_home_content( procmail_t, { dir
file lnk_file fifo_file sock_file })





Should we add a file context for maildir and add the symlinks,
pipes,sockets for procmail_home_t?





--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

On Mon, Apr 05, 2010 at 08:22:14AM -0400, Daniel J Walsh wrote:
> On 04/05/2010 04:47 AM, Dominick Grift wrote:
> >type procmail_home_t;
> >userdom_user_home_content(procmail_home_t)
> >
> >optional_policy(`
> >gen_require(`
> > type procmail_t;
> >')
> >
> >manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
> >manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
> >userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> >userdom_admin_home_dir_filetrans(procmail_t, procmail_home_t, { dir file })
> >userdom_search_user_home_dirs(procmail_t)
> >userdom_search_admin_dir(procmail_t)
> >')
> >
> >myprocmail.fc:
> >
> >HOME_DIR/.procmailrc -- gen_context(system_ubject_rrocmail_home_t, s0)
> >/root/.procmailrc -- gen_context(system_ubject_rrocmail_home_t, s0)
> >
> >make -f /usr/share/selinux/devel/Makefile myprocmail.pp
> >sudo semodule -i myprocmail.pp
> >sudo restorecon -v/root/.procmailrc
> >
> I will add this, but there is a comment in the current policy
>
> # only works until we define a different type for maildir
> userdom_manage_user_home_content_dirs(procmail_t)
> userdom_manage_user_home_content_files(procmail_t)
> userdom_manage_user_home_content_symlinks(procmail _t)
> userdom_manage_user_home_content_pipes(procmail_t)
> userdom_manage_user_home_content_sockets(procmail_ t)
> userdom_user_home_dir_filetrans_user_home_content( procmail_t, { dir
> file lnk_file fifo_file sock_file })
>
>
> Should we add a file context for maildir and add the symlinks,
> pipes,sockets for procmail_home_t?

I later noticed that comment as well and this probably complicates matters as procmail
is likely not the only service that needs access to maildir. Also i believe there are different methods of
storing e-mail. One of which is maildir another mbox i believe. There are probably more.

So i think we should figure out the locations and formats for storing e-mail and i think we should use a generic type for mail content in the user dirs.

I wonder what the reason is that this has not been implemented yet (who made the comment in refpolicy and why?)

>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

On Mon, 5 Apr 2010 14:46:00 +0200
Dominick Grift <domg472@gmail.com> wrote:

> On Mon, Apr 05, 2010 at 08:22:14AM -0400, Daniel J Walsh wrote:
> > On 04/05/2010 04:47 AM, Dominick Grift wrote:
> > >type procmail_home_t;
> > >userdom_user_home_content(procmail_home_t)
> > >
> > >optional_policy(`
> > >gen_require(`
> > > type procmail_t;
> > >')
> > >
> > >manage_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
> > >manage_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
> > >userdom_user_home_dir_filetrans(procmail_t, procmail_home_t, { dir
> > >file }) userdom_admin_home_dir_filetrans(procmail_t,
> > >procmail_home_t, { dir file })
> > >userdom_search_user_home_dirs(procmail_t)
> > >userdom_search_admin_dir(procmail_t) ')
> > >
> > >myprocmail.fc:
> > >
> > >HOME_DIR/.procmailrc --
> > >gen_context(system_ubject_rrocmail_home_t,
> > >s0) /root/.procmailrc --
> > >gen_context(system_ubject_rrocmail_home_t, s0)
> > >
> > >make -f /usr/share/selinux/devel/Makefile myprocmail.pp
> > >sudo semodule -i myprocmail.pp
> > >sudo restorecon -v/root/.procmailrc
> > >
> > I will add this, but there is a comment in the current policy
> >
> > # only works until we define a different type for maildir
> > userdom_manage_user_home_content_dirs(procmail_t)
> > userdom_manage_user_home_content_files(procmail_t)
> > userdom_manage_user_home_content_symlinks(procmail _t)
> > userdom_manage_user_home_content_pipes(procmail_t)
> > userdom_manage_user_home_content_sockets(procmail_ t)
> > userdom_user_home_dir_filetrans_user_home_content( procmail_t, { dir
> > file lnk_file fifo_file sock_file })
> >
> >
> > Should we add a file context for maildir and add the symlinks,
> > pipes,sockets for procmail_home_t?
>
> I later noticed that comment as well and this probably complicates
> matters as procmail is likely not the only service that needs access
> to maildir.

Indeed it isn't. I use dovecot IMAP server, which is configured to
serve mail delivered to maildir directories within users' home
directories (and it could handle mbox and possibly other formats too,
though maildir is faster and better from a backup perspective).

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux