01-16-2008, 12:33 PM
Gene Heskett

procmail vs amanda selinux hits

Greetings;

At about the time the backup program amanda is due to send me an email, I'm
getting popups from selinux.

Amanda is at times trying to send the user gene an email, some of which I do
get, but:

From setroubleshoot:
SUMMARY
SELinux is preventing /usr/bin/procmail (procmail_t) "search" to (var_log_t).

Detailed Description
SELinux denied access requested by /usr/bin/procmail. It is not expected that
this access is required by /usr/bin/procmail and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for , restorecon -v If this does not
work, there is currently no automatic way to allow this access. Instead, you
can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.
=====================================
Note the space before the comma above, is a name missing?
Also I have not done the restorecon -v as I've used the advice from
setroubleshooter to clear a goodly number of squawks.
=====================================
Additional Information
Source Context: system_u:system_r:procmail_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: procmail-3.22-20.fc8 [application]
Policy RPM: selinux-policy-3.0.8-74.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: coyote.coyote.den
Platform: Linux coyote.coyote.den 2.6.24-rc7 #1 SMP Mon Jan 14 10:00:40 EST
2008 i686 athlon
Alert Count: 26
First Seen: Wed 09 Jan 2008 05:09:14 AM EST
Last Seen: Wed 16 Jan 2008 05:09:15 AM EST
Local ID: bfec6c3c-7d3b-47f7-9174-a2251b12534a
Line Numbers:
Raw Audit Messages :avc: denied { search } for comm=procmail dev=dm-0 egid=500
euid=500 exe=/usr/bin/procmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
name=log pid=15219 scontext=system_u:system_r:procmail_t:s0 sgid=0
subj=system_u:system_r:procmail_t:s0 suid=500 tclass=dir
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=500

Comments people?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
It is better for civilization to be going down the drain than to be
coming up it.
-- Henry Allen

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
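
The raw audit message in the report above names the source type, target type, object class and permission, which is everything a local policy module would have to allow. As an added example (not part of the original post and not setroubleshoot's own code), this Python code parses such a record and derives the matching allow rule; the sample record is constructed from the report with its contexts written in full, and the function names are illustrative.

```python
import re

# Constructed sample: the record from the report, contexts in full
# user:role:type:level form, some uid/gid fields trimmed.
SAMPLE_AVC = (
    "avc: denied { search } for comm=procmail dev=dm-0 egid=500 euid=500 "
    "exe=/usr/bin/procmail exit=-13 name=log pid=15219 "
    "scontext=system_u:system_r:procmail_t:s0 tclass=dir "
    "tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=500"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the key=value fields of one 'avc: denied' record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1)
                  for kv in m.group("rest").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """Extract the type field from user:role:type:level.

    The report says MLS is enabled, so a context has at least four
    colon-separated fields; the level itself may contain further colons.
    """
    parts = context.split(":", 3)
    if len(parts) < 4:
        raise ValueError("not a full SELinux context: %r" % context)
    return parts[2]

def to_allow_rule(fields):
    """Build the type-enforcement rule that would permit the denied access."""
    perms = fields["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        context_type(fields["scontext"]),
        context_type(fields["tcontext"]),
        fields["tclass"], perm_str)

if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("%s on '%s' (exit %s)" % (rec["comm"], rec["name"], rec["exit"]))
    print(to_allow_rule(rec))
```

The derived rule covers only directory search on var_log_t, which is the access procmail needs to traverse /var/log; it grants no read or write on the log files themselves.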
 
01-16-2008, 12:58 PM
Daniel J Walsh

procmail vs amanda selinux hits

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:
> Greetings;
>
> At about the time the backup program amanda is due to send me an email, I'm
> getting popups from selinux.
>
> Amanda is at times trying to send the user gene an email, some of which I do
> get, but:
>
> From setroubleshoot:
> SUMMARY
> SELinux is preventing /usr/bin/procmail (procmail_t) "search" to (var_log_t).
>
> Detailed Description
> SELinux denied access requested by /usr/bin/procmail. It is not expected that
> this access is required by /usr/bin/procmail and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for , restorecon -v If this does not
> work, there is currently no automatic way to allow this access. Instead, you
> can generate a local policy module to allow this access - see FAQ Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a bug report against this package.
> =====================================
> Note the space before the comma above, is a name missing?
> Also I have not done the restorecon -v as I've used the advice from
> setroubleshooter to clear a goodly number of squawks.
> =====================================
> Additional Information
> Source Context: system_u:system_r:procmail_t:s0
> Target Context: system_u:object_r:var_log_t:s0
> Target Objects: None [ dir ]
> Affected RPM Packages: procmail-3.22-20.fc8 [application]
> Policy RPM: selinux-policy-3.0.8-74.fc8
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Enforcing
> Plugin Name: plugins.catchall_file
> Host Name: coyote.coyote.den
> Platform: Linux coyote.coyote.den 2.6.24-rc7 #1 SMP Mon Jan 14 10:00:40 EST
> 2008 i686 athlon
> Alert Count: 26
> First Seen: Wed 09 Jan 2008 05:09:14 AM EST
> Last Seen: Wed 16 Jan 2008 05:09:15 AM EST
> Local ID: bfec6c3c-7d3b-47f7-9174-a2251b12534a
> Line Numbers:
> Raw Audit Messages :avc: denied { search } for comm=procmail dev=dm-0 egid=500
> euid=500 exe=/usr/bin/procmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
> name=log pid=15219 scontext=system_u:system_r:procmail_t:s0 sgid=0
> subj=system_u:system_r:procmail_t:s0 suid=500 tclass=dir
> tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=500
>
> Comments people?
>
Should be allowed.

 
01-16-2008, 02:51 PM
Paul Howarth

procmail vs amanda selinux hits

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Gene Heskett wrote:
>> Greetings;
>>
>> At about the time the backup program amanda is due to send me an email, I'm
>> getting popups from selinux.
>>
>> Amanda is at times trying to send the user gene an email, some of which I do
>> get, but:
>>
>> From setroubleshoot:
>> SUMMARY
>> SELinux is preventing /usr/bin/procmail (procmail_t) "search" to (var_log_t).

On a related matter, I sometimes like to use a system-wide procmail
script (/etc/procmailrc) and have system-wide procmail logs to go with
that, which can be done by putting in /etc/procmailrc something like:


LOGFILE=/var/log/procmail.log
or
LOGFILE=/var/log/procmail/$LOGNAME

Current policy doesn't cater for this, so I added:

::::::::::::::
myprocmail.te
::::::::::::::
policy_module(myprocmail, 0.5.6)

require {
        type procmail_t;
        type sendmail_t;
};

# log files
type procmail_log_t;
logging_log_file(procmail_log_t)

# Write log to /var/log/procmail.log or /var/log/procmail/.*
allow procmail_t procmail_log_t:dir setattr;
create_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
append_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
logging_log_filetrans(procmail_t,procmail_log_t, { file dir })

# ==============================================
# Procmail needs to call sendmail for forwarding
# ==============================================

# Read alternatives link (still not in policy?)
corecmd_read_bin_symlinks(procmail_t)

# Procmail occasionally signals sendmail, e.g. when it times out during forwarding
sendmail_signal(procmail_t)

::::::::::::::
myprocmail.fc
::::::::::::::
/var/log/procmail.log    --    gen_context(system_u:object_r:procmail_log_t,s0)
/var/log/procmail(/.*)?        gen_context(system_u:object_r:procmail_log_t,s0)

The last bits of policy are things I've had locally for a couple of
Fedora releases now; not sure if they're in current policy but I think
they should be.


Cheers, Paul.
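
Which paths the two myprocmail.fc entries above actually label depends on the regex and on the `--` file-type specifier. The following Python code is an added example, not part of the original post or of libselinux: it models the entries as whole-path regex matches (a simplifying assumption), and the sample paths and function names are constructed for illustration.

```python
import re

CTX = "system_u:object_r:procmail_log_t:s0"
# The two myprocmail.fc entries: (path regex, file-type specifier, context).
FC_ENTRIES = [
    (r"/var/log/procmail.log", "--", CTX),
    (r"/var/log/procmail(/.*)?", None, CTX),
]
# File-type specifiers used in .fc files; an entry without one matches any class.
SPEC_TO_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file"}

def label_for(path, obj_class, entries=FC_ENTRIES):
    """Return the context these entries give `path`, or None if none applies.

    Simplified model (assumption): each regex must match the whole path and
    the first matching entry is returned. Both entries carry the same
    context, so match ordering does not change the answer here.
    """
    for pattern, spec, context in entries:
        if spec is not None and SPEC_TO_CLASS[spec] != obj_class:
            continue
        if re.fullmatch(pattern, path):
            return context
    return None

def uncovered(paths, entries=FC_ENTRIES):
    """List the (path, class) pairs that these two entries do not label."""
    return [(p, c) for p, c in paths if label_for(p, c, entries) is None]

# Constructed sample paths: the two LOGFILE settings plus nearby variants.
SAMPLE_PATHS = [
    ("/var/log/procmail.log", "file"),    # LOGFILE=/var/log/procmail.log
    ("/var/log/procmail", "dir"),         # parent of the per-user logs
    ("/var/log/procmail/gene", "file"),   # LOGFILE=/var/log/procmail/$LOGNAME
    ("/var/log/procmail.log.1", "file"),  # a rotated copy
    ("/var/log/procmail.log", "dir"),     # the "--" entry is files only
    ("/var/log/procmail-log", "file"),    # unescaped "." matches any character
]

if __name__ == "__main__":
    for path, cls in SAMPLE_PATHS:
        print("%-26s %-5s %s" % (path, cls, label_for(path, cls)))
```

Paths the entries do not cover, such as a rotated `procmail.log.1`, are left to whatever other file-context entries apply to /var/log when the tree is relabelled.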

 
01-17-2008, 01:12 AM
Gene Heskett

procmail vs amanda selinux hits

On Wednesday 16 January 2008, Paul Howarth wrote:
>Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Gene Heskett wrote:
>>> Greetings;
>>>
>>> At about the time the backup program amanda is due to send me an email,
>>> I'm getting popups from selinux.
>>>
>>> Amanda is at times trying to send the user gene an email, some of which I do
>>> get, but:
>>>
>>> From setroubleshoot:
>>>
>>> SUMMARY
>>> SELinux is preventing /usr/bin/procmail (procmail_t) "search" to
>>> (var_log_t).
>
>On a related matter, I sometimes like to use a system-wide procmail
>script (/etc/procmailrc) and have system-wide procmail logs to go with
>that, which can be done by putting in /etc/procmailrc something like:
>
>LOGFILE=/var/log/procmail.log
>or
>LOGFILE=/var/log/procmail/$LOGNAME
>
>Current policy doesn't cater for this, so I added:
>
>
>myprocmail.te
>
>policy_module(myprocmail, 0.5.6)
>
>require {
> type procmail_t;
> type sendmail_t;
>};
>
># log files
>type procmail_log_t;
>logging_log_file(procmail_log_t)
>
># Write log to /var/log/procmail.log or /var/log/procmail/.*
>allow procmail_t procmail_log_t:dir setattr;
>create_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
>append_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
>read_lnk_files_pattern(procmail_t,procmail_log_t,procmail_log_t)
>logging_log_filetrans(procmail_t,procmail_log_t, { file dir })
>
># ==============================================
># Procmail needs to call sendmail for forwarding
># ==============================================
>
># Read alternatives link (still not in policy?)
>corecmd_read_bin_symlinks(procmail_t)
>
># Procmail occasionally signals sendmail, e.g. when it times out during forwarding
>sendmail_signal(procmail_t)
>
>
>myprocmail.fc
>
>/var/log/procmail.log    --    gen_context(system_u:object_r:procmail_log_t,s0)
>/var/log/procmail(/.*)?        gen_context(system_u:object_r:procmail_log_t,s0)
>
>
>
>
>
>The last bits of policy are things I've had locally for a couple of
>Fedora releases now; not sure if they're in current policy but I think
>they should be.
>
>Cheers, Paul.
>
Thanks guys, it sounds like the next release will fix this.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If A equals success, then the formula is _A = _X + _Y + _Z. _X is work.
_Y is play. _Z is keep your mouth shut.
-- Albert Einstein
