01-22-2012, 02:33 AM
David Highley

Fedora 16 and procmail

module myprocmail 1.0;

require {
type quota_db_t;
type etc_aliases_t;
type procmail_t;
type admin_home_t;
type spamc_t;
type shadow_t;
class file { getattr read open append lock };
class dir { getattr read open write };
class capability { dac_read_search dac_override };
}

#============= procmail_t ==============
# read /etc/aliases and append to the quota database
allow procmail_t etc_aliases_t:file { getattr read open };
allow procmail_t quota_db_t:file { getattr append open lock };
# write into an admin (root) home directory
allow procmail_t admin_home_t:dir write;
allow procmail_t admin_home_t:file open;

#============= spamc_t ==============
# bypass DAC permission bits and read the shadow password file
allow spamc_t self:capability { dac_read_search dac_override };
allow spamc_t shadow_t:file read;


Then every time we do a restorecon -vR for a home directory we get the
following, and if you repeat the command you will get the same output.
We did do semanage fcontext -a -e /home /export/home, so SELinux knows
that this is a home directory structure for NFS automounting.

restorecon -vR /export/home/chighley
restorecon reset /export/home/chighley/.pyzor context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.pyzor/servers context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.razor context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/identity context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/razor-agent.log context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c101.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c102.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c103.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c104.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c105.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c118.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c121.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c122.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c123.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c301.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c302.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c303.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c304.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.c305.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.folly.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.joy.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n001.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n002.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n003.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/server.n004.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.discovery.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.nomination.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/servers.nomination.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
01-22-2012, 02:47 AM
David Highley

Fedora 16 and procmail


Another thing we just noticed in sending this email: the sent file did
not get a copy of this email, which was sent by elm (I know it's ancient,
but it is lightweight across the wide network). No AVC was thrown, so we
suspect we're not seeing all the issues.
 
01-23-2012, 03:10 PM
Miroslav Grepl

Fedora 16 and procmail

On 01/22/2012 03:33 AM, David Highley wrote:

module myprocmail 1.0;

require {
type quota_db_t;
type etc_aliases_t;
type procmail_t;
type admin_home_t;
type spamc_t;
type shadow_t;
class file { getattr read open append lock };
class dir { getattr read open write };
class capability { dac_read_search dac_override };
}

#============= procmail_t ==============
allow procmail_t etc_aliases_t:file { getattr read open };
allow procmail_t quota_db_t:file { getattr append open lock };

allow procmail_t admin_home_t:dir write;
allow procmail_t admin_home_t:file open;
allow spamc_t self:capability { dac_read_search dac_override };
allow spamc_t shadow_t:file read;

Could you attach raw AVC msgs for these rules? What is procmail writing
to admin homedir?

And I think we should add

auth_dontaudit_read_shadow(spamc_t)

Then every time we do a restorecon -vR for a home directory we get the
following, and if you repeat the command you will get the same output.
We did do semanage fcontext -a -e /home /export/home, so SELinux knows
that this is a home directory structure for NFS automounting.

We treat spamc and razor policy together using aliases; this is a reason
why you see it. Nothing is broken.

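To make the alias explanation concrete, here is a small classifier for restorecon -v reset lines. It is an added example, not code from the thread or from the Fedora policy; it assumes the alias relationship Miroslav describes (razor_home_t and pyzor_home_t as aliases of spamc_home_t, encoded in a table) and adds one constructed Maildir line that is not in the thread to show a reset that does change access.

```python
"""Classify restorecon -v reset lines into real relabels and alias-only resets."""
import re
from collections import Counter

# Lines copied from the thread's restorecon -vR output (emoticon damage repaired), plus one
# constructed Maildir line that is not in the thread, to show a reset that changes access.
SAMPLE_RESTORECON = """\
restorecon reset /export/home/chighley/.pyzor context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
restorecon reset /export/home/chighley/.razor context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/.razor/identity context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
restorecon reset /export/home/chighley/Maildir context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:mail_home_rw_t:s0
"""

RESET_RE = re.compile(r"^restorecon reset (\S+) context (\S+)->(\S+)$")

# Assumption taken from Miroslav's reply: the razor/pyzor home types are aliases of
# spamc_home_t.  An alias resolves to the same type value as its primary type, so the
# kernel hands the primary name back when the label is read; restorecon compares that
# string against file_contexts, sees a difference, and reports the same "reset" on every
# run while the access decisions never change.
TYPE_ALIASES = {"razor_home_t": "spamc_home_t", "pyzor_home_t": "spamc_home_t"}


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def canonical_type(t):
    """Map an alias to the primary type it resolves to in the loaded policy."""
    return TYPE_ALIASES.get(t, t)


def classify_reset(line):
    """Return None for lines that are not resets, else a dict describing the relabel."""
    m = RESET_RE.match(line.strip())
    if not m:
        return None
    path, old_ctx, new_ctx = m.groups()
    old_t, new_t = context_type(old_ctx), context_type(new_ctx)
    effective = canonical_type(old_t) != canonical_type(new_t)
    return {"path": path, "old_type": old_t, "new_type": new_t,
            "kind": "relabel" if effective else "alias-only"}


def summarize(text):
    """Count resets of each kind and list the paths whose access rules really change."""
    results = [r for r in map(classify_reset, text.splitlines()) if r]
    counts = Counter(r["kind"] for r in results)
    changed = [r["path"] for r in results if r["kind"] == "relabel"]
    return {"alias_only": counts["alias-only"], "relabel": counts["relabel"],
            "changed_paths": changed}


if __name__ == "__main__":
    for r in filter(None, map(classify_reset, SAMPLE_RESTORECON.splitlines())):
        print("%-10s %s: %s -> %s" % (r["kind"], r["path"], r["old_type"], r["new_type"]))
    print(summarize(SAMPLE_RESTORECON))
```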
 
01-25-2012, 01:26 PM
David Highley

Fedora 16 and procmail

"Miroslav Grepl wrote:"
>
> On 01/22/2012 03:33 AM, David Highley wrote:
> > module myprocmail 1.0;
> >
> > require {
> > type quota_db_t;
> > type etc_aliases_t;
> > type procmail_t;
> > type admin_home_t;
> > type spamc_t;
> > type shadow_t;
> > class file { getattr read open append lock };
> > class dir { getattr read open write };
> > class capability { dac_read_search dac_override };
> > }
> >
> > #============= procmail_t ==============
> > allow procmail_t etc_aliases_t:file { getattr read open };
> > allow procmail_t quota_db_t:file { getattr append open lock };
>
> > allow procmail_t admin_home_t:dir write;
> > allow procmail_t admin_home_t:file open;
> > allow spamc_t self:capability { dac_read_search dac_override };
> > allow spamc_t shadow_t:file read;
> >
> Could you attach raw AVC msgs for these rules? What is procmail writing
> to admin homedir?

After correcting some labels and removing the above policy, we are now only
seeing these AVCs:

----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:06 2012
type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Wed Jan 25 03:35:07 2012
type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
 
01-25-2012, 03:51 PM
Miroslav Grepl

Fedora 16 and procmail

On 01/25/2012 02:26 PM, David Highley wrote:

After correcting some labels and removing the above policy, we are now only
seeing these AVCs:


I guess this relates to

allow spamc_t shadow_t:file read;


Could you re-test it with the following:

Turn on full auditing
$ auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
$ ausearch -m avc -ts recent


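As an added example (not from the thread or from the audit tooling), the parser below groups the SYSCALL and AVC records quoted in this thread by audit serial and decodes the fields that matter for the diagnosis: syscall 2 on arch c000003e is open(2), exit -13 is EACCES, a1=80000 is O_RDONLY|O_CLOEXEC, and capability 1/2 are CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH. The sample records are copied from the thread; the closing hint only restates the step Miroslav asks for.

```python
"""Parse the SYSCALL/AVC audit records quoted in this thread and explain each event."""
import re
from collections import OrderedDict

# Three records copied from the thread (audit serial 1221); one event = one serial.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# x86_64 (arch=c000003e) syscall numbers and Linux capability numbers seen in such records.
SYSCALLS_X86_64 = {0: "read", 1: "write", 2: "open", 257: "openat"}
CAPABILITIES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER"}
ERRNO = {1: "EPERM", 2: "ENOENT", 13: "EACCES"}
OPEN_FLAGS = [(0x1, "O_WRONLY"), (0x2, "O_RDWR"), (0x40, "O_CREAT"), (0x200, "O_TRUNC"),
              (0x400, "O_APPEND"), (0x10000, "O_DIRECTORY"), (0x20000, "O_NOFOLLOW"),
              (0x80000, "O_CLOEXEC")]


def parse_record(line):
    """Turn one 'type=... msg=audit(ts:serial): ...' line into a dict, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": m.group(3)}
    body = m.group(4)
    if rec["type"] == "AVC":
        avc = AVC_RE.search(body)
        rec["verdict"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    rec["fields"] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return rec


def group_events(text):
    """Group records by audit serial; a SYSCALL and its AVC records share one serial."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def decode_open_flags(value):
    """Decode the hex open(2) flags argument (a1) into flag names."""
    flags = int(value, 16)
    names = [name for bit, name in OPEN_FLAGS if flags & bit]
    if not flags & 0x3:          # access mode 0 is O_RDONLY
        names.insert(0, "O_RDONLY")
    return names


def explain_event(records):
    """Summarise one serial: what was attempted, by which domain, and what was denied."""
    out = {"syscall": None, "errno": None, "flags": [], "uid": None, "comm": None,
           "domain": None, "denied": [], "capabilities": [], "hint": ""}
    for rec in records:
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            num = int(f["syscall"])
            names = SYSCALLS_X86_64 if f.get("arch") == "c000003e" else {}
            out["syscall"] = names.get(num, "syscall#%d" % num)
            if f.get("success") == "no":      # exit carries -errno on failure
                out["errno"] = ERRNO.get(-int(f["exit"]), f["exit"])
            out["uid"] = int(f["uid"])
            out["comm"] = f["comm"]
            if out["syscall"] == "open":      # a1 holds the open(2) flags
                out["flags"] = decode_open_flags(f["a1"])
        elif rec["type"] == "AVC" and rec["verdict"] == "denied":
            out["domain"] = f["scontext"].split(":")[2]
            out["denied"].append((f["tclass"], tuple(rec["perms"])))
            if f["tclass"] == "capability":
                cap = int(f["capability"])
                out["capabilities"].append(CAPABILITIES.get(cap, "CAP_%d" % cap))
    # A uid 0 process being refused DAC-bypass capabilities means it opened a file whose
    # permission bits exclude it; find that file before choosing dontaudit or allow.
    dac = {"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"} & set(out["capabilities"])
    if dac and out["uid"] == 0:
        out["hint"] = ("uid 0 process in %s hit a DAC permission check; identify the file "
                       "(a watch such as auditctl -w) before choosing dontaudit or allow"
                       % out["domain"])
    return out


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE_AUDIT).items():
        print(serial, explain_event(recs))
```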
 
01-26-2012, 01:30 PM
David Highley

Fedora 16 and procmail

"Miroslav Grepl wrote:"
>
> I guess this relates to
>
> allow spamc_t shadow_t:file read;
>
>
> Could you re-test it with the following:
>
> Turn on full auditing
> $ auditctl -w /etc/shadow -p w
>
> Try to recreate AVC. Then execute
> $ ausearch -m avc -ts recent
>
>

----
time->Thu Jan 26 03:09:06 2012
type=SYSCALL msg=audit(1327576146.116:514): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576146.116:514): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576146.116:514): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:09:06 2012
type=SYSCALL msg=audit(1327576146.382:515): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576146.382:515): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576146.382:515): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:09:08 2012
type=SYSCALL msg=audit(1327576148.073:517): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f3a7b4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=15544 pid=15545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576148.073:517): avc: denied { dac_read_search } for pid=15545 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576148.073:517): avc: denied { dac_override } for pid=15545 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:12:07 2012
type=SYSCALL msg=audit(1327576327.808:520): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576327.808:520): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576327.808:520): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:12:07 2012
type=SYSCALL msg=audit(1327576327.907:521): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576327.907:521): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576327.907:521): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:12:09 2012
type=SYSCALL msg=audit(1327576329.329:522): arch=c000003e syscall=2 success=no exit=-13 a0=7f2fb56e6b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17479 pid=17480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327576329.329:522): avc: denied { dac_read_search } for pid=17480 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327576329.329:522): avc: denied { dac_override } for pid=17480 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:29:01 2012
type=SYSCALL msg=audit(1327577341.693:530): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327577341.693:530): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327577341.693:530): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:29:01 2012
type=SYSCALL msg=audit(1327577341.741:531): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327577341.741:531): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327577341.741:531): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jan 26 03:29:02 2012
type=SYSCALL msg=audit(1327577342.749:532): arch=c000003e syscall=2 success=no exit=-13 a0=7f3bbe851b5a a1=80000 a2=1b6 a3=238 items=0 ppid=17751 pid=17752 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327577342.749:532): avc: denied { dac_read_search } for pid=17752 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327577342.749:532): avc: denied { dac_override } for pid=17752 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux