fedora-selinux January 2012 archive

Re: Fedora 16 and procmail

From: Miroslav Grepl <mgrepl_at_nospam>
Date: Mon Jan 23 2012 - 16:10:20 GMT
To: David Highley <dhighley@highley-recommended.com>

On 01/22/2012 03:33 AM, David Highley wrote:
> module myprocmail 1.0;
>
> require {
> type quota_db_t;
> type etc_aliases_t;
> type procmail_t;
> type admin_home_t;
> type spamc_t;
> type shadow_t;
> class file { getattr read open append lock };
> class dir { getattr read open write };
> class capability { dac_read_search dac_override };
> }
>
> #============= procmail_t ==============
> allow procmail_t etc_aliases_t:file { getattr read open };
> allow procmail_t quota_db_t:file { getattr append open lock };
> allow procmail_t admin_home_t:dir write;
> allow procmail_t admin_home_t:file open;
> allow spamc_t self:capability { dac_read_search dac_override };
> allow spamc_t shadow_t:file read;
>
Could you attach raw AVC msgs for these rules? What is procmail writing
to admin homedir?

And I think we should add

auth_dontaudit_read_shadow(spamc_t)

> Then everytime we do a restorecon -vR for a home directory we get the
> following and if you repeat the command you will get the same output.
> We did do, semanage fcontext -a -e /home /export/home, so selinux knows
> that this is a home directory structure for NFS automounting.
>
> restorecon -vR /export/home/chighley
> restorecon reset /export/home/chighley/.pyzor context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
> restorecon reset /export/home/chighley/.pyzor/servers context system_u:object_r:spamc_home_t:s0->system_u:object_r:pyzor_home_t:s0
> restorecon reset /export/home/chighley/.razor context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/identity context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/razor-agent.log context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c101.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c102.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c103.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c104.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c105.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c118.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c121.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c122.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c123.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c301.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c302.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c303.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c304.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.c305.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.folly.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.joy.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.n001.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.n002.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.n003.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/server.n004.cloudmark.com.conf context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.catalogue.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.discovery.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.nomination.lst context unconfined_u:object_r:spamc_home_t:s0->unconfined_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.catalogue.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0
> restorecon reset /export/home/chighley/.razor/servers.nomination.lst.lock context system_u:object_r:spamc_home_t:s0->system_u:object_r:razor_home_t:s0

We treat spamc and razor policy together using aliases; this is the reason why you see it. Nothing is broken.
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

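An added example, not part of this thread and not Fedora policy tooling: the reply above asks for the raw AVC messages behind the audit2allow output and proposes auth_dontaudit_read_shadow(spamc_t) instead of an allow rule. The script below shows why that review step matters. It parses raw AVC denial records (the sample lines are constructed here; the thread never attached the real ones), aggregates them into audit2allow-style rules, and then triages them: a read of shadow_t becomes the dontaudit interface named in the thread, DAC-bypass capabilities and writes into admin_home_t are held back for investigation, and only the mundane denials become allow rules. The triage sets (SENSITIVE_TARGETS, SENSITIVE_CAPS, SHADOW_READ_PERMS) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the thread; the poster's rules came
# from audit2allow and the raw messages were never attached). They model the
# kinds of denials behind the quoted myprocmail module.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1327300000.123:4501): avc:  denied  { read } for  pid=2211 '
    'comm="spamc" name="shadow" dev="dm-0" ino=262301 '
    'scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1327300000.456:4502): avc:  denied  { dac_read_search } for  pid=2211 '
    'comm="spamc" capability=2 '
    'scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability',
    'type=AVC msg=audit(1327300001.001:4503): avc:  denied  { write } for  pid=2190 '
    'comm="procmail" name="root" dev="dm-0" ino=131073 '
    'scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1327300001.002:4504): avc:  denied  { getattr } for  pid=2190 '
    'comm="procmail" path="/etc/aliases" dev="dm-0" ino=131900 '
    'scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file',
    'type=AVC msg=audit(1327300001.003:4505): avc:  denied  { read open } for  pid=2190 '
    'comm="procmail" path="/etc/aliases" dev="dm-0" ino=131900 '
    'scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file',
]

# Matches the fixed parts of a kernel AVC denial: the permission set and the
# source/target contexts plus object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Triage policy (an assumption of this example, not Fedora's): denials against
# these targets or capabilities must never become plain allow rules unprompted.
SENSITIVE_TARGETS = {'shadow_t', 'admin_home_t'}
SENSITIVE_CAPS = {'dac_override', 'dac_read_search'}
SHADOW_READ_PERMS = {'getattr', 'read', 'open'}


def type_of(context):
    """user:role:type:level -> type."""
    return context.split(':')[2]


def parse_avcs(lines):
    """Aggregate raw AVC denials into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records and other noise are skipped
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def format_perms(perms):
    """Render a permission set the way audit2allow prints it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def triage(rules):
    """Split aggregated denials into (allows, dontaudits, review), each sorted."""
    allows, dontaudits, review = [], [], []
    for (stype, ttype, tclass), perms in rules.items():
        target = 'self' if stype == ttype else ttype
        rule = f'allow {stype} {target}:{tclass} {format_perms(perms)};'
        if ttype == 'shadow_t' and tclass == 'file' and perms <= SHADOW_READ_PERMS:
            # A mail filter has no business reading /etc/shadow: silence the
            # denial with the policy interface instead of granting the access.
            dontaudits.append(f'auth_dontaudit_read_shadow({stype})')
        elif tclass == 'capability' and perms & SENSITIVE_CAPS:
            review.append(f'REVIEW (DAC bypass; keep the raw AVC and explain it): {rule}')
        elif ttype in SENSITIVE_TARGETS:
            review.append(f'REVIEW (why does {stype} touch {ttype}?): {rule}')
        else:
            allows.append(rule)
    return sorted(allows), sorted(dontaudits), sorted(review)


if __name__ == '__main__':
    allows, dontaudits, review = triage(parse_avcs(SAMPLE_AVCS))
    for line in allows + dontaudits + review:
        print(line)
```

On a real host the input would be the output of ausearch -m avc rather than the constructed list; the point of the split is that the REVIEW lines are exactly the ones the reply above asks for raw messages about, and they stay out of the module until someone can explain them.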