fedora-selinux January 2012 archive

Re: Fedora 16 and procmail

From: Miroslav Grepl <mgrepl_at_nospam>
Date: Wed Jan 25 2012 - 16:51:36 GMT
To: David Highley <dhighley@highley-recommended.com>

On 01/25/2012 02:26 PM, David Highley wrote:
> "Miroslav Grepl wrote:"
>> On 01/22/2012 03:33 AM, David Highley wrote:
>>> module myprocmail 1.0;
>>>
>>> require {
>>> type quota_db_t;
>>> type etc_aliases_t;
>>> type procmail_t;
>>> type admin_home_t;
>>> type spamc_t;
>>> type shadow_t;
>>> class file { getattr read open append lock };
>>> class dir { getattr read open write };
>>> class capability { dac_read_search dac_override };
>>> }
>>>
>>> #============= procmail_t ==============
>>> allow procmail_t etc_aliases_t:file { getattr read open };
>>> allow procmail_t quota_db_t:file { getattr append open lock };
>>> allow procmail_t admin_home_t:dir write;
>>> allow procmail_t admin_home_t:file open;
>>> allow spamc_t self:capability { dac_read_search dac_override };
>>> allow spamc_t shadow_t:file read;
>>>
>> Could you attach raw AVC msgs for these rules? What is procmail writing
>> to admin homedir?
> After correcting some labels and removing the above policy, we are now only
> seeing these AVCs:
>
> ----
> time->Wed Jan 25 03:35:06 2012
> type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> ----
> time->Wed Jan 25 03:35:06 2012
> type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> ----
> time->Wed Jan 25 03:35:07 2012
> type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I guess this relates to

allow spamc_t shadow_t:file read;

Could you re-test it with the following:

Turn on full auditing
$ auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
$ ausearch -m avc -ts recent

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
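To make the triage done in this thread repeatable, here is an added example (my own code, not from the mail and not part of Fedora's SELinux tooling): a small Python script that groups audit records by their event serial, pairs the SYSCALL record with its AVC records, and flags the pattern discussed above, a root process in spamc_t denied dac_override/dac_read_search with no PATH record to say which file was involved. The embedded sample log contains the three events quoted above unchanged plus one constructed event (serial 9999, marked as such in the code) that shows the PATH record full auditing adds once the auditctl watch from the reply is in place. The syscall and errno tables are deliberately partial and the triage messages are heuristics for this thread's pattern, not a general policy analyzer.

```python
"""Group Linux audit records by event serial and triage SELinux capability denials.

Added example, not code from the mail or from Fedora's tooling. The sample log
embeds the three events quoted in the thread plus one CONSTRUCTED event (serial
9999) showing the PATH record that full auditing (auditctl -w ...) adds.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1327491306.480:1221): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.480:1221): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=SYSCALL msg=audit(1327491306.521:1222): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491306.521:1222): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=SYSCALL msg=audit(1327491307.991:1224): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=0 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_read_search } for pid=1129 comm="spamassassin" capability=2 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=AVC msg=audit(1327491307.991:1224): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
# CONSTRUCTED event: the same denial as seen with full auditing enabled (PATH record present)
type=SYSCALL msg=audit(1327491400.000:9999): arch=c000003e syscall=2 success=no exit=-13 a0=7f62754a4b5a a1=80000 a2=1b6 a3=238 items=1 ppid=1128 pid=1129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1327491400.000:9999): avc: denied { dac_override } for pid=1129 comm="spamassassin" capability=1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
type=PATH msg=audit(1327491400.000:9999): item=0 name="/etc/shadow" inode=131399 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
"""

# One audit record per line: "type=X msg=audit(<ts>:<serial>): key=value ..."
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")

# Partial tables (assumption: only the values this thread needs; arch=c000003e is x86_64).
SYSCALL_X86_64 = {2: "open", 257: "openat"}
ERRNO = {-13: "EACCES", -1: "EPERM", -2: "ENOENT"}
DAC_CAPS = {"dac_override", "dac_read_search"}


def parse_records(text):
    """Return {serial: [record dicts]}, keeping record order within each event."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:          # comments and blank lines are skipped
            continue
        rec = {"type": m.group("type")}
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("body")))
        d = DENIED_RE.search(m.group("body"))
        if d:
            rec["denied"] = d.group(1).split()   # e.g. ["dac_override"]
        events[int(m.group("serial"))].append(rec)
    return dict(events)


def _type_of(context):
    """'system_u:system_r:spamc_t:s0' -> 'spamc_t' (third field of a SELinux context)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize_event(serial, recs):
    """Fold the SYSCALL, AVC and PATH records of one event into a flat summary."""
    syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
    avcs = [r for r in recs if r["type"] == "AVC"]
    paths = [r for r in recs if r["type"] == "PATH"]
    nr = int(syscall["syscall"]) if "syscall" in syscall else None
    rc = int(syscall["exit"]) if "exit" in syscall else None
    return {
        "serial": serial,
        "comm": syscall.get("comm") or (avcs[0].get("comm") if avcs else None),
        "exe": syscall.get("exe"),
        "uid": int(syscall["uid"]) if "uid" in syscall else None,
        "syscall": SYSCALL_X86_64.get(nr, nr),
        "errno": ERRNO.get(rc, rc),
        "domain": _type_of(avcs[0]["scontext"]) if avcs else _type_of(syscall.get("subj", "")),
        # (permission, object class) pairs, deduplicated across the event's AVC records
        "denials": sorted({(p, r["tclass"]) for r in avcs for p in r.get("denied", [])}),
        # (path, SELinux type) pairs; empty unless full auditing produced PATH records
        "paths": [(p.get("name"), _type_of(p.get("obj", ""))) for p in paths],
    }


def triage(summary):
    """Return (tag, advice) for one event. Heuristics for this thread's pattern only."""
    caps = {perm for perm, cls in summary["denials"] if cls == "capability"} & DAC_CAPS
    who = f"{summary['comm']} ({summary['domain']}, uid={summary['uid']})"
    if caps and not summary["paths"]:
        # a0 is just a user-space pointer to the filename, so the target is unknown
        return ("dac-denial-no-path",
                f"{who} denied {sorted(caps)} on {summary['syscall']} -> {summary['errno']}; "
                "target file unknown: turn on full auditing (auditctl -w /etc/shadow -p w), "
                "recreate, then ausearch -m avc -ts recent")
    if caps:
        name, typ = summary["paths"][0]
        return ("dac-denial",
                f"{who} needed {sorted(caps)} to open {name} (type {typ}); review why the "
                "service opens it rather than allowing the capability in policy")
    if summary["denials"]:
        return ("other-denial", f"{who} denied {summary['denials']}")
    return ("clean", f"{who}: no AVC records")


def report(text=SAMPLE_AUDIT_LOG):
    """Triage every event in the log, oldest serial first."""
    events = parse_records(text)
    return [triage(summarize_event(s, r)) for s, r in sorted(events.items())]


if __name__ == "__main__":
    for tag, advice in report():
        print(f"[{tag}] {advice}")
```

Run against real data with `ausearch -m avc -ts recent | python3 audit_triage.py` style piping by replacing the embedded sample with `sys.stdin.read()`. The reason the capability denial and the shadow_t rule belong together: a root process only needs CAP_DAC_OVERRIDE (or CAP_DAC_READ_SEARCH for read-only access) when the target's own mode bits deny it, and /etc/shadow on Fedora is mode 0000, so a root daemon hitting these denials on a read-only open(2) is consistent with an attempt to read it. Without the PATH record the AVC alone cannot prove that, which is why the reply asks for full auditing before any policy change is made.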