Bug 492552

Summary: SELinux is preventing dccproc (dcc_client_t)
Product: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: low
Reporter: Eddie Lania <eddie>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2009-06-08 12:41:38 UTC

Description Eddie Lania 2009-03-27 12:23:47 UTC
Description of problem: setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 13:20:56 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 13:20:56 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e


Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-53.fc10.noarch
libselinux-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386
selinux-policy-targeted-3.5.13-53.fc10.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:
DCC not allowed by SELinux

Expected results:
DCC working properly.

Additional info:

Comment 1 Daniel Walsh 2009-03-27 12:55:11 UTC
Miroslav please add

/var/lib/dcc(/.*)?			gen_context(system_u:object_r:dcc_var_t,s0)

Eddie, if you add this context until we get updated policy your app should work

chcon -R -t dcc_var_t /var/lib/dcc

Comment 2 Eddie Lania 2009-03-29 19:55:49 UTC
I did what you said. But I am still seeing these messages:

Mar 29 04:51:49 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 05:10:03 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 07:08:40 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 10:02:30 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 13:06:54 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 16:02:29 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 18:01:51 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
Mar 29 21:38:10 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654

Comment 3 Miroslav Grepl 2009-03-30 11:53:51 UTC
Dan, 
probably we should also add

manage_dirs_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
manage_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)

Comment 4 Daniel Walsh 2009-03-30 14:28:25 UTC
The only question I have is whether this access is needed or is this a leaked file descriptor?  Is this a Fedora package?  dcc_client?

Comment 5 Eddie Lania 2009-03-30 17:02:34 UTC
Sorry, my bad, it is not. However it used to be in the past.

DCC is used for spamfiltering although it is by default disabled in spamassassin:

/etc/mail/spamassassin/v310.pre:

# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source.  See the DCC
# license for more details.
#
#loadplugin Mail::SpamAssassin::Plugin::DCC


It is however a great addition to spamassassin and that's why I downloaded and compiled the dcc package and enabled it to be used by spamassassin.

Is that a problem?

Regards,

Eddie.

Comment 6 Daniel Walsh 2009-03-30 17:21:03 UTC
No this is not a problem, I just do not know if the dcc_client needs to be able to read/write the map file or this is just the service leaking an open file descriptor.  (I actually know almost nothing about dcc.)

Comment 7 Eddie Lania 2009-03-30 17:32:37 UTC
As far as I can tell, it should be read/writable.

It is used to map the dcc servers and regularly updated by the tool itself.

Comment 8 Eddie Lania 2009-03-30 17:43:19 UTC
From the dcc homepage: http://www.dcc-servers.net/dcc/


DCC clients pick the nearest working DCC server using a small shared or
memory mapped file, /var/lib//dcc/map.  It contains server names, port numbers,
passwords, recent performance measures, and so forth.  This file allows clients
to use quick retransmission timeouts and to waste little time on servers that
have temporarily stopped working or become unreachable.  The utility program
cdcc(8) is used to maintain this file as well as to check the health of servers.

Cdcc is used to clear, control, and query the control file used by Distributed
Checksum Clearinghouse clients such as dccm(8).  The host names, UDP port
numbers, IDs, and passwords local clients use to talk to servers as well as IP
addresses, round trip times, and other information are contained in the map
file.  While cdcc is set-UID, it uses the real UID only when accessing the map
file.  It refuses to display sensitive information such as passwords unless the
real UID is the same as the effective UID.  Note that cdcc needs to be set to a
UID that can read and write the map file, but that UID need not be 0.

Comment 9 Daniel Walsh 2009-03-30 18:05:43 UTC
Ok are there any other files in that directory, That the client should not be able to write?

Comment 10 Eddie Lania 2009-03-30 18:40:35 UTC
(In reply to comment #9)
> Ok are there any other files in that directory, That the client should not be
> able to write?  

The ./map file seems to be the only file that needs to be accessed by the client.

[root@ls2ka dcc]# ls -lisa
total 80
1677159 4 drwxr-xr-x  5 root bin  4096 2009-03-02 11:31 .
1267282 4 drwxr-xr-x 48 root root 4096 2009-03-17 19:49 ..
1677203 4 drwxr-xr-x  3 root root 4096 2009-03-02 11:31 build
1677192 4 drwxr-xr-x  2 root bin  4096 2009-03-02 11:31 cgi-bin
1677161 8 -rw-r--r--  1 root bin  5452 2009-03-02 11:28 dcc_conf
1677158 8 -rw-r--r--  1 root root 5452 2009-03-02 11:31 dcc_conf-new
1677162 4 -rw-r--r--  1 root bin   797 2009-03-02 11:28 flod
1677163 4 -rw-r--r--  1 root bin   427 2009-03-02 11:28 grey_flod
1677165 4 -rw-r--r--  1 root bin   496 2009-03-02 11:28 grey_whitelist
1677168 4 -rw-------  1 root root 2430 2009-03-02 11:28 ids
1677160 4 drwx--x---  2 root bin  4096 2009-03-02 11:28 log
1677169 8 -rw-------  1 root root 7564 2009-03-30 20:35 map
1677170 4 -rw-------  1 root root  403 2009-03-02 11:28 map.txt
1677166 8 -rw-r--r--  1 root bin  4138 2009-03-02 11:28 whiteclnt
1677167 4 -rw-r--r--  1 root bin  1667 2009-03-02 11:28 whitecommon
1677164 4 -rw-r--r--  1 root bin   864 2009-03-02 11:28 whitelist
[root@ls2ka dcc]# pwd
/var/lib/dcc

Comment 11 Miroslav Grepl 2009-04-03 13:58:41 UTC
Eddie, 

could you also try to execute

# chcon -t dcc_client_map_t /var/lib/dcc/map


It should work.

Comment 12 Eddie Lania 2009-04-06 08:27:02 UTC
Yes, I believe it works.

Comment 13 Miroslav Grepl 2009-04-07 13:32:03 UTC
Fixed in selinux-policy-3.5.13-55.fc10
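
The exchange above follows the usual path for an SELinux denial: the setroubleshoot lines name the source type (dcc_client_t), the target type (var_lib_t, later dcc_var_t) and the permissions refused; a blanket allow rule on var_lib_t would have "fixed" it but would let every DCC client write every file under /var/lib, which is why comments 4 and 9 ask whether the access is legitimate and whether other files in the directory would be exposed. The final fix is the narrow one: give the single file a type the policy already lets dcc_client_t read and write. The script below is an added example, not code from this bug or from the selinux-policy package; it parses the setroubleshoot lines quoted in the thread (embedded as constructed sample input), collapses them into the allow rule audit2allow would propose, checks which paths the comment 1 file-context pattern would label, and reports which existing target types already grant the denied permissions. The process cwd (/var/lib/dcc, taken from the pwd output in comment 10) and the ASSUMED_ALLOW table are assumptions standing in for /proc/PID/cwd and `sesearch -A -s dcc_client_t -c file` on a real policy; only the dcc_client_map_t entry is supported by the thread (comments 11 and 12).

```python
import re
import posixpath
from collections import defaultdict

# Constructed sample input: the setroubleshoot lines quoted in this bug
# (description and comment 2), one per distinct denial.
SAMPLE_LOG = """\
Mar 27 13:20:56 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 13:20:56 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 13:20:56 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 29 04:51:49 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "write" to ./map (dcc_var_t). For complete SELinux messages. run sealert -l 5b6b2eb4-3ea6-4e09-a620-2e3dc660d654
"""

# The file-context pattern proposed in comment 1.
FC_REGEX = r"/var/lib/dcc(/.*)?"

# ASSUMPTION: a stand-in for `sesearch -A -s dcc_client_t -c file` on the real
# policy. The thread shows that relabelling the map file to dcc_client_map_t
# (comment 11) resolves the denials, i.e. dcc_client_t already holds read/write
# on that type, while nothing grants it var_lib_t or dcc_var_t files before
# selinux-policy-3.5.13-55. The exact permission set is not on the page.
ASSUMED_ALLOW = {
    ("dcc_client_t", "dcc_client_map_t"):
        frozenset({"read", "write", "getattr", "lock", "open", "ioctl"}),
}

# One setroubleshoot summary line: process, source type, quoted permission
# list, target path (absolute, or relative to the process cwd) and target type.
LINE_RE = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<comm>\S+) \((?P<stype>\w+)\) '
    r'"(?P<perms>[^"]+)" to (?P<path>\S+) \((?P<ttype>\w+)\)'
)


def parse_denials(log_text, cwd="/var/lib/dcc"):
    """Parse setroubleshoot lines into dicts; relative paths are joined to cwd.

    cwd is an ASSUMPTION taken from the `pwd` output in comment 10; for a
    live process confirm it with /proc/<pid>/cwd or the full AVC record.
    """
    denials = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith("/"):
            path = posixpath.normpath(posixpath.join(cwd, path))
        denials.append({
            "comm": m.group("comm"),
            "stype": m.group("stype"),
            "perms": frozenset(m.group("perms").split()),
            "path": path,
            "ttype": m.group("ttype"),
        })
    return denials


def summarize(denials):
    """Collapse denials to {(source type, target type): union of permissions}."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["stype"], d["ttype"])] |= d["perms"]
    return {key: frozenset(perms) for key, perms in summary.items()}


def allow_rule(stype, ttype, perms, tclass="file"):
    """The rule audit2allow would emit for this denial: broad, and usually the wrong fix."""
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def fcontext_matches(fc_regex, path):
    """file_contexts patterns are applied as regexes anchored to the whole path."""
    return re.fullmatch(fc_regex, path) is not None


def candidate_types(summary, key, allow=ASSUMED_ALLOW):
    """Existing target types that already grant every denied permission for key.

    Relabelling the one file to such a type is the narrow fix; an allow rule
    on var_lib_t would instead open every /var/lib file to the client.
    """
    stype, _ = key
    needed = summary[key]
    return sorted(ttype for (s, ttype), granted in allow.items()
                  if s == stype and needed <= granted)


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_LOG))
    for key, perms in summary.items():
        print(allow_rule(*key, perms))
        print("  existing types already permitted:", candidate_types(summary, key) or "none")
    for p in ("/var/lib/dcc/map", "/var/lib/dcc", "/var/lib/dccfoo"):
        print(p, "matches", FC_REGEX, "->", fcontext_matches(FC_REGEX, p))
```

Two caveats the thread leaves implicit. First, `chcon` changes only the inode label and is undone by the next relabel (`restorecon`, `fixfiles`, or a touch of `/.autorelabel`), so until a policy update ships the persistent form of comment 11 is `semanage fcontext -a -t dcc_client_map_t /var/lib/dcc/map` followed by `restorecon -v /var/lib/dcc/map`. Second, the `./map` in the first and fourth lines is a cwd-relative path as seen by dccproc; the script resolves it against an assumed cwd, and on a real system the full AVC record from `ausearch -m avc` (which carries the inode and device) is what confirms it is the same file as `/var/lib/dcc/map`.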

Comment 14 Eddie Lania 2009-06-06 07:46:20 UTC
close bug?