Bug 809803
| Summary: | let procmail use fusefs_t files if use_fusefs_home_dirs is on | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michael J. Chudobiak <mjc> | ||||||
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 16 | CC: | dwalsh | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | selinux-policy-3.10.0-84.fc16 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-04-22 03:35:27 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Michael J. Chudobiak
2012-04-04 12:32:43 UTC
We need to see raw AVC msgs. grep procmail /var/log/audit/audit.log [root@ulmo ~]# audit2allow -a
#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t, procmail_log_t
allow procmail_t home_root_t:dir write;
allow procmail_t usr_t:file execute;
type=AVC msg=audit(1333542605.554:2545088): avc: denied { write } for pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1333542605.554:2545088): arch=c000003e syscall=83 success=no exit=-13 a0=1626480 a1=1ff a2=ffffffffffffffa0 a3=5d items=0 ppid=14628 pid=14632 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
I'll attached a more complete log, which will also have some procmail denials related to bug 809813.
Created attachment 575122 [details]
procmail selinux denial log
This is strange since the Maildir is labeled home_root_t. Could you run restorecon -R -v /home To see if this changes labeles. I'm not sure what happened. Anyway, I ran the restorecon, and it shows proper labels now. I'll attach the log in a moment. Here's the summary:
[root@ulmo audit]# audit2allow -i mike.log
#============= amavis_t ==============
allow amavis_t var_yp_t:file { read open };
#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t
allow procmail_t fusefs_t:dir { write remove_name add_name };
#!!!! The source type 'procmail_t' can write to a 'file' of the following types:
# mail_spool_t, user_home_t, procmail_tmp_t
allow procmail_t fusefs_t:file { write getattr link read create unlink open };
Created attachment 575499 [details]
log with correct labelling for fuse filesystem
Daniel: side issue - how do I force an audit.log rotation in a systemd world? "service auditd rotate" no longer works, of course. I fixed them. Michael I don't know ask on the audit list. selinux-policy-3.10.0-82.fc16 in koji seems to fix everything for me. Thanks! selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16 selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |