Bug 809803
| Field | Value |
|---|---|
| Summary | let procmail use fusefs_t files if use_fusefs_home_dirs is on |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 16 |
| Status | CLOSED ERRATA |
| Reporter | Michael J. Chudobiak <mjc> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Ben Levenson <benl> |
| CC | dwalsh |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | selinux-policy-3.10.0-84.fc16 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2012-04-22 03:35:27 UTC |
Description
Michael J. Chudobiak
2012-04-04 12:32:43 UTC
We need to see raw AVC msgs.

```
grep procmail /var/log/audit/audit.log
```

```
[root@ulmo ~]# audit2allow -a

#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t, procmail_log_t

allow procmail_t home_root_t:dir write;
allow procmail_t usr_t:file execute;
```

```
type=AVC msg=audit(1333542605.554:2545088): avc: denied { write } for pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1333542605.554:2545088): arch=c000003e syscall=83 success=no exit=-13 a0=1626480 a1=1ff a2=ffffffffffffffa0 a3=5d items=0 ppid=14628 pid=14632 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
```

I'll attach a more complete log, which will also have some procmail denials related to bug 809813.

Created attachment 575122 [details]
procmail selinux denial log
This is strange since the Maildir is labeled home_root_t. Could you run

```
restorecon -R -v /home
```

to see if this changes labels.

I'm not sure what happened. Anyway, I ran the restorecon, and it shows proper labels now. I'll attach the log in a moment. Here's the summary:

```
[root@ulmo audit]# audit2allow -i mike.log

#============= amavis_t ==============
allow amavis_t var_yp_t:file { read open };

#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t
allow procmail_t fusefs_t:dir { write remove_name add_name };

#!!!! The source type 'procmail_t' can write to a 'file' of the following types:
# mail_spool_t, user_home_t, procmail_tmp_t
allow procmail_t fusefs_t:file { write getattr link read create unlink open };
```

Created attachment 575499 [details]
log with correct labelling for fuse filesystem
Daniel: side issue - how do I force an audit.log rotation in a systemd world? "service auditd rotate" no longer works, of course.

I fixed them.

Michael, I don't know; ask on the audit list.

selinux-policy-3.10.0-82.fc16 in koji seems to fix everything for me. Thanks!

selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
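As an added example (not code from this bug report or from audit2allow), the following Python script parses raw `type=AVC` records of the form quoted above into the audit2allow-style `allow` rules shown in the thread, and then applies a triage heuristic of my own that distinguishes the two outcomes discussed here: a `home_root_t` target on a mail directory points to mislabelled files (fix with `restorecon`, not a new rule), while a `procmail_t` denial on `fusefs_t` is what the `use_fusefs_home_dirs` boolean is for. The sample log is constructed; it reuses the two records from the bug plus one constructed `fusefs_t` denial.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC/SYSCALL pair quoted in this bug plus one
# constructed fusefs_t denial of the kind audit2allow summarised later in the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1333542605.554:2545088): avc: denied { write } for pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1333542605.554:2545088): arch=c000003e syscall=83 success=no exit=-13 comm="procmail" exe="/usr/bin/procmail"
type=AVC msg=audit(1333600000.001:1): avc: denied { write add_name } for pid=15000 comm="procmail" name="new" scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:fusefs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def summarise(log):
    """Collapse denials into audit2allow-style rules, one per (stype, ttype, tclass)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, log.splitlines())):
        rules[(stype, ttype, tclass)] |= perms
    out = set()
    for (s, t, c), p in rules.items():
        ptxt = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        out.add(f"allow {s} {t}:{c} {ptxt};")
    return out

def triage(log):
    """Assumed heuristic (not audit2allow's): home_root_t on a mail dir means a mislabel,
    so relabel rather than allow; procmail_t on fusefs_t is what use_fusefs_home_dirs is for."""
    advice = []
    for stype, ttype, tclass, _ in filter(None, map(parse_avc, log.splitlines())):
        if stype == "procmail_t" and ttype == "fusefs_t":
            advice.append("setsebool -P use_fusefs_home_dirs on")
        elif ttype == "home_root_t" and tclass == "dir":
            advice.append("restorecon -R -v /home")
    return advice
```

Run `summarise(open("/var/log/audit/audit.log").read())` to get the rule view and `triage(...)` for the suggested fix; a custom `allow` rule should be the last resort once relabelling and booleans have been ruled out.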