libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.2.2-1.fc16.x86_64
reason: SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the None /var/spool/mail/nieks.
time: Mon 30 Jan 2012 03:56:25 PM CET

description:
:SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the None /var/spool/mail/nieks.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that procmail should be allowed getattr access on the nieks <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep procmail /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:procmail_t:s0
:Target Context system_u:object_r:quota_db_t:s0
:Target Objects /var/spool/mail/nieks [ None ]
:Source procmail
:Source Path /usr/bin/procmail
:Port <Unknown>
:Host (removed)
:Source RPM Packages
:Target RPM Packages
:Policy RPM <Unknown>
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.2.2-1.fc16.x86_64 #1
: SMP Thu Jan 26 03:21:58 UTC 2012 x86_64 x86_64
:Alert Count 5
:First Seen Mon 30 Jan 2012 03:28:08 PM CET
:Last Seen Mon 30 Jan 2012 03:28:10 PM CET
:Local ID 0aae3bba-4acd-4870-b930-cfe862fc5a7a
:
:Raw Audit Messages
:type=AVC msg=audit(1327933690.369:1547): avc: denied { getattr } for pid=16340 comm="procmail" path="/var/spool/mail/nieks" dev=dm-2 ino=13894602 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:quota_db_t:s0 tclass=file
:
:node=(removed) type=SYSCALL msg=audit(1327933690.369:1547): arch=c000003e syscall=6 success=no exit=-13 a0=24883e0 a1=7fff50151fc0 a2=7fff50151fc0 a3=2e items=0 ppid=16224 pid=16340 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=12 fsgid=1000 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
:
:
:Hash: procmail,procmail_t,quota_db_t,None,getattr
:
:audit2allow
:
:
:audit2allow -R
:
:
This looks like /var/spool/mail/nieks is mislabeled, why is it labeled quota_db_t?
$ runcon -u system_u -r system_r -t initrc_t -- runcon -t quota_t -- touch /var/spool/mail/test_bad_label
$ ls -lZ /var/spool/mail/test_bad_label
-rw-r--r--. root root system_u:object_r:quota_db_t:s0 /var/spool/mail/test_bad_label

optional_policy(`
	mta_spool_filetrans(quota_t, quota_db_t, file)
	mta_spool_filetrans(quota_t, quota_db_t, file)
	mta_spool_filetrans_queue(quota_t, quota_db_t,file)
')

I guess it relates to user quota on the /var/spool/mail directory. Niclas, did you set it up?
I didn't do anything special in /var/spool. I get this on a fresh F16 install. Interestingly, root's labels are correct.

$ ls -lZ /var/spool/mail/
-rw-rw----. amit mail system_u:object_r:quota_db_t:s0 amit
-rw-------. root root system_u:object_r:mail_spool_t:s0 root
-rw-rw----. rpc mail system_u:object_r:mail_spool_t:s0 rpc
Strange. You can fix it using

# restorecon -R -v /var/spool/mail/amit
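The diagnosis in the comments above (the denial is on an object whose label is not what the policy would assign to that path, so the fix is restorecon rather than audit2allow) can be automated. The following is an added example for this thread, not part of the bug report, of setroubleshoot or of libselinux. It parses the raw AVC line quoted in the report and compares the object's observed type with the type a file_contexts lookup would give. EXPECTED_TYPES is a constructed stand-in for that lookup so the script runs on a host without SELinux; on a real system you would replace lookup_default_type() with the matchpathcon() binding from libselinux's Python module. The second and third sample lines are constructed, not from the report, and only exist to exercise the other two outcomes.

```python
"""Triage an SELinux AVC denial: mislabeled object, or a real policy gap?

Added example for this thread (not setroubleshoot's own plugin logic).
"""
import re
from dataclasses import dataclass

# Constructed subset of file_contexts: (path regex, default type).
# Assumption for this example; a real host would consult matchpathcon().
EXPECTED_TYPES = [
    (re.compile(r"^/var/spool/mail(/.*)?$"), "mail_spool_t"),
    (re.compile(r"^/var/spool/mqueue(/.*)?$"), "mqueue_spool_t"),
    (re.compile(r"^/(a)?quota\.(user|group)$"), "quota_db_t"),
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The AVC from the original report, unchanged.
SAMPLE_AVC = ('type=AVC msg=audit(1327933690.369:1547): avc: denied { getattr } for '
              'pid=16340 comm="procmail" path="/var/spool/mail/nieks" dev=dm-2 ino=13894602 '
              'scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:quota_db_t:s0 '
              'tclass=file')
# Constructed lines (not from the report): a correctly labelled object that
# the policy still denies, and a path the constructed table knows nothing about.
SAMPLE_POLICY_GAP = ('type=AVC msg=audit(1327933700.000:1550): avc: denied { write } for '
                     'pid=16341 comm="procmail" path="/var/spool/mail/nieks" dev=dm-2 ino=13894602 '
                     'scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 '
                     'tclass=file')
SAMPLE_UNKNOWN = ('type=AVC msg=audit(1327933710.000:1560): avc: denied { read } for '
                  'pid=16342 comm="procmail" path="/srv/mailstore/nieks" dev=dm-2 ino=99 '
                  'scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0 '
                  'tclass=file')


@dataclass
class Avc:
    perms: list
    fields: dict

    def _type(self, key):
        # A context is user:role:type[:range]; the type is always the third field,
        # so this also works for MLS contexts like s0-s0:c0.c1023.
        return self.fields[key].split(":")[2]

    @property
    def stype(self):
        return self._type("scontext")

    @property
    def ttype(self):
        return self._type("tcontext")


def parse_avc(line):
    """Return an Avc for one 'avc: denied' record, or raise ValueError."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return Avc(perms=m.group("perms").split(), fields=fields)


def lookup_default_type(path):
    """First matching entry wins, mirroring how file_contexts is consulted."""
    for rx, t in EXPECTED_TYPES:
        if rx.match(path):
            return t
    return None


def triage(line):
    """Classify a denial: (kind, Avc, default_type, advice).

    kind is 'mislabel' (object type differs from its default: relabel it),
    'policy' (label is right: the policy itself lacks the rule) or 'unknown'
    (no path, or no default known for it).
    """
    avc = parse_avc(line)
    path = avc.fields.get("path")
    default = lookup_default_type(path) if path else None
    if default is None:
        return "unknown", avc, None, "no default context known for %r" % path
    if default != avc.ttype:
        # The situation in this report: relabel, do not loosen the policy.
        return ("mislabel", avc, default,
                "restorecon -v %s  # %s -> %s" % (path, avc.ttype, default))
    return ("policy", avc, default,
            "label is correct; policy lacks: allow %s %s:%s { %s };"
            % (avc.stype, avc.ttype, avc.fields.get("tclass"), " ".join(avc.perms)))


if __name__ == "__main__":
    for sample in (SAMPLE_AVC, SAMPLE_POLICY_GAP, SAMPLE_UNKNOWN):
        kind, avc, default, advice = triage(sample)
        print("%-8s %s -> %s (%s): %s" % (kind, avc.stype, avc.ttype, " ".join(avc.perms), advice))
```

Run over the report's own AVC, triage() returns "mislabel" with the advice to run restorecon on /var/spool/mail/nieks; the point of the split is that audit2allow on a mislabel would bake a rule allowing procmail_t to touch quota_db_t into the local policy, which is exactly the kind of accidental widening the catchall plugin's suggestion would produce here.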
*** Bug 788261 has been marked as a duplicate of this bug. ***
Is bug 758529 a dupe as well?
On my Fedora 16 with selinux-policy-targeted-3.10.0-75.fc16.noarch and selinux-policy-3.10.0-75.fc16.noarch I see this output:

# sesearch --all -C | grep quota_db_t | grep mail_spool_t
ERROR: Cannot get avrules: Neverallow rules requested but not available
type_transition fsadm_t mail_spool_t : file quota_db_t;
type_transition mono_t mail_spool_t : file quota_db_t;
type_transition nova_vncproxy_t mail_spool_t : file quota_db_t;
type_transition devicekit_disk_t mail_spool_t : file quota_db_t;
type_transition depmod_t mail_spool_t : file quota_db_t;
type_transition crond_t mail_spool_t : file quota_db_t;
type_transition nagios_unconfined_plugin_t mail_spool_t : file quota_db_t;
type_transition wine_t mail_spool_t : file quota_db_t;
type_transition anaconda_t mail_spool_t : file quota_db_t;
type_transition httpd_unconfined_script_t mail_spool_t : file quota_db_t;
type_transition udev_t mail_spool_t : file quota_db_t;
type_transition bootloader_t mail_spool_t : file quota_db_t;
type_transition unconfined_cronjob_t mail_spool_t : file quota_db_t;
type_transition puppet_t mail_spool_t : file quota_db_t;
type_transition unconfined_execmem_t mail_spool_t : file quota_db_t;
type_transition rgmanager_t mail_spool_t : file quota_db_t;
type_transition devicekit_t mail_spool_t : file quota_db_t;
type_transition nova_direct_t mail_spool_t : file quota_db_t;
type_transition nova_api_t mail_spool_t : file quota_db_t;
type_transition ada_t mail_spool_t : file quota_db_t;
type_transition rpm_t mail_spool_t : file quota_db_t;
type_transition unconfined_java_t mail_spool_t : file quota_db_t;
type_transition nova_network_t mail_spool_t : file quota_db_t;
type_transition unconfined_mono_t mail_spool_t : file quota_db_t;
type_transition samba_unconfined_script_t mail_spool_t : file quota_db_t;
type_transition nova_objectstore_t mail_spool_t : file quota_db_t;
type_transition abrt_handle_event_t mail_spool_t : file quota_db_t;
type_transition system_cronjob_t mail_spool_t : file quota_db_t;
type_transition samba_unconfined_net_t mail_spool_t : file quota_db_t;
type_transition setfiles_mac_t mail_spool_t : file quota_db_t;
type_transition insmod_t mail_spool_t : file quota_db_t;
type_transition nova_scheduler_t mail_spool_t : file quota_db_t;
type_transition rpm_script_t mail_spool_t : file quota_db_t;
type_transition inetd_child_t mail_spool_t : file quota_db_t;
type_transition unconfined_dbusd_t mail_spool_t : file quota_db_t;
type_transition nova_volume_t mail_spool_t : file quota_db_t;
type_transition kernel_t mail_spool_t : file quota_db_t;
type_transition initrc_t mail_spool_t : file quota_db_t;
type_transition lvm_t mail_spool_t : file quota_db_t;
type_transition virtd_t mail_spool_t : file quota_db_t;
type_transition devicekit_power_t mail_spool_t : file quota_db_t;
type_transition prelink_t mail_spool_t : file quota_db_t;
type_transition sosreport_t mail_spool_t : file quota_db_t;
type_transition nova_ajax_t mail_spool_t : file quota_db_t;
type_transition unconfined_t mail_spool_t : file quota_db_t;
type_transition dirsrvadmin_unconfined_script_t mail_spool_t : file quota_db_t;
type_transition mdadm_t mail_spool_t : file quota_db_t;
type_transition firstboot_t mail_spool_t : file quota_db_t;
type_transition livecd_t mail_spool_t : file quota_db_t;
type_transition inetd_t mail_spool_t : file quota_db_t;
type_transition xserver_t mail_spool_t : file quota_db_t;
type_transition quota_t mail_spool_t : file quota_db_t;
type_transition clvmd_t mail_spool_t : file quota_db_t;
type_transition init_t mail_spool_t : file quota_db_t;

So it looks like virtually anything which writes to /var/spool/mail would create the file as quota_db_t. Is that correct?
I picked unconfined_mono_t:

# runcon -u system_u -r system_r -t unconfined_mono_t -- touch /var/spool/mail/test_unconfined_mono_t
# ls -ldZ /var/spool/mail /var/spool/mail/test_unconfined_mono_t
drwxrwxr-x. root mail system_u:object_r:mail_spool_t:s0 /var/spool/mail
-rw-r--r--. root root system_u:object_r:quota_db_t:s0 /var/spool/mail/test_unconfined_mono_t
#

When I took selinux-policy-3.10.0-75.fc16.src.rpm and ran rpmbuild -bp on it, grep shows only two occurrences of unconfined_mono_t:

./policy/modules/roles/unconfineduser.te:	unconfined_domain_noaudit(unconfined_mono_t)
./policy/modules/roles/unconfineduser.te:	role system_r types unconfined_mono_t;

Yet, these two occurrences are enough to cause the system_u:system_r:unconfined_mono_t:s0-s0:c0.c1023 process to create a quota_db_t file in /var/spool/mail.
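The sesearch listing and the runcon reproduction above make the same point from two sides: when a shared interface is wrong, every domain that calls it inherits the wrong file creation label, so the symptom is one result type with an implausibly long list of source domains. The following is an added example for this thread, not part of the bug report or of the selinux-policy sources, that turns that observation into a check. It parses lines in the format sesearch printed above (type_transition SRC TGT : CLASS RESULT, optionally followed by a quoted file name for name-based transitions), groups them by the directory type and object class being created in, and flags any result type that is not on an allow-list for that directory. SAMPLE_RULES is a constructed excerpt: the five mail_spool_t rules are copied from the listing above, the final etc_t rule is made up to show a name-based transition that is left alone because etc_t is not in the allow-list.

```python
"""Audit sesearch type_transition output for a creation label that does not
belong in a directory. Added example for this thread, not policy source code.
"""
import re
from collections import defaultdict

TT_RE = re.compile(
    r'^\s*type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?P<res>[^;"\s]+)(?:\s+"(?P<name>[^"]+)")?\s*;'
)

# Constructed excerpt: the ERROR line and the mail_spool_t rules are copied
# from the listing above; the etc_t rule is made up for this example.
SAMPLE_RULES = """\
ERROR: Cannot get avrules: Neverallow rules requested but not available
type_transition fsadm_t mail_spool_t : file quota_db_t;
type_transition crond_t mail_spool_t : file quota_db_t;
type_transition unconfined_mono_t mail_spool_t : file quota_db_t;
type_transition quota_t mail_spool_t : file quota_db_t;
type_transition init_t mail_spool_t : file quota_db_t;
type_transition quota_t etc_t : file quota_db_t "aquota.user";
"""

# Assumption for this example: files created in a mail_spool_t directory
# should themselves be mail_spool_t. Extend per directory type as needed.
ALLOWED_RESULTS = {("mail_spool_t", "file"): {"mail_spool_t"}}


def parse_rules(text):
    """Return one dict (src, tgt, cls, res, name) per type_transition line.

    Anything that is not a type_transition rule (such as the ERROR line
    sesearch printed above) is skipped.
    """
    rules = []
    for line in text.splitlines():
        m = TT_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def creation_summary(rules):
    """{(target_dir_type, class): {result_type: sorted list of source domains}}"""
    summary = defaultdict(lambda: defaultdict(set))
    for r in rules:
        summary[(r["tgt"], r["cls"])][r["res"]].add(r["src"])
    return {key: {res: sorted(srcs) for res, srcs in by_res.items()}
            for key, by_res in summary.items()}


def unexpected(rules, allowed):
    """Flag result types not allowed for a (directory type, class).

    Directories absent from `allowed` are not judged, so the check only
    reports on the spools you have actually written an expectation for.
    """
    findings = []
    for (tgt, cls), by_result in sorted(creation_summary(rules).items()):
        if (tgt, cls) not in allowed:
            continue
        for res, srcs in sorted(by_result.items()):
            if res not in allowed[(tgt, cls)]:
                findings.append({"target": tgt, "class": cls,
                                 "result": res, "sources": srcs})
    return findings


if __name__ == "__main__":
    # With the real policy, feed in: sesearch --all -C | grep type_transition
    for f in unexpected(parse_rules(SAMPLE_RULES), ALLOWED_RESULTS):
        print("%s:%s -> %s from %d domains: %s" % (
            f["target"], f["class"], f["result"], len(f["sources"]),
            ", ".join(f["sources"])))
```

Against the full listing above the same check reports a single finding, quota_db_t in mail_spool_t from several dozen domains, which is the signature of a wrong interface rather than of one misbehaving domain; that is what the fix to mta_spool_filetrans() addressed.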
You GOT it. Nice catch.

commit bb3f364a9b3120f65540120784d535e5ef0e77bf
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 21 12:12:04 2012 +0000

    Fix mta_spool_filetrans() interface
Nice job Miroslav and Jan. It is strange that the interface would generate quota_db_t...
selinux-policy-3.10.0-78.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-78.fc16
Package selinux-policy-3.10.0-78.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-78.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-78.fc16
then log in and leave karma (feedback).
*** Bug 758529 has been marked as a duplicate of this bug. ***
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
I'm still seeing this bug on Fedora 17. I used the kerberos krb5-send-pr program to send a bug report to the MIT kerberos project.

Bug report output:

SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the file /var/spool/mail/stef.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/var/spool/mail/stef default label should be mail_spool_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/spool/mail/stef

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that procmail should be allowed getattr access on the stef file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep procmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:procmail_t:s0
Target Context system_u:object_r:quota_db_t:s0
Target Objects /var/spool/mail/stef [ file ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host (removed)
Source RPM Packages procmail-3.22-29.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-106.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux stef-desktop.thewalter.lan 3.3.0-8.fc17.x86_64 #1 SMP Thu Mar 29 18:18:26 UTC 2012 x86_64 x86_64
Alert Count 2
First Seen 2012-04-05T08:11:11 CEST
Last Seen 2012-04-05T08:11:11 CEST
Local ID a052bd95-7e4b-48fb-87d2-02d39b543014

Raw Audit Messages
type=AVC msg=audit(1333606271.120:329): avc: denied { getattr } for pid=3723 comm="procmail" path="/var/spool/mail/stef" dev="sda1" ino=62189 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:quota_db_t:s0 tclass=file

type=SYSCALL msg=audit(1333606271.120:329): arch=x86_64 syscall=lstat success=no exit=EACCES a0=1462430 a1=7fff17c2aa10 a2=7fff17c2aa10 a3=2e items=0 ppid=3712 pid=3723 auid=4294967295 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=12 fsgid=100 tty=(none) ses=4294967295 comm=procmail exe=/usr/bin/procmail subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: procmail,procmail_t,quota_db_t,file,getattr

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Stef, I think you need to fix the labeling and then it should be ok.

$ restorecon -v /var/spool/mail/stef

and if you get it again, reopen the bug. Thanks.
Yes, that did the trick. Thanks.