Bug 809803 - let procmail use fusefs_t files if use_fusefs_home_dirs is on
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2012-04-04 08:32 EDT by Michael J. Chudobiak
Modified: 2012-04-21 23:35 EDT (History)

Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-21 23:35:27 EDT
Type: Bug

Attachments
procmail selinux denial log (12.46 KB, text/plain)
2012-04-04 09:00 EDT, Michael J. Chudobiak
log with correct labelling for fuse filesystem (24.20 KB, text/x-log)
2012-04-05 13:05 EDT, Michael J. Chudobiak

Description Michael J. Chudobiak 2012-04-04 08:32:43 EDT
My home folders are mounted using fuse (from a moosefs server).

procmail can not deliver to the Maildirs in these home folders, even though 
use_fusefs_home_dirs --> on

From the log:

Apr  4 08:19:29 ulmo setroubleshoot: SELinux is preventing /usr/bin/procmail from write access on the directory /home/mailwatch/Maildir. For complete SELinux messages. run sealert -l 7f33ea0d-5e3a-4209-92c9-7e2841cf86cd

This is closely related to the similar dovecot report, now fixed - bug 800458.

- Mike
Comment 1 Miroslav Grepl 2012-04-04 08:49:08 EDT
We need to see raw AVC msgs.

grep procmail /var/log/audit/audit.log
Comment 2 Michael J. Chudobiak 2012-04-04 08:59:16 EDT
[root@ulmo ~]# audit2allow -a
#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t, procmail_log_t

allow procmail_t home_root_t:dir write;
allow procmail_t usr_t:file execute;

type=AVC msg=audit(1333542605.554:2545088): avc:  denied  { write } for  pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1333542605.554:2545088): arch=c000003e syscall=83 success=no exit=-13 a0=1626480 a1=1ff a2=ffffffffffffffa0 a3=5d items=0 ppid=14628 pid=14632 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)

I'll attach a more complete log, which will also have some procmail denials related to bug 809813.
Comment 3 Michael J. Chudobiak 2012-04-04 09:00:16 EDT
Created attachment 575122 [details]
procmail selinux denial log
Comment 4 Daniel Walsh 2012-04-05 12:13:50 EDT
This is strange since the Maildir is labeled home_root_t. Could you run

restorecon -R -v /home

to see if this changes labels.
Comment 5 Michael J. Chudobiak 2012-04-05 13:04:34 EDT
I'm not sure what happened. Anyway, I ran the restorecon, and it shows proper labels now. I'll attach the log in a moment. Here's the summary:

[root@ulmo audit]# audit2allow -i mike.log 

#============= amavis_t ==============
allow amavis_t var_yp_t:file { read open };

#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t

allow procmail_t fusefs_t:dir { write remove_name add_name };
#!!!! The source type 'procmail_t' can write to a 'file' of the following types:
# mail_spool_t, user_home_t, procmail_tmp_t

allow procmail_t fusefs_t:file { write getattr link read create unlink open };
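The two audit2allow summaries above (comment 2 before restorecon, comment 5 after) show why Miroslav asked for raw AVC records: the target type in each denial decides whether you are looking at a policy gap or at mislabeled files. The following script is an added example written for this page, not code from the bug report or from the selinux-policy package. It parses raw AVC lines, collapses them the way audit2allow does, and applies a triage heuristic that is my own assumption for illustration: a fusefs_t target is the access the fix needs to grant, while home_root_t on an entry inside a home tree (the label of /home itself, as in the first report) is a sign that labels drifted and restorecon should run first. The sample log is constructed; its first AVC line is the one quoted in comment 2, the rest are made up on the same pattern.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt. The first AVC record is the one quoted
# in comment 2 of the bug; the fusefs_t records are invented to stand in for
# the post-restorecon denials summarized in comment 5. The SYSCALL record is
# there to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1333542605.554:2545088): avc:  denied  { write } for  pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1333542605.554:2545088): arch=c000003e syscall=83 success=no exit=-13 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1333650000.001:10): avc:  denied  { write add_name } for  pid=20001 comm="procmail" name="new" dev=fuse ino=17 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1333650000.002:11): avc:  denied  { create open write } for  pid=20001 comm="procmail" name="1333650000.M1P20001.ulmo" dev=fuse ino=18 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
"""

# One AVC denial per line: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\b.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """The third field of user:role:type[:range] is the SELinux type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC denial; SYSCALL and other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": set(m["perms"].split()),
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
        })
    return records


def summarize(records):
    """Collapse denials the way audit2allow does: (source, target, class) -> permissions."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def allow_rules(rules):
    """Render the summary as allow rules (a single permission is unbraced, as audit2allow prints it)."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {s} {t}:{c} {p};" if len(perms) == 1 else f"allow {s} {t}:{c} {{ {p} }};")
    return out


def triage(rules):
    """Say, per rule, whether the denial points at missing policy or at a labeling problem.

    This heuristic is an assumption made for this example, not something
    audit2allow does. A fusefs_t target is the real policy gap the bug is about.
    home_root_t is the label of /home itself, so a denial whose target carries it
    while procmail is delivering into a user's Maildir means the labels drifted:
    run restorecon first, because an allow rule for home_root_t would only paper
    over the mislabel and widen what procmail may write to.
    """
    verdicts = {}
    for key in rules:
        _, ttype, _ = key
        if ttype == "fusefs_t":
            verdicts[key] = "policy gap: grant fusefs_t access, gated on use_fusefs_home_dirs"
        elif ttype == "home_root_t":
            verdicts[key] = "mislabel: run restorecon -R -v /home and re-check before writing policy"
        else:
            verdicts[key] = "review: unexpected target type for a mail delivery path"
    return verdicts


if __name__ == "__main__":
    summary = summarize(parse_avcs(SAMPLE_AUDIT_LOG))
    verdicts = triage(summary)
    for rule, key in zip(allow_rules(summary), sorted(summary)):
        print(f"{rule}    # {verdicts[key]}")
```

Feed it the real thing with `grep procmail /var/log/audit/audit.log`; the point of keeping the raw records rather than the audit2allow summary is that the tcontext is what tells you whether `restorecon` or a policy change is the right response.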
Comment 6 Michael J. Chudobiak 2012-04-05 13:05:29 EDT
Created attachment 575499 [details]
log with correct labelling for fuse filesystem
Comment 7 Michael J. Chudobiak 2012-04-05 13:13:42 EDT
Daniel: side issue - how do I force an audit.log rotation in a systemd world?

"service auditd rotate" no longer works, of course.
Comment 8 Miroslav Grepl 2012-04-06 02:21:03 EDT
I fixed them.
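The fix itself landed in the selinux-policy package and is not quoted on this page. As an added illustration, not the Fedora commit, this is what a local policy module granting the same access looks like for anyone who needs it before the updated package arrives. It assumes the refpolicy interfaces fs_manage_fusefs_dirs and fs_manage_fusefs_files (check /usr/share/selinux/devel/include/kernel/filesystem.if on your system if the build complains) and gates the access on the existing use_fusefs_home_dirs boolean, which is the behaviour the bug title asks for. The module name is my own choice.

```selinux
policy_module(procmail_fusefs_local, 1.0)

gen_require(`
	type procmail_t;
	bool use_fusefs_home_dirs;
')

# Only when the administrator has turned on use_fusefs_home_dirs does procmail
# get to create, write and unlink directories and files labeled fusefs_t, i.e.
# Maildirs living on FUSE-mounted home directories. With the boolean off the
# rules are inert and procmail keeps its usual home_dir/mail_spool access only.
tunable_policy(`use_fusefs_home_dirs',`
	fs_manage_fusefs_dirs(procmail_t)
	fs_manage_fusefs_files(procmail_t)
')
```

Build and load it with selinux-policy-devel installed: `make -f /usr/share/selinux/devel/Makefile procmail_fusefs_local.pp` followed by `semodule -i procmail_fusefs_local.pp`, and make sure the boolean is actually set with `setsebool -P use_fusefs_home_dirs on`. Once selinux-policy-3.10.0-84.fc16 or later is installed the module is redundant; remove it with `semodule -r procmail_fusefs_local` so the distribution policy is the only thing granting the access.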
Comment 9 Daniel Walsh 2012-04-09 15:43:30 EDT
Michael, I don't know; ask on the audit list.
Comment 10 Michael J. Chudobiak 2012-04-13 11:14:06 EDT
selinux-policy-3.10.0-82.fc16 in koji seems to fix everything for me. Thanks!
Comment 11 Fedora Update System 2012-04-18 08:53:18 EDT
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
Comment 12 Fedora Update System 2012-04-21 23:35:27 EDT
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
