Bug 809803 - let procmail use fusefs_t files if use_fusefs_home_dirs is on
Summary: let procmail use fusefs_t files if use_fusefs_home_dirs is on
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2012-04-04 12:32 UTC by Michael J. Chudobiak
Modified: 2012-04-22 03:35 UTC

Fixed In Version: selinux-policy-3.10.0-84.fc16
Last Closed: 2012-04-22 03:35:27 UTC
Type: Bug


Attachments
procmail selinux denial log (12.46 KB, text/plain)
2012-04-04 13:00 UTC, Michael J. Chudobiak
log with correct labelling for fuse filesystem (24.20 KB, text/x-log)
2012-04-05 17:05 UTC, Michael J. Chudobiak

Description Michael J. Chudobiak 2012-04-04 12:32:43 UTC
My home folders are mounted using fuse (from a moosefs server).

procmail can not deliver to the Maildirs in these home folders, even though 
use_fusefs_home_dirs --> on

From the log:

Apr  4 08:19:29 ulmo setroubleshoot: SELinux is preventing /usr/bin/procmail from write access on the directory /home/mailwatch/Maildir. For complete SELinux messages. run sealert -l 7f33ea0d-5e3a-4209-92c9-7e2841cf86cd

This is closely related to the similar dovecot report, now fixed - bug 800458.

- Mike

Comment 1 Miroslav Grepl 2012-04-04 12:49:08 UTC
We need to see raw AVC msgs.

grep procmail /var/log/audit/audit.log

Comment 2 Michael J. Chudobiak 2012-04-04 12:59:16 UTC
[root@ulmo ~]# audit2allow -a
#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t, procmail_log_t

allow procmail_t home_root_t:dir write;
allow procmail_t usr_t:file execute;


type=AVC msg=audit(1333542605.554:2545088): avc:  denied  { write } for  pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1333542605.554:2545088): arch=c000003e syscall=83 success=no exit=-13 a0=1626480 a1=1ff a2=ffffffffffffffa0 a3=5d items=0 ppid=14628 pid=14632 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)

I'll attach a more complete log, which will also have some procmail denials related to bug 809813.

Comment 3 Michael J. Chudobiak 2012-04-04 13:00:16 UTC
Created attachment 575122
procmail selinux denial log

Comment 4 Daniel Walsh 2012-04-05 16:13:50 UTC
This is strange since the Maildir is labeled home_root_t.  Could you run 

restorecon -R -v /home

to see if this changes labels.

Comment 5 Michael J. Chudobiak 2012-04-05 17:04:34 UTC
I'm not sure what happened. Anyway, I ran the restorecon, and it shows proper labels now. I'll attach the log in a moment. Here's the summary:

[root@ulmo audit]# audit2allow -i mike.log 

#============= amavis_t ==============
allow amavis_t var_yp_t:file { read open };

#============= procmail_t ==============
#!!!! The source type 'procmail_t' can write to a 'dir' of the following types:
# user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t

allow procmail_t fusefs_t:dir { write remove_name add_name };
#!!!! The source type 'procmail_t' can write to a 'file' of the following types:
# mail_spool_t, user_home_t, procmail_tmp_t

allow procmail_t fusefs_t:file { write getattr link read create unlink open };
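
An added example, not part of the bug report and not audit2allow's own code: a Python triage of raw AVC lines that groups denied permissions by source type, target type and class, and holds back any rule whose target label looks wrong, the situation comment 4 spotted. The `SUSPECT_TARGETS` set and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Assumption for this example: a home_root_t target below /home/<user> points
# to a labeling problem (comment 4), not to a missing policy rule.
SUSPECT_TARGETS = {"home_root_t"}

SAMPLE = [
    # First line is the AVC quoted in comment 2; the rest are constructed.
    'type=AVC msg=audit(1333542605.554:2545088): avc:  denied  { write } for  pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1333645000.100:101): avc:  denied  { write } for  pid=2001 comm="procmail" name="new" dev=fuse ino=42 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir',
    'type=AVC msg=audit(1333645000.100:102): avc:  denied  { add_name } for  pid=2001 comm="procmail" name="msg.1" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir',
    'type=AVC msg=audit(1333645000.100:103): avc:  denied  { create } for  pid=2001 comm="procmail" name="msg.1" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1333645000.100:103): arch=c000003e syscall=2 success=no exit=-13 comm="procmail"',
]

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(lines):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # non-AVC records such as SYSCALL are skipped
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def render(rules):
    """Emit allow rules, but only a review comment for suspect target labels."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        if tgt in SUSPECT_TARGETS:
            out.append(f"# {src} -> {tgt}:{cls} {p}: check labels (restorecon) first")
        else:
            out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```
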

Comment 6 Michael J. Chudobiak 2012-04-05 17:05:29 UTC
Created attachment 575499
log with correct labelling for fuse filesystem

Comment 7 Michael J. Chudobiak 2012-04-05 17:13:42 UTC
Daniel: side issue - how do I force an audit.log rotation in a systemd world?

"service auditd rotate" no longer works, of course.

Comment 8 Miroslav Grepl 2012-04-06 06:21:03 UTC
I fixed them.

Comment 9 Daniel Walsh 2012-04-09 19:43:30 UTC
Michael, I don't know; ask on the audit list.

Comment 10 Michael J. Chudobiak 2012-04-13 15:14:06 UTC
selinux-policy-3.10.0-82.fc16 in koji seems to fix everything for me. Thanks!

Comment 11 Fedora Update System 2012-04-18 12:53:18 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 12 Fedora Update System 2012-04-22 03:35:27 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

