Red Hat Bugzilla – Bug 809803
let procmail use fusefs_t files if use_fusefs_home_dirs is on
Last modified: 2012-04-21 23:35:27 EDT
My home folders are mounted using fuse (from a moosefs server). procmail can not deliver to the Maildirs in these home folders, even though use_fusefs_home_dirs --> on From the log: Apr 4 08:19:29 ulmo setroubleshoot: SELinux is preventing /usr/bin/procmail from write access on the directory /home/mailwatch/Maildir. For complete SELinux messages. run sealert -l 7f33ea0d-5e3a-4209-92c9-7e2841cf86cd This is closely related to the similar dovecot report, now fixed - bug 800458. - Mike
We need to see raw AVC msgs. grep procmail /var/log/audit/audit.log
[root@ulmo ~]# audit2allow -a #============= procmail_t ============== #!!!! The source type 'procmail_t' can write to a 'dir' of the following types: # user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t, procmail_log_t allow procmail_t home_root_t:dir write; allow procmail_t usr_t:file execute; type=AVC msg=audit(1333542605.554:2545088): avc: denied { write } for pid=14632 comm="procmail" name="Maildir" dev=dm-1 ino=4464365 scontext=system_u:system_r:procmail_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1333542605.554:2545088): arch=c000003e syscall=83 success=no exit=-13 a0=1626480 a1=1ff a2=ffffffffffffffa0 a3=5d items=0 ppid=14628 pid=14632 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null) I'll attached a more complete log, which will also have some procmail denials related to bug 809813.
Created attachment 575122 [details] procmail selinux denial log
This is strange since the Maildir is labeled home_root_t. Could you run restorecon -R -v /home To see if this changes labeles.
I'm not sure what happened. Anyway, I ran the restorecon, and it shows proper labels now. I'll attach the log in a moment. Here's the summary: [root@ulmo audit]# audit2allow -i mike.log #============= amavis_t ============== allow amavis_t var_yp_t:file { read open }; #============= procmail_t ============== #!!!! The source type 'procmail_t' can write to a 'dir' of the following types: # user_home_dir_t, mail_spool_t, tmp_t, user_home_t, var_log_t allow procmail_t fusefs_t:dir { write remove_name add_name }; #!!!! The source type 'procmail_t' can write to a 'file' of the following types: # mail_spool_t, user_home_t, procmail_tmp_t allow procmail_t fusefs_t:file { write getattr link read create unlink open };
Created attachment 575499 [details] log with correct labelling for fuse filesystem
Daniel: side issue - how do I force an audit.log rotation in a systemd world? "service auditd rotate" no longer works, of course.
I fixed them.
Michael I don't know ask on the audit list.
selinux-policy-3.10.0-82.fc16 in koji seems to fix everything for me. Thanks!
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.