Partitions Mounted by fstab

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 5 17:02:40 UTC 2008


On Wed, 2008-03-05 at 11:59 -0500, Stephen Smalley wrote:
> On Wed, 2008-03-05 at 16:12 +0000, Arthur Dent wrote:
> > On Wed, Mar 05, 2008 at 10:47:15AM -0500, Stephen Smalley wrote:
> > 
> > Hi Stephen,
> > 
> > > > 
> > > > As a matter of interest, I have a procmail recipe which writes a copy of every
> > > > mail I receive to a backup area on my /dev/sda8 partition, mounted as
> > > > /mnt/backup/ by fstab. (It is an ext3 partition).
> > > > 
> > > > I have tried doing:
> > > > "restorecon -v -R /mnt/backup"
> > > > and even:
> > > > "fixfiles relabel"
> > > > 
> > > > on this partition, but I gather this will not work. I think that I must
> > > > somehow define a policy for this (and probably other) partition(s), but I am
> > > > unclear as to how to go about this.
> > > 
> > > You might try something like this, assuming that you only store mail
> > > files under /mnt/backup and only procmail requires access:
> > > 
> > > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > > restorecon -v -R /mnt/backup
> > > 
> > Thanks! This is really helpful. 
> > 
> > > If you need other things to be able to access it, then we'll have to
> > > know more to decide how to label it, or you could possibly move it to a
> > > subdir of /mnt/backup like /mnt/backup/spool that can be devoted to
> > > procmail's use.
> > > 
> > 
> > Well, before I try the above commands...
> > 
> > Generally it is only procmail that needs access, however, I have this file
> > "rotated" by logrotate (run as root) on a monthly basis. It is rotated with
> > the "date" extension and that file is archived by a cron job (root) to DVD.
> > 
> > Oh, and I have a daily backup routine that uses "tar" run from a cron job that
> > also includes this directory...
> > 
> > Will those things invalidate your suggested solution?
> 
> You'll likely need a local policy module then to permit such access
> in addition to the commands above.
> Maybe something like this:
> 
> # cat mybackup.te
> policy_module(mybackup, 1.0)
> require {
> 	# Symbols defined outside of this module.
> 	type system_crond_t;
> 	type user_crond_t;
> 	type mail_spool_t;
> }
> 
> # Mark mail_spool_t as a log file that can be managed by logrotate.
> logging_log_file(mail_spool_t)
> # Let system and user cron jobs read it.
> read_files_pattern(system_crond_t, mail_spool_t, mail_spool_t)
> read_files_pattern(user_crond_t, mail_spool_t, mail_spool_t)
> 
> # make -f /usr/share/selinux/devel/Makefile mybackup.pp
> # semodule -i mybackup.pp

Actually, did you need write access to /mnt/backup from the cron job, or
only read access?  The above only gives read access.

Also, on second thought, I suppose that if you are running these as user
cron jobs, they'll run unconfined_t under the default targeted policy
and thus not require any additional rules at all.  So you may only need
the logging_log_file() part.

-- 
Stephen Smalley
National Security Agency
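
An added example, not part of the original message: one way to answer the read-versus-write question above is to summarize the AVC denials recorded against `mail_spool_t` per source domain. The audit lines below are constructed samples in the standard AVC record layout, and the `WRITE_PERMS` grouping is an assumption made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1204736560.101:41): avc:  denied  { read } for  pid=2101 comm="tar" name="mail.bak" dev=sda8 ino=1201 scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1204736560.102:42): avc:  denied  { getattr } for  pid=2101 comm="tar" path="/mnt/backup/mail.bak" dev=sda8 ino=1201 scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1204736561.220:43): avc:  denied  { rename write } for  pid=2140 comm="logrotate" name="mail.bak" dev=sda8 ino=1201 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1204736562.300:44): avc:  denied  { read } for  pid=2150 comm="tar" name="messages" dev=sda1 ino=77 scontext=system_u:system_r:system_crond_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1204736562.300:44): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Assumption: permissions that modify a file or directory; all others count as read-side.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "link", "add_name", "remove_name", "rmdir"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text, target_type="mail_spool_t"):
    """Map each denied source domain to its permissions on target_type."""
    perms_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["tcon"]) != target_type:
            continue  # not an AVC denial, or a denial on some other type
        perms_by_domain[selinux_type(m["scon"])].update(m["perms"].split())
    return {
        dom: {"perms": perms,
              "access": "write" if perms & WRITE_PERMS else "read-only"}
        for dom, perms in perms_by_domain.items()
    }


if __name__ == "__main__":
    for dom, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dom}: {info['access']} ({' '.join(sorted(info['perms']))})")
```

A domain that does not appear in the summary produced no denials on that type in the log it was given.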



