Logrotate on mounted partition

Arthur Dent misc.lists at blueyonder.co.uk
Sat Aug 15 10:50:53 UTC 2009


I have a procmail recipe which writes a copy of every mail I receive
(just because I'm paranoid it doesn't mean they aren't out to get me!)
to a backup area on my /dev/sda9 partition, mounted as
/mnt/backup/ by fstab. (It is an ext3 partition).

Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
prevent the hundreds of AVCs by suggesting the following:

semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
restorecon -v -R /mnt/backup

This worked perfectly. It also held true throughout my time with F9. I
have now upgraded to F11 (I skipped F10) and it still kind of works. I
get an AVC when logrotate tries to access these files.

The strange thing is this didn't happen under F8 or F9.

Is there an elegant solution to this problem or should I write a policy
module?

This is what audit2allow proposes:

module rawmail 1.0;

require {
	type mail_spool_t;
	type logrotate_t;
	class file getattr;
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;


The full AVC is below.

Many thanks for all your help....

Mark



Summary
SELinux is preventing logrotate (logrotate_t) "getattr" mail_spool_t.

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]

SELinux denied access requested by logrotate. It is not expected that
this access is required by logrotate and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or
you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information

Source Context:        system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context:        system_u:object_r:mail_spool_t:s0
Target Objects:        /mnt/backup/mail/rawmail [ file ]
Source:                logrotate
Source Path:           /usr/sbin/logrotate
Port:                  <Unknown>
Host:                  troodos.org.uk
Source RPM Packages:   logrotate-3.7.8-2.fc11
Target RPM Packages:
Policy RPM:            selinux-policy-3.6.12-72.fc11
Selinux Enabled:       True
Policy Type:           targeted
MLS Enabled:           True
Enforcing Mode:        Permissive
Plugin Name:           catchall
Host Name:             mydomain
Platform:              Linux mydomain 2.6.29.6-217.2.3.fc11.i686.PAE #1 SMP Wed Jul 29 16:05:22 EDT 2009 i686 i686
Alert Count:           3
First Seen:            Thu Aug 13 03:45:40 2009
Last Seen:             Sat Aug 15 03:26:41 2009
Local ID:              3a8c20b3-ff25-43ea-8214-bd926c28215b
Line Numbers:


Raw Audit Messages :

node=mydomain type=AVC msg=audit(1250303201.472:2436): avc: denied
{ getattr } for pid=15100 comm="logrotate"
path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mail_spool_t:s0 tclass=file 
node=troodos.org.uk type=SYSCALL msg=audit(1250303201.472:2436):
arch=40000003 syscall=196 success=yes exit=0 a0=8a7d598 a1=bfe1faa4
a2=77cff4 a3=1 items=0 ppid=15098 pid=15100 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=513 comm="logrotate"
exe="/usr/sbin/logrotate"
subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
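
The audit2allow step in the post, as an added example that is not part of the original message or of the audit2allow tool itself: a small Python translator that parses AVC "denied" records in the raw format shown above, merges the requested permissions per (source type, target type, class), and emits a .te module in the same layout as the rawmail module. The sample audit text is constructed: the first AVC/SYSCALL pair is the post's own record re-joined onto single lines, while the second pair (a "read open" denial with serial 2437 and success=no) is invented to show how permissions merge and how an enforcing-mode denial differs from a permissive-mode one. It also carries the check a practitioner wants before trusting such a module: a denied AVC whose paired SYSCALL record reports success=yes is a permissive-mode record, which is exactly why setroubleshoot says the operation "would have been denied".

```python
"""Minimal audit2allow-style translator for raw AVC records (added example)."""
import re
from collections import defaultdict

# Constructed sample input. Lines 1-2 are the post's own AVC/SYSCALL pair
# re-joined onto single lines; lines 3-4 are invented to show perm merging
# and an enforcing-mode (success=no) outcome beside the permissive one.
SAMPLE_AUDIT = (
    'node=mydomain type=AVC msg=audit(1250303201.472:2436): avc: denied '
    '{ getattr } for pid=15100 comm="logrotate" path="/mnt/backup/mail/rawmail" '
    'dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file\n'
    'node=mydomain type=SYSCALL msg=audit(1250303201.472:2436): arch=40000003 '
    'syscall=196 success=yes exit=0 pid=15100 comm="logrotate" '
    'exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023\n'
    # constructed, not from the post:
    'node=mydomain type=AVC msg=audit(1250303201.473:2437): avc: denied '
    '{ read open } for pid=15100 comm="logrotate" path="/mnt/backup/mail/rawmail" '
    'dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file\n'
    'node=mydomain type=SYSCALL msg=audit(1250303201.473:2437): arch=40000003 '
    'syscall=5 success=no exit=-13 pid=15100 comm="logrotate" '
    'exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023\n'
)

# The kernel prints "avc:  denied  { perms }" with double spaces; \s+ covers both.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)'
)


def context_type(ctx):
    """user:role:type[:range] -> type (e.g. logrotate_t)."""
    return ctx.split(':')[2]


def parse_denials(text):
    """One dict per AVC 'denied' record: serial, source/target type, class, perms."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append({
                'serial': int(m.group('serial')),
                'stype': context_type(m.group('scontext')),
                'ttype': context_type(m.group('tcontext')),
                'tclass': m.group('tclass'),
                'perms': frozenset(m.group('perms').split()),
            })
    return out


def syscall_outcomes(text):
    """serial -> True if the syscall succeeded despite the AVC (permissive mode)."""
    out = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            out[int(m.group('serial'))] = m.group('success') == 'yes'
    return out


def permissive_serials(text):
    """Serials whose AVC says 'denied' but whose SYSCALL record says success=yes."""
    ok = syscall_outcomes(text)
    return sorted({d['serial'] for d in parse_denials(text) if ok.get(d['serial'])})


def generate_te(denials, name, version='1.0'):
    """Emit a .te module in audit2allow's layout, merging perms per (stype, ttype, class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c].update(perms)

    def plist(perms):
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {plist(p)};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    last = None
    for (s, t, c), perms in sorted(rules.items()):
        if s != last:
            lines.append(f'#============= {s} ==============')
            last = s
        lines.append(f'allow {s} {t}:{c} {plist(perms)};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    denials = parse_denials(SAMPLE_AUDIT)
    print(generate_te(denials, 'rawmail'))
    print('# permissive-mode records (would have been denied):', permissive_serials(SAMPLE_AUDIT))
```

Fed only the post's own record, generate_te reproduces the rawmail module shown above rule for rule; fed both sample records it collapses them into a single `allow logrotate_t mail_spool_t:file { getattr open read };`. Turning the .te into a loadable module uses the standard toolchain (checkmodule -M -m -o rawmail.mod rawmail.te; semodule_package -o rawmail.pp -m rawmail.mod; semodule -i rawmail.pp), and a module that grants only getattr on one type is a narrow rule rather than a blanket exemption.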

