Does SETroubleshoot speak to SEBool?
Arthur Dent
selinux.list at troodos.demon.co.uk
Mon Feb 2 20:52:33 UTC 2009
On Mon, Feb 02, 2009 at 07:27:25PM +0000, Arthur Dent wrote:
> On Mon, Feb 02, 2009 at 01:52:36PM -0500, Daniel J Walsh wrote:
> > Arthur Dent wrote:
> > > On Mon, Feb 02, 2009 at 07:01:16PM +0100, Dominick Grift wrote:
> > > #============= spamd_t ==============
> > > allow spamd_t admin_home_t:dir { read write add_name remove_name };
> > > allow spamd_t admin_home_t:file { write getattr read create unlink ioctl append };
> > This is spamd creating stuff in the /root directory. Not sure if you
> > want to actually allow this. Might want to set up the directory with
> > proper labeling to allow spamd to write there.
> > userdom_read_sysadm_home_content_files(spamd_t)
>
> Hmmm... I was about to say that nothing is run as root WRT spamassassin
> or spamd, but then I looked at the avcs. It seems that razor is the
> offender here:
> avc: denied { getattr } for pid=2200 comm="spamd"
> path="/root/.razor/razor-agent.conf"
>
> (and several others like it)
>
> I don't know if razor can be installed by a non-root user. If not, can I
> (should I?) just do what you suggest below?
>
> >
> > What directory?
>
> Could this be /root/.razor/ ?
>
> > You could set up labeling of
> >
> > # semanage fcontext -a -t spamassassin_home_t '/root/.spamassassin(/.*)?'
> > # restorecon -R -v /root
>
> Does this make the command:
> # semanage fcontext -a -t spamassassin_home_t '/root/.razor(/.*)?'
> # restorecon -R -v /root

OK. Forget this... I poked around my filesystem and found that actually I
*did* have razor in my non-privileged user area. However, strangely, I also
had it in /root. The odd thing is that it seems that for the most part razor
would use the /home/mark/.razor files, but on this occasion (and others
clearly) - on a whim - must have used the /root/.razor files to do its stuff.

I have removed the /root/.razor directory and also removed those items from my
local policy. So far (touching wood here) it seems OK...

Thanks for your help on this...

Mark
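
Added example, not part of the original thread: before turning denials like the one quoted above into allow rules or new fcontext entries, it helps to see which directories the denied process actually touched, since a stray copy such as /root/.razor shows up immediately. The audit records below are constructed for illustration (only `comm="spamd"`, `admin_home_t` and `/root/.razor/razor-agent.conf` come from the thread), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample AVC records, modelled on the single denial quoted in
# the thread. The file names other than razor-agent.conf are made up.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1233600001.101:41): avc:  denied  { getattr } for  pid=2200 comm="spamd" path="/root/.razor/razor-agent.conf" dev=dm-0 ino=1001 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1233600001.102:42): avc:  denied  { append } for  pid=2200 comm="spamd" path="/root/.razor/razor-agent.log" dev=dm-0 ino=1002 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1233600001.103:43): avc:  denied  { add_name } for  pid=2200 comm="spamd" name="razor-agent.log" scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1233600002.201:44): avc:  denied  { read } for  pid=2200 comm="spamd" path="/root/.spamassassin/bayes_toks" dev=dm-0 ino=1003 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print one line per
# (command, target type, directory): "count comm target_type directory",
# most frequent first. Records that carry only name= (no path=), such as
# add_name denials on a directory, are skipped because they do not give a
# full path. Paths containing '|' are not handled.
summarize_avc() {
  sed -n 's/.*avc: *denied.* comm="\([^"]*\)".* path="\([^"]*\)".* tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1|\3|\2/p' |
  awk -F'|' '
    { d = $3; sub("/[^/]*$", "", d)      # drop the file name, keep the directory
      n[$1 " " $2 " " d]++ }
    END { for (k in n) print n[k], k }' |
  sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample. On a real system the input
# would come from the audit log instead.
sample_avc | summarize_avc
```

Each output line names a directory that needs a decision: relabel it with `semanage fcontext` and `restorecon` as suggested in the thread, or remove it if the service should not be using it at all.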