<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
After some trouble getting the file-system relabelled - which was
eventually solved by Daniel's suggestion to change to a 5.3 preview
release of the policy packages - I now have (only) a couple of
intractable denials.<br>
<br>
One seems to be related to procmail running spamc. The other seems to
be webalizer being denied access to squid logs. Here is some
representative troubleshooter output: <br>
<br>
<div class="moz-text-html" lang="x-unicode">
<table bgcolor="#ffffff">
  <tbody>
    <tr>
      <td>
      <table cellpadding="1" cellspacing="1" width="100%">
        <tbody>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Summary</font></td>
          </tr>
          <tr>
            <td><font color="#000000"> SELinux is preventing spamc
(procmail_t) "execute" to ./spamc (spamc_exec_t). </font></td>
          </tr>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Detailed Description</font></td>
          </tr>
          <tr>
            <td><font color="#000000"><font color="#ff0000">[SELinux is
in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]</font></font>
            <p><font color="#000000"> SELinux denied access requested
by spamc. It is not expected that this access is required by spamc and
this access may signal an intrusion attempt. It is also possible that
the specific version or configuration of the application is causing it
to require additional access. </font></p>
            </td>
          </tr>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Allowing Access</font></td>
          </tr>
          <tr>
            <td><font color="#000000"> Sometimes labeling problems can
cause SELinux denials. You could try to restore the default system file
context for ./spamc, </font>
            <p><font color="#000000"> restorecon -v './spamc' </font></p>
            <p><font color="#000000"> If this does not work, there is
currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see <a
 href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">FAQ</a>
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a <a
 href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">bug report</a>
against this package. </font></p>
            </td>
          </tr>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Additional Information</font></td>
          </tr>
          <tr>
            <td><br>
            </td>
          </tr>
        </tbody>
      </table>
      <table border="0" cellpadding="1" cellspacing="1">
        <tbody>
          <tr>
            <td><font color="#000000">Source Context:  </font></td>
            <td>system_u:system_r:procmail_t</td>
          </tr>
          <tr>
            <td><font color="#000000">Target Context:  </font></td>
            <td>system_u:object_r:spamc_exec_t</td>
          </tr>
          <tr>
            <td><font color="#000000">Target Objects:  </font></td>
            <td>./spamc [ file ]</td>
          </tr>
          <tr>
            <td><font color="#000000">Source:  </font></td>
            <td>spamc</td>
          </tr>
          <tr>
            <td><font color="#000000">Source Path:  </font></td>
            <td>/usr/bin/spamc</td>
          </tr>
          <tr>
            <td><font color="#000000">Port:  </font></td>
            <td>&lt;Unknown&gt;</td>
          </tr>
          <tr>
            <td><font color="#000000">Host:  </font></td>
            <td>C5.aardvark.com.au</td>
          </tr>
          <tr>
            <td><font color="#000000">Source RPM Packages:  </font></td>
            <td>spamassassin-3.2.4-1.el5</td>
          </tr>
          <tr>
            <td><font color="#000000">Target RPM Packages:  </font></td>
            <td><br>
            </td>
          </tr>
          <tr>
            <td><font color="#000000">Policy RPM:  </font></td>
            <td>selinux-policy-2.4.6-203.el5</td>
          </tr>
          <tr>
            <td><font color="#000000">Selinux Enabled:  </font></td>
            <td>True</td>
          </tr>
          <tr>
            <td><font color="#000000">Policy Type:  </font></td>
            <td>targeted</td>
          </tr>
          <tr>
            <td><font color="#000000">MLS Enabled:  </font></td>
            <td>True</td>
          </tr>
          <tr>
            <td><font color="#000000">Enforcing Mode:  </font></td>
            <td>Permissive</td>
          </tr>
          <tr>
            <td><font color="#000000">Plugin Name:  </font></td>
            <td>catchall_file</td>
          </tr>
          <tr>
            <td><font color="#000000">Host Name:  </font></td>
            <td>C5.aardvark.com.au</td>
          </tr>
          <tr>
            <td><font color="#000000">Platform:  </font></td>
            <td>Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue
Dec 16 11:57:43 EST 2008 x86_64 x86_64</td>
          </tr>
          <tr>
            <td><font color="#000000">Alert Count:  </font></td>
            <td>199</td>
          </tr>
          <tr>
            <td><font color="#000000">First Seen:  </font></td>
            <td>Wed Jan 7 21:12:56 2009</td>
          </tr>
          <tr>
            <td><font color="#000000">Last Seen:  </font></td>
            <td>Sat Jan 10 13:50:07 2009</td>
          </tr>
          <tr>
            <td><font color="#000000">Local ID:  </font></td>
            <td>72201679-d161-4d2d-8423-44b1b65a211f</td>
          </tr>
          <tr>
            <td><font color="#000000">Line Numbers:  </font></td>
            <td><br>
            </td>
          </tr>
        </tbody>
      </table>
      <p>Raw Audit Messages:<br>
      <br>
host=C5.aardvark.com.au
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for
pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
      <br>
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005):
avc: denied { execute_no_trans } for pid=16474 comm="procmail"
path="/usr/bin/spamc" dev=dm-0 ino=31336954
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
      <br>
host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005):
avc: denied { read } for pid=16474 comm="procmail"
path="/usr/bin/spamc" dev=dm-0 ino=31336954
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
      <br>
host=C5.aardvark.com.au type=SYSCALL
msg=audit(1231563007.814:8005): arch=c000003e syscall=59 success=yes
exit=0 a0=196772e0 a1=196792a0 a2=196791f0 a3=8 items=0 ppid=16473
pid=16474 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500
egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="spamc"
exe="/usr/bin/spamc" subj=system_u:system_r:procmail_t:s0 key=(null)
      <br>
      </p>
      </td>
    </tr>
  </tbody>
</table>
</div>
<br>
<br>
<br>
<div class="moz-text-html" lang="x-unicode">
<table bgcolor="#ffffff">
  <tbody>
    <tr>
      <td>
      <table cellpadding="1" cellspacing="1" width="100%">
        <tbody>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Summary</font></td>
          </tr>
          <tr>
            <td><font color="#000000"> SELinux is preventing webalizer
(webalizer_t) "search" to ./webalizer (bin_t). </font></td>
          </tr>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Detailed Description</font></td>
          </tr>
          <tr>
            <td><font color="#000000"><font color="#ff0000">[SELinux is
in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]</font></font>
            <p><font color="#000000"> SELinux denied access requested
by webalizer. It is not expected that this access is required by
webalizer and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application
is causing it to require additional access. </font></p>
            </td>
          </tr>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Allowing Access</font></td>
          </tr>
          <tr>
            <td><font color="#000000"> Sometimes labeling problems can
cause SELinux denials. You could try to restore the default system file
context for ./webalizer, </font>
            <p><font color="#000000"> restorecon -v './webalizer' </font></p>
            <p><font color="#000000"> If this does not work, there is
currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see <a
 href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">FAQ</a>
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a <a
 href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">bug report</a>
against this package. </font></p>
            </td>
          </tr>
          <tr bgcolor="#000000">
            <td><font color="#ffffff">Additional Information</font></td>
          </tr>
          <tr>
            <td><br>
            </td>
          </tr>
        </tbody>
      </table>
      <table border="0" cellpadding="1" cellspacing="1">
        <tbody>
          <tr>
            <td><font color="#000000">Source Context:  </font></td>
            <td>root:system_r:webalizer_t:SystemLow-SystemHigh</td>
          </tr>
          <tr>
            <td><font color="#000000">Target Context:  </font></td>
            <td>system_u:object_r:bin_t</td>
          </tr>
          <tr>
            <td><font color="#000000">Target Objects:  </font></td>
            <td>./webalizer [ dir ]</td>
          </tr>
          <tr>
            <td><font color="#000000">Source:  </font></td>
            <td>webalizer</td>
          </tr>
          <tr>
            <td><font color="#000000">Source Path:  </font></td>
            <td>/usr/bin/webalizer</td>
          </tr>
          <tr>
            <td><font color="#000000">Port:  </font></td>
            <td>&lt;Unknown&gt;</td>
          </tr>
          <tr>
            <td><font color="#000000">Host:  </font></td>
            <td>C5.aardvark.com.au</td>
          </tr>
          <tr>
            <td><font color="#000000">Source RPM Packages:  </font></td>
            <td>webalizer-2.01_10-30.1</td>
          </tr>
          <tr>
            <td><font color="#000000">Target RPM Packages:  </font></td>
            <td><br>
            </td>
          </tr>
          <tr>
            <td><font color="#000000">Policy RPM:  </font></td>
            <td>selinux-policy-2.4.6-203.el5</td>
          </tr>
          <tr>
            <td><font color="#000000">Selinux Enabled:  </font></td>
            <td>True</td>
          </tr>
          <tr>
            <td><font color="#000000">Policy Type:  </font></td>
            <td>targeted</td>
          </tr>
          <tr>
            <td><font color="#000000">MLS Enabled:  </font></td>
            <td>True</td>
          </tr>
          <tr>
            <td><font color="#000000">Enforcing Mode:  </font></td>
            <td>Permissive</td>
          </tr>
          <tr>
            <td><font color="#000000">Plugin Name:  </font></td>
            <td>catchall_file</td>
          </tr>
          <tr>
            <td><font color="#000000">Host Name:  </font></td>
            <td>C5.aardvark.com.au</td>
          </tr>
          <tr>
            <td><font color="#000000">Platform:  </font></td>
            <td>Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue
Dec 16 11:57:43 EST 2008 x86_64 x86_64</td>
          </tr>
          <tr>
            <td><font color="#000000">Alert Count:  </font></td>
            <td>119</td>
          </tr>
          <tr>
            <td><font color="#000000">First Seen:  </font></td>
            <td>Wed Jan 7 22:00:02 2009</td>
          </tr>
          <tr>
            <td><font color="#000000">Last Seen:  </font></td>
            <td>Sat Jan 10 14:00:01 2009</td>
          </tr>
          <tr>
            <td><font color="#000000">Local ID:  </font></td>
            <td>fd879861-abb1-4e67-a190-0a721c66dc0e</td>
          </tr>
          <tr>
            <td><font color="#000000">Line Numbers:  </font></td>
            <td><br>
            </td>
          </tr>
        </tbody>
      </table>
      <p>Raw Audit Messages:<br>
      <br>
host=C5.aardvark.com.au
type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for
pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105
scontext=root:system_r:webalizer_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=dir
      <br>
host=C5.aardvark.com.au type=SYSCALL
msg=audit(1231563601.389:8027): arch=c000003e syscall=4 success=no
exit=-2 a0=4171ee a1=7fff7d310db0 a2=7fff7d310db0 a3=21000 items=0
ppid=16509 pid=16510 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=730 comm="webalizer"
exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023
key=(null)
      <br>
      </p>
      </td>
    </tr>
  </tbody>
</table>
<br>
<br>
I didn't think I was doing anything unusual here - so I am surprised
these aren't covered by standard policy. Am I doing something strange -
and if so - do I need to write my own local policy? Is there a more
standard way to run spamc and/or webalizer which will prevent these
denials?<br>
<br>
Thanks<br>
<br>
Richard.<br>
<br>
</div>
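<br>
The AVC records from the two reports above, reduced to one line per (source type, target type, class) so the denied permissions can be reviewed before any local policy module is written. This is an added example, not part of the original post and not the audit2allow tool; the function names are hypothetical and SAMPLE_LOG is constructed from the audit records quoted in the post.<br>

```python
import re
from collections import defaultdict

# Constructed sample: audit records copied from the post above, each joined
# onto one line. One duplicate and one SYSCALL record are kept on purpose.
SAMPLE_LOG = """\
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1231563601.389:8027): arch=c000003e syscall=4 success=no exit=-2 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source type, target type, class, [perms]) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    try:
        # A context is user:role:type[:level]; the type is the third field.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], m.group(1).split()
    except (KeyError, IndexError):
        return None

def summarise(log_text):
    """Merge repeated denials: {(src, tgt, class): sorted list of denied perms}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            src, tgt, tclass, perms = rec
            rules[(src, tgt, tclass)].update(perms)
    return {key: sorted(perms) for key, perms in rules.items()}

def as_allow_rules(summary):
    """Render the summary in allow-rule syntax, for review only."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarise(SAMPLE_LOG))))
```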
</body>
</html>