Fedora 8 odds and sods

Paul Howarth paul at city-fan.org
Tue Feb 5 23:28:24 UTC 2008


On Thu, 17 Jan 2008 12:51:33 -0500
Daniel J Walsh <dwalsh at redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Paul Howarth wrote:
> > Today I've done a bit of a clean-up of the local policy modules
> > I've had in use over the last couple of Fedora releases, removing
> > bits that are no longer needed and consolidating the remaining ones
> > into a single "localmisc" module. The results of this is:
> > 
> > policy_module(localmisc, 0.1.34)
> > 
> > require {
> >         attribute mailserver_delivery;
> >         type depmod_t;
> >         type httpd_t;
> >         type load_policy_t;
> >         type procmail_t;
> >         type procmail_tmp_t;
> >         type pptp_t;
> >         type restorecon_t;
> >         type sendmail_t;
> >         type setfiles_t;
> >         type soundd_port_t;
> >         type squid_t;
> >         type useradd_t;
> >         type var_t;
> > };
> > 
> > # ========================================
> > # Things that probably need to go upstream
> > # ========================================
> > 
> > # Milter sockets, why did this work before?
> > #allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
> > init_stream_connect_script(mailserver_delivery)
> > init_rw_script_stream_sockets(mailserver_delivery)
> > 
> Already added.
> > # Allow misc command output to be sent to a pipe, needed for rpm scriptlets
> > # Probably not needed since Fedora 8
> > #unconfined_rw_pipes(depmod_t)
> > #unconfined_rw_pipes(load_policy_t)
> > #unconfined_rw_pipes(setfiles_t)
> > #unconfined_rw_pipes(useradd_t)
> > 
> > # Allow pptp to manage its own processes
> > allow pptp_t self:process signal;
> > 
> Added.
> > # Allow sendmail to read procmail tempfiles for forwarding
> > # (would need a new interface in procmail.if to do this properly)
> > allow sendmail_t procmail_tmp_t:file { read write getattr ioctl };
> > 
> Added

Policy now has procmail_read_tmp_files(sendmail_t) but this doesn't
allow write access by sendmail. Sendmail needs to write into
procmail_tmp_t when a procmail recipe pipes a message into a filter and
that filter creates a temp file, I believe.

I'm getting the AVCs anyway:
type=AVC msg=audit(1202162399.034:320138): avc:  denied  { write } for  pid=16452 comm="sendmail" path="/tmp/choplist.16383" dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1202162399.034:320138): arch=40000003 syscall=11 success=yes exit=0 a0=bf8febff a1=84ffe44 a2=bf8fe3a4 a3=84ffe44 items=0 ppid=16384 pid=16452 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1202162401.083:320139): avc:  denied  { write } for  pid=16453 comm="sendmail" path=2F746D702F63686F706C6973742E3136333833202864656C6574656429 dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file

Paul.
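An added example, not part of Paul's message or of the Fedora policy: a small Python script that parses AVC records like the ones above, decodes the hex-encoded path in the second denial (audit hex-encodes a field when it contains a space, quote or control character, which is why the "(deleted)" variant shows up as a hex string; `ausearch -i` would do the same decoding), ties a denial to its SYSCALL record by audit serial number, and collapses the denials into the allow rule audit2allow would emit. The sample log is the three records from the message, one record per line; `HEX_FIELDS` and all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records and the SYSCALL record quoted in the
# message above, one audit record per line (the mail client had wrapped them).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1202162399.034:320138): avc:  denied  { write } for  pid=16452 comm="sendmail" path="/tmp/choplist.16383" dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1202162399.034:320138): arch=40000003 syscall=11 success=yes exit=0 a0=bf8febff a1=84ffe44 a2=bf8fe3a4 a3=84ffe44 items=0 ppid=16384 pid=16452 auid=0 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1202162401.083:320139): avc:  denied  { write } for  pid=16453 comm="sendmail" path=2F746D702F63686F706C6973742E3136333833202864656C6574656429 dev=dm-1 ino=13 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields the audit subsystem hex-encodes when the value contains a space, a
# double quote or a control character (assumption: the usual suspects only).
HEX_FIELDS = {'path', 'comm', 'exe', 'name'}


def decode_field(value):
    """Strip quotes from a quoted value; decode an unquoted hex-encoded one."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if re.fullmatch(r'[0-9A-Fa-f]+', value) and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value).decode('utf-8')
        except ValueError:
            pass
    return value


def _fields(text):
    """key=value pairs of one record, hex-decoding only the fields that audit encodes."""
    return {k: (decode_field(v) if k in HEX_FIELDS else v.strip('"'))
            for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Parse one AVC record; returns None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {'timestamp': float(m['ts']), 'serial': int(m['serial']),
           'verdict': m['verdict'], 'perms': set(m['perms'].split())}
    rec.update(_fields(m['rest']))
    return rec


def syscall_records(lines):
    """Map audit serial -> fields of the SYSCALL record, so a denial can be tied to exe/uid."""
    out = {}
    for line in lines:
        m = SYSCALL_RE.match(line)
        if m:
            out[int(m['serial'])] = _fields(m['rest'])
    return out


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(':')[2]


def audit2allow(lines):
    """Collapse denials into audit2allow-style rules keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied':
            key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
            rules[key] |= rec['perms']
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())


if __name__ == '__main__':
    lines = SAMPLE_AUDIT_LOG.splitlines()
    syscalls = syscall_records(lines)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            sc = syscalls.get(rec['serial'], {})
            print(f"serial {rec['serial']}: {rec['comm']} ({sc.get('exe', '?')}) "
                  f"denied {sorted(rec['perms'])} on {rec['path']!r} [{rec['tclass']}]")
    print('\n'.join(audit2allow(lines)))
```

The generated rule is exactly the raw denial, `allow sendmail_t procmail_tmp_t:file { write };`, which is the piece `procmail_read_tmp_files()` does not grant; whether that belongs in a local module such as localmisc or in a new procmail.if interface is the judgment call the thread is about, and a rule produced this way should always be checked against the interface that already covers the read side rather than pasted in wholesale.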




More information about the fedora-selinux-list mailing list