Partitions Mounted by fstab

Arthur Dent selinux.list at troodos.demon.co.uk
Thu Mar 6 10:07:38 UTC 2008 

On Wed, Mar 05, 2008 at 12:02:40PM -0500, Stephen Smalley wrote:
> 
> On Wed, 2008-03-05 at 11:59 -0500, Stephen Smalley wrote:
> > On Wed, 2008-03-05 at 16:12 +0000, Arthur Dent wrote:
> > > On Wed, Mar 05, 2008 at 10:47:15AM -0500, Stephen Smalley wrote:
> > > 
> > 
> > You'll likely need a local policy module then to permit such access
> > in addition to the commands above.
> > Maybe something like this:
> > 
> > # cat mymailbackup.te
> > policy_module(mybackup, 1.0)
> > require {
> > 	# Symbols defined outside of this module.
> > 	type system_crond_t;
> > 	type user_crond_t;
> > 	type mail_spool_t;
> > }
> > 
> > # Mark mail_spool_t as a log file that can be managed by logrotate.
> > logging_log_file(mail_spool_t)
> > # Let system and user cron jobs read it.
> > read_files_pattern(system_crond_t, mail_spool_t, mail_spool_t)
> > read_files_pattern(user_crond_t, mail_spool_t, mail_spool_t)
> > 
> > # make -f /usr/share/selinux/devel/Makefile mybackup.pp
> > # semodule -i mybackup.pp

This is fantastically helpful. Thank you so much! 

> Actually, did you need write access to /mnt/backup from the cron job, or
> only read access?  The above only gives read access.
> 
> Also, on second thought, I suppose that if you are running these as user
> cron jobs, they'll run unconfined_t under the default targeted policy
> and thus not require any additional rules at all.  So you may only need
> the logging_log_file() part.

Well actually the /mnt/backup directory contains 2 subdirs /data and
/mail.
The /mail dir contains the one backup file that procmail writes
to and the archives of that file created by logrotate (until they have
been copied onto a DVD by the cron job - which I guess is just a "read"
access.
The /data dir contains the daily incremental, and weekly full backups
created by tar running under cron (one version run as my user and one
version - for system files - run by root). Here I guess write access is
required, but as you say - running as a cron job.
I am so swamped with avc denial that I can't say for certain, but I
don't *think* I've seen any related to these jobs.

I have therefore implemented your policy with the "read_files" lines
commented out. Unfortunately I have only been able to do it this morning
and the cron job(s) run overnight - so I will wait to see what the
morning brings...

Thanks again.

Now, by far and away the biggest cause of clutter in the logs is errors
caused by the next hop in the procmail processing chain - calling clamav
(using clamd).

Here is a sample (edited to remove the sealert reference):
Mar  6 09:24:06 mydomain setroubleshoot: SELinux is preventing procmail (procmail_t) "search" to ./mnt (mnt_t). 
Mar  6 09:24:07 mydomain setroubleshoot: SELinux is preventing the clamdscan from using potentially mislabeled files (/home/mark/Procmail/pmlog). 
Mar  6 09:24:07 mydomain setroubleshoot: SELinux is preventing the clamdscan from using potentially mislabeled files (./Msgs). 
Mar  6 09:24:07 mydomain setroubleshoot: SELinux is preventing the clamdscan from using potentially mislabeled files (/tmp/clamassassinmsg.gEsPbc3633). 
Mar  6 09:24:07 mydomain setroubleshoot: SELinux is preventing clamdscan (clamscan_t) "write" to clamd.sock (var_run_t). 
Mar  6 09:24:07 mydomain setroubleshoot: SELinux is preventing the clamd (clamd_t) from binding to port 1839.
Mar  6 09:24:07 mydomain setroubleshoot: SELinux is preventing clamdscan (clamscan_t) "create" to <Unknown> (clamscan_t). 
Mar  6 09:24:07 mydomain setroubleshoot: SELinux is preventing clamdscan( clamscan_t) "connect" to <Unknown> (clamscan_t).
Mar  6 09:24:08 mydomain setroubleshoot: SELinux is preventing clamdscan (clamscan_t) "write" to socket (clamscan_t). 
Mar  6 09:24:08 mydomain setroubleshoot: SELinux is preventing the clamdscan from using potentially mislabeled files(/tmp/clamassassinlog.PDbPHf3634). 
Mar  6 09:30:06 mydomain setroubleshoot: SELinux is preventing clamdscan (clamscan_t) "read" to /var/spool/mqueue/dfm269U2u1003678 (mqueue_spool_t).
Mar  6 09:30:06 mydomain setroubleshoot: SELinux is preventing theclamdscan from using potentially mislabeled files (./Msgs). 
Mar  6 09:30:06 mydomain setroubleshoot: SELinux is preventing clamdscan (clamscan_t) "write" to clamd.sock (var_run_t). 
Mar  6 09:30:06 mydomain setroubleshoot: SELinux is preventing the clamd (clamd_t) from binding to port 1508.  

Fetchmail checks for mail every 3 minutes so you can imagine there are
quite a few of those entries in the logs!

Based on what you showed me for procmail I have tried to create a policy
for clamd. However I am not even going to *think* about running it until
you have checked it over!

##########################################
# cat myclamd.te
policy_module(myclamd, 1.0)
require {
        # Symbols defined outside of this module.
        type clamd_t;
        type clamscan_t;
}

# Don't really know what to put here...
allow clamd_t bin_t
###########################################

Or am I re-inventing the wheel? Surely there must be a ready-made clamd
policy?

Thanks again. Your help is greatly appreciated.

Mark



> Stephen Smalley
> National Security Agency
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080306/f6114ebf/attachment.sig>

More information about the fedora-selinux-list mailing list