Logrotate on mounted partition

Arthur Dent misc.lists at blueyonder.co.uk
Tue Aug 18 09:12:16 UTC 2009


On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> I have a procmail recipe which writes a copy of every mail I receive
> (just because I'm paranoid it doesn't mean they aren't out to get me!)
> to a backup area on my /dev/sda9 partition, mounted as
> /mnt/backup/ by fstab. (It is an ext3 partition).
> 
> Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> prevent the hundreds of avcs by suggesting the following:
> 
> semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> restorecon -v -R /mnt/backup
> 
> This worked perfectly. It also held true throughout my time with F9. I
> have now upgraded to F11 (I skipped F10) and it still kind of works. I
> get an avc when logrotate tries to access these files.
> 
> The strange thing is this didn't happen under F8 or F9.
> 
> Is there an elegant solution to this problem or should I write a policy
> module?
> 
> This is what audit2allow proposes:
> 
> module rawmail 1.0;
> 
> require {
> 	type mail_spool_t;
> 	type logrotate_t;
> 	class file getattr;
> }
> 
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file getattr;
> 
> 
> The full avc is below.
> 
> Many thanks for all your help....
> 
> Mark

Just to add to my own mail...

I employed the above policy module and everything seemed OK, so (as this
seemed to be the last of the problems since upgrading) I switched to
enforcing mode.

Since doing so I have received no AVCs but I am finding these in my
maillog:

procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
procmail: Error while writing to "/mnt/backup/mail/rawmail"

Temporarily switching back with setenforce 0 stops them, so it is SELinux
related...


Also, I get these dovecot messages (although I haven't investigated
fully if they are SELinux related...):
**Unmatched Entries**
    dovecot: IMAP(wife): fchown() failed with
file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
permitted: 1 Time(s)
    dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
permitted: 1 Time(s)
    dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
permitted: 1 Time(s)
    dovecot: IMAP(son): fchown() failed with
file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
permitted: 3 Time(s)

But still no AVCs.

Any ideas?

Thanks

Mark

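An added example, not from the post above: a small shell script that does by hand what audit2allow does (turn an AVC record into an allow rule, then wrap the rules in module source), compiles and loads the result with the standard checkmodule / semodule_package / semodule sequence, and, for the "failure under enforcing but no AVC" situation described in the post, rebuilds the policy with dontaudit rules disabled (semodule -DB) so suppressed denials show up in ausearch. The AVC record in the script is constructed to match the rule shown in the post (logrotate_t on mail_spool_t:file getattr); it is not the poster's real record, which is not on this page. The module name rawmail is taken from the post; the function names are the example's own. The SELinux commands are real but run only when the tools are installed and only when explicitly requested (as root); the parsing runs anywhere.

```shell
#!/bin/sh
# Added example (not the list poster's code). Mirrors audit2allow so the .te
# can be read before it is loaded, and shows how to surface denials that a
# dontaudit rule is hiding. Usage:
#   sh selinux_rawmail.sh          # print the generated module source
#   sh selinux_rawmail.sh build    # write rawmail.te, compile and load it (root)
#   sh selinux_rawmail.sh reveal   # disable dontaudit, reproduce, show AVCs (root)

# Constructed sample record, shaped like the denial the post's module fixes.
# It is NOT the poster's actual AVC (that record is not on the page).
SAMPLE_AVC='type=AVC msg=audit(1250586736.123:45): avc:  denied  { getattr } for  pid=1234 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=12 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file'

# avc_to_allow: AVC records on stdin -> one "allow SRC TGT:CLASS PERMS;" per record.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0;   sub(/.*scontext=/, "", src);       sub(/ .*/, "", src)
        tgt = $0;   sub(/.*tcontext=/, "", tgt);       sub(/ .*/, "", tgt)
        cls = $0;   sub(/.*tclass=/, "", cls);         sub(/ .*/, "", cls)
        split(src, s, ":"); split(tgt, t, ":")         # user:role:type:level
        if (index(perms, " ")) perms = "{ " perms " }" # several permissions
        printf "allow %s %s:%s %s;\n", s[3], t[3], cls, perms
    }'
}

# rules_to_te NAME: allow rules on stdin -> module source with the require
# block that audit2allow -M generates (types and per-class permission sets).
rules_to_te() {
    awk -v name="$1" '
    {
        rule = $0; sub(/;[ \t]*$/, "", rule)
        nf = split(rule, f, " ")            # allow SRC TGT:CLASS PERM | { PERMS }
        split(f[3], tc, ":")                # tc[1]=target type, tc[2]=class
        if (!(f[2] in seen))  { seen[f[2]] = 1;  types[++nt] = f[2] }
        if (!(tc[1] in seen)) { seen[tc[1]] = 1; types[++nt] = tc[1] }
        if (!(tc[2] in cseen)) { cseen[tc[2]] = 1; classes[++nc] = tc[2] }
        for (i = 4; i <= nf; i++)
            if (f[i] != "{" && f[i] != "}" && !((tc[2], f[i]) in pseen)) {
                pseen[tc[2], f[i]] = 1; perms[tc[2]] = perms[tc[2]] " " f[i]
            }
        rules[++nr] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) {
            p = substr(perms[classes[i]], 2)          # drop leading space
            if (index(p, " ")) p = "{ " p " }"
            printf "\tclass %s %s;\n", classes[i], p
        }
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# build_module NAME: compile NAME.te and load it (needs root; skipped if the
# policy tools are not installed).
build_module() {
    command -v checkmodule >/dev/null 2>&1 || { echo "policy tools not installed; not loading" >&2; return 0; }
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# reveal_hidden_denials: a failure in enforcing mode with no AVC logged usually
# means a dontaudit rule is suppressing the record. Rebuild the policy with
# dontaudit disabled, reproduce the failure, read the log, then restore it.
reveal_hidden_denials() {
    command -v semodule >/dev/null 2>&1 || return 0
    semodule -DB                       # rebuild with dontaudit rules disabled
    echo "reproduce the failure now (e.g. deliver a mail), then press Enter" >&2
    read dummy
    ausearch -m avc -ts recent         # the suppressed denials appear here
    semodule -B                        # rebuild with dontaudit rules restored
}

case "${1:-}" in
    build)  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | rules_to_te rawmail > rawmail.te &&
            build_module rawmail ;;
    reveal) reveal_hidden_denials ;;
    *)      printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | rules_to_te rawmail ;;
esac
```

On a live system the rule-generation step is normally just `ausearch -m avc -ts recent | audit2allow -M rawmail`; the hand-rolled version here exists so the mapping from the AVC fields (scontext type, tcontext type, tclass, the braced permission set) to the allow rule is visible. The point of reveal_hidden_denials is the post's second symptom: procmail lock failures and dovecot fchown errors that go away with setenforce 0 but produce no AVC are exactly what dontaudit rules look like from the outside, and `semodule -DB` is the supported way to see them before deciding whether a local module is the right fix.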