Logrotate on mounted partition

Tue Aug 18 09:42:40 UTC 2009

On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > > I have a procmail recipe which writes a copy of every mail I receive
> > > (just because I'm paranoid it doesn't mean they aren't out to get me!)
> > > to a backup area on my /dev/sda9 partition, mounted as
> > > /mnt/backup/ by fstab. (It is an ext3 partition).
> > > 
> > > Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> > > prevent the hundreds of avcs by suggesting the following:
> > > 
> > > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > > restorecon -v -R /mnt/backup
> > > 
> > > This worked perfectly. It also held true throughout my time with F9. I
> > > have now upgraded to F11 (I skipped F10) and it still kind of works. I
> > > get an avc when logrotate tries to access these files.
> > > 
> > > The strange thing is this didn't happen under F8 or F9.
> > > 
> > > Is there an elegant solution to this problem or should I write a policy
> > > module?
> > > 
> > > This is what audit2allow proposes:
> > > 
> > > module rawmail 1.0;
> > > 
> > > require {
> > > 	type mail_spool_t;
> > > 	type logrotate_t;
> > > 	class file getattr;
> > > }
> > > 
> > > #============= logrotate_t ==============
> > > allow logrotate_t mail_spool_t:file getattr;
> > > 
> > > 
> > > The full avc is below.
> > > 
> > > Many thanks for all your help....
> > > 
> > > Mark
> > 
> > Just to add to my own mail...
> > 
> > I employed the above policy module, everything seemed OK so (as this
> > seemed to be the last of the problems since upgrading) I switched to
> > enforcing mode.
> > 
> > Since doing so I have received no AVCs but I am finding these in my
> > maillog:
> > 
> > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > 
> > Temporarily switching back with setenforce 0 stops them so it is selinux
> > related...
> > 
> > 
> > Also, I get these dovecot messages (although I haven't investigated
> > fully if they are selinux related...
> > **Unmatched Entries**
> >     dovecot: IMAP(wife): fchown() failed with
> > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 1 Time(s)
> >     dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > permitted: 1 Time(s)
> >     dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > permitted: 1 Time(s)
> >     dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 3 Time(s)
> >  
> > 
> > But still no AVCs
> > 
> > Any ideas?
> Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> To reload policy with the silenced denials: semodule -B.
> 
> Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)

Is this related? (apologies for line-wrap):

Aug 18 09:07:44 troodos dbus: avc:  received setenforce notice
(enforcing=0)
Aug 18 09:07:44 troodos dbus: Can't send to audit system: USER_AVC avc:
received setenforce notice (enforcing=0)#012: exe="?" (sauid=81,
hostname=?, addr=?, terminal=?)

I haven't tried semodule -DB yet, but your message caused me to look
at /var/log/messages and this was the first thing I saw...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090818/e47cfb6b/attachment.sig>