Logrotate on mounted partition

Dominick Grift domg472 at gmail.com
Tue Aug 18 10:28:19 UTC 2009


On Tue, Aug 18, 2009 at 10:42:40AM +0100, Arthur Dent wrote:
> On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> > On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > > > I have a procmail recipe which writes a copy of every mail I receive
> > > > (just because I'm paranoid it doesn't mean they aren't out to get me!)
> > > > to a backup area on my /dev/sda9 partition, mounted as
> > > > /mnt/backup/ by fstab. (It is an ext3 partition).
> > > > 
> > > > Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> > > > prevent the hundreds of avcs by suggesting the following:
> > > > 
> > > > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > > > restorecon -v -R /mnt/backup
> > > > 
> > > > This worked perfectly. It also held true throughout my time with F9. I
> > > > have now upgraded to F11 (I skipped F10) and it still kind of works. I
> > > > get an avc when logrotate tries to access these files.
> > > > 
> > > > The strange thing is this didn't happen under F8 or F9.
> > > > 
> > > > Is there an elegant solution to this problem or should I write a policy
> > > > module?
> > > > 
> > > > This is what audit2allow proposes:
> > > > 
> > > > module rawmail 1.0;
> > > > 
> > > > require {
> > > > 	type mail_spool_t;
> > > > 	type logrotate_t;
> > > > 	class file getattr;
> > > > }
> > > > 
> > > > #============= logrotate_t ==============
> > > > allow logrotate_t mail_spool_t:file getattr;
> > > > 
> > > > 
> > > > The full avc is below.
> > > > 
> > > > Many thanks for all your help....
> > > > 
> > > > Mark
> > > 
> > > Just to add to my own mail...
> > > 
> > > I employed the above policy module, everything seemed OK so (as this
> > > seemed to be the last of the problems since upgrading) I switched to
> > > enforcing mode.
> > > 
> > > Since doing so I have received no AVCs but I am finding these in my
> > > maillog:
> > > 
> > > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > > 
> > > Temporarily switching back with setenforce 0 stops them so it is selinux
> > > related...
> > > 
> > > 
> > > Also, I get these dovecot messages (although I haven't investigated
> > > fully if they are selinux related...)
> > > **Unmatched Entries**
> > >     dovecot: IMAP(wife): fchown() failed with
> > > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > permitted: 1 Time(s)
> > >     dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > > permitted: 1 Time(s)
> > >     dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > > permitted: 1 Time(s)
> > >     dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > permitted: 3 Time(s)
> > >  
> > > 
> > > But still no AVCs
> > > 
> > > Any ideas?
> > Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> > To reload policy with the silenced denials: semodule -B.
> > 
> > Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)
> 
> Is this related? (apologies for line-wrap):

No, not related. (it is a (known) bug in dbus though)

> 
> Aug 18 09:07:44 troodos dbus: avc:  received setenforce notice
> (enforcing=0)
> Aug 18 09:07:44 troodos dbus: Can't send to audit system: USER_AVC avc:
> received setenforce notice (enforcing=0)#012: exe="?" (sauid=81,
> hostname=?, addr=?, terminal=?)
> 
> I haven't tried semodule -DB yet, but your message caused me to look
> at /var/log/messages and this was the first thing I saw...
> 
> 



> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
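Added example, not part of the archived thread and not the audit2allow code shipped in policycoreutils (which is also written in Python): a small parser that turns raw AVC records from audit.log into the `module` / `require` / `allow` skeleton quoted earlier in the thread. The audit lines embedded below are constructed sample input, not the original poster's AVC (which the archive does not include): the first reproduces the logrotate_t -> mail_spool_t getattr denial the thread describes, the second adds an assumed `read` denial on the same source/target/class purely to show how permissions merge into one rule, and the third is a non-AVC record (SYSCALL) that a parser must skip. The pid, inode, timestamps and module name are likewise assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (assumption: not taken from the original
# mail, whose AVC was not archived). Line 1 matches the rule audit2allow
# proposed in the thread; line 2 is an assumed extra denial on the same
# (source, target, class) to show permission merging; line 3 is a SYSCALL
# record that belongs to the same event and must be ignored.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1250585227.412:1021): avc:  denied  { getattr } for  '
    'pid=4321 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=12 '
    'scontext=system_u:system_r:logrotate_t:s0 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file',
    'type=AVC msg=audit(1250585227.412:1022): avc:  denied  { read } for  '
    'pid=4321 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=12 '
    'scontext=system_u:system_r:logrotate_t:s0 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1250585227.412:1021): arch=c000003e syscall=4 '
    'success=no exit=-13',
]

# Pull the denied permission set and the three context fields out of an AVC
# record. Permissions appear as "{ getattr }" or "{ read write }".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc_lines(lines):
    """Map (source_type, target_type, class) -> set of denied permissions.

    Records that are not AVC denials (SYSCALL, PATH, CWD, ...) are skipped,
    and repeated denials for the same triple are merged into one entry.
    """
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def _perm_list(perms):
    """Format a permission set the way a .te file expects: bare or braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_module(name, version, rules):
    """Render the rules as .te source in the shape audit2allow prints."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)

    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {_perm_list(classes[cls])};' for cls in sorted(classes)]
    out += ['}', '']

    current_src = None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != current_src:
            out += [f'#============= {src} ==============']
            current_src = src
        out.append(f'allow {src} {tgt}:{cls} {_perm_list(perms)};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_module('rawmail', '1.0', parse_avc_lines(SAMPLE_AUDIT_LINES)))
```

The same parser can be pointed at the denials that only become visible after `semodule -DB`. As the reply above notes, those are normally silenced by dontaudit rules, so a rule generated from them is a diagnostic lead for the procmail lock failure, not something to build and load with semodule without first understanding why the policy hid it.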