Does SETroubleshoot speak to SEBool?

Arthur Dent selinux.list at troodos.demon.co.uk
Mon Feb 2 15:29:57 UTC 2009


I am currently trying to tidy up my local modules which have been in
place for a number of years and which have probably been superseded by
more recent policies. I put SE into permissive mode and removed the
relevant local policy module.

One resulting denial suggested allowing access with:
setsebool -P spamd_enable_home_dirs=1

This surprised me because I thought I had this set. Sure enough:
# getsebool -a | grep spam
spamassassin_can_network --> off
spamd_enable_home_dirs --> on

Surely SETroubleshoot should realise that this bool is already set?

I can of course recreate a local policy module to deal with this denial,
but I just wondered why this came up as a suggested remedy?

The full avc is listed below.

Thank you to all involved in this great endeavour...

Mark

Summary
SELinux is preventing the spamd daemon from reading users' home
directories. 
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]

SELinux has denied the spamd daemon access to users' home directories.
Someone is attempting to access your home directories via your spamd
daemon. If you only setup spamd to share non-home directories, this
probably signals a intrusion attempt. 


Allowing Access
If you want spamd to share home directories you need to turn on the
spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1" 
Fix Command
setsebool -P spamd_enable_home_dirs=1
Additional Information

Source Context:  	unconfined_u:system_r:spamd_t:s0
Target Context:  	system_u:object_r:user_pyzor_home_t:s0
Target Objects:  	/home/mark/.pyzor/servers [ file ]
Source:  	pyzor
Source Path:  	/usr/bin/python
Port:  	<Unknown>
Host:  	mydomain.com
Source RPM Packages:  	python-2.5.1-26.fc9
Target RPM Packages:  	
Policy RPM:  	selinux-policy-3.3.1-118.fc9
Selinux Enabled:  	True
Policy Type:  	targeted
MLS Enabled:  	True
Enforcing Mode:  	Permissive
Plugin Name:  	spamd_enable_home_dirs
Host Name:  	mydomain.com
Platform:  	Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct
17 14:52:14 EDT 2008 i686 i686
Alert Count:  	723
First Seen:  	Sun Nov 2 01:13:46 2008
Last Seen:  	Mon Feb 2 14:57:22 2009
Local ID:  	22265a4e-86dd-4a61-a314-7c3fc363d5ee
Line Numbers:  	

Raw Audit Messages :

node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied {
getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers"
dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0
tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file 
node=mydomain.com type=SYSCALL msg=audit(1233586642.291:4900):
arch=40000003 syscall=195 success=yes exit=0 a0=8774db0 a1=bfc5c3c8
a2=cd9ff4 a3=86f01b8 items=0 ppid=9197 pid=17929 auid=0 uid=500 gid=0
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
ses=726 comm="pyzor" exe="/usr/bin/python"
subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
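A defender-side triage check, added here as an example (it is not code from the post or from SETroubleshoot): it parses the raw AVC and the getsebool output shown above and flags the case Mark hit, a suggested boolean that is already on, which means a local policy module rather than setsebool is the remaining fix. BOOLEAN_HINTS is a hypothetical, hand-written mapping; the real setroubleshoot plugins use their own matching logic.

```python
import re

# Constructed sample input: the AVC from the post joined onto one line.
AVC_LINE = (
    'node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied '
    '{ getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers" '
    'dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file'
)

# Constructed sample input: the `getsebool -a | grep spam` output from the post.
GETSEBOOL_OUTPUT = """spamassassin_can_network --> off
spamd_enable_home_dirs --> on
"""

# Hypothetical hint table: (source type, target type regex, class, boolean that
# setroubleshoot would suggest).  Only the spamd case from the post is listed.
BOOLEAN_HINTS = [("spamd_t", r"user_.*home_t", "file", "spamd_enable_home_dirs")]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Extract permissions, source/target *types* and object class from an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m["perms"].split(),
        "stype": m["scontext"].split(":")[2],  # user:role:type:level -> type
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }


def parse_getsebool(text):
    """Turn 'name --> on/off' lines into a {name: bool} dict."""
    bools = {}
    for line in text.splitlines():
        name, sep, state = line.partition(" --> ")
        if sep:
            bools[name.strip()] = state.strip() == "on"
    return bools


def triage(avc_line, getsebool_text):
    """Return (verdict, boolean): 'set_boolean' if a hint applies and is off,
    'already_on' if it applies but is already on (local module needed),
    'no_boolean' if no hint matches."""
    avc = parse_avc(avc_line)
    bools = parse_getsebool(getsebool_text)
    for stype, tpat, tclass, boolean in BOOLEAN_HINTS:
        if avc["stype"] == stype and re.fullmatch(tpat, avc["ttype"]) and avc["tclass"] == tclass:
            return ("already_on" if bools.get(boolean) else "set_boolean", boolean)
    return ("no_boolean", None)
```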
