Does SETroubleshoot speak to SEBool?
Dominick Grift
domg472 at gmail.com
Mon Feb 2 16:34:47 UTC 2009
I think, but am not sure, that your home space is mislabeled (especially
pyzor_home_t). If my memory serves me correctly then labeling for that
location has recently changed. It seems that setroubleshoot hasn't been
updated to reflect this change yet.
To fix, restorecon -R -v /home might fix this issue.
hth
On Mon, 2009-02-02 at 15:29 +0000, Arthur Dent wrote:
> I am currently trying to tidy up my local modules which have been in
> place for a number of years and which have probably been superseded by
> more recent policies. I put SE into permissive mode and removed the
> relevant local policy module.
>
> One resulting denial suggested allowing access with:
> setsebool -P spamd_enable_home_dirs=1
>
> This surprised me because I thought I had this set. Sure enough:
> # getsebool -a | grep spam
> spamassassin_can_network --> off
> spamd_enable_home_dirs --> on
>
> Surely SETroubleshoot should realise that this bool is already set?
>
> I can of course recreate a local policy module to deal with this denial,
> but I just wondered why this came up as a suggested remedy?
>
> The full avc is listed below.
>
> Thank you to all involved in this great endeavour...
>
> Mark
>
> Summary
> SELinux is preventing the spamd daemon from reading users' home
> directories.
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux has denied the spamd daemon access to users' home directories.
> Someone is attempting to access your home directories via your spamd
> daemon. If you only setup spamd to share non-home directories, this
> probably signals an intrusion attempt.
>
>
> Allowing Access
> If you want spamd to share home directories you need to turn on the
> spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"
> Fix Command
> setsebool -P spamd_enable_home_dirs=1
> Additional Information
>
> Source Context: unconfined_u:system_r:spamd_t:s0
> Target Context: system_u:object_r:user_pyzor_home_t:s0
> Target Objects: /home/mark/.pyzor/servers [ file ]
> Source: pyzor
> Source Path: /usr/bin/python
> Port: <Unknown>
> Host: mydomain.com
> Source RPM Packages: python-2.5.1-26.fc9
> Target RPM Packages:
> Policy RPM: selinux-policy-3.3.1-118.fc9
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: spamd_enable_home_dirs
> Host Name: mydomain.com
> Platform: Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct
> 17 14:52:14 EDT 2008 i686 i686
> Alert Count: 723
> First Seen: Sun Nov 2 01:13:46 2008
> Last Seen: Mon Feb 2 14:57:22 2009
> Local ID: 22265a4e-86dd-4a61-a314-7c3fc363d5ee
> Line Numbers:
>
> Raw Audit Messages :
>
> node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied {
> getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers"
> dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file
> node=mydomain.com type=SYSCALL msg=audit(1233586642.291:4900):
> arch=40000003 syscall=195 success=yes exit=0 a0=8774db0 a1=bfc5c3c8
> a2=cd9ff4 a3=86f01b8 items=0 ppid=9197 pid=17929 auid=0 uid=500 gid=0
> euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
> ses=726 comm="pyzor" exe="/usr/bin/python"
> subj=unconfined_u:system_r:spamd_t:s0 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
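The check the thread converges on (is the target's type what the policy expects, rather than whether the suggested boolean is on) can be scripted against the raw AVC line. The following is an added example, not code from either poster or from setroubleshoot. It parses the AVC from the report above (embedded as constructed input), extracts the source and target types, and compares the target type against an expected type. The expected type `pyzor_home_t` is an assumption taken from the reply's hint; on a real host the authoritative expected label comes from `matchpathcon`, which the `relabel_check` function calls only if the SELinux userspace is installed.

```sh
#!/bin/sh
# Added example (not from the thread): triage an AVC that setroubleshoot
# blames on a boolean by checking the target's label first.

# Constructed input: the raw AVC line from the report, joined onto one line.
AVC='node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied { getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers" dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in LINE, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission(s) listed between "denied {" and "}".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_mismatch LINE EXPECTED_TYPE -> success (0) when the target's type
# differs from EXPECTED_TYPE, i.e. a relabel is the first thing to try.
label_mismatch() {
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    [ "$t" != "$2" ]
}

# relabel_check PATH -> on an SELinux host, show what the policy expects for
# PATH, what is on disk, and a dry run of restorecon. Skipped elsewhere.
relabel_check() {
    p="$1"
    if command -v matchpathcon >/dev/null 2>&1; then
        echo "policy expects: $(matchpathcon -n "$p" 2>/dev/null || true)"
        ls -Zd "$p" 2>/dev/null || true
        restorecon -n -v "$p" 2>/dev/null || true
    else
        echo "no SELinux userspace here; skipping live check of $p"
    fi
}

# Walk the report: what was denied, on what, under which types.
perm=$(avc_perm "$AVC")
target=$(avc_field "$AVC" path)
src=$(ctx_type "$(avc_field "$AVC" scontext)")
tgt=$(ctx_type "$(avc_field "$AVC" tcontext)")
printf 'denied %s: %s (%s) on %s (%s)\n' "$perm" "$(avc_field "$AVC" comm)" "$src" "$target" "$tgt"

# Assumed expected type, per the reply's hint; matchpathcon is authoritative.
expected=pyzor_home_t
if label_mismatch "$AVC" "$expected"; then
    printf 'target type %s is not the expected %s: relabel before touching booleans, e.g. restorecon -R -v %s\n' \
        "$tgt" "$expected" "$(dirname "$target")"
    relabel_check "$target"
else
    printf 'label looks right; the suggested boolean or a local module is the next step\n'
fi
```

The order matters for the question raised in the thread: a boolean only helps when the object already carries the type the policy rule refers to, so a stale home-directory type makes the "turn on spamd_enable_home_dirs" advice a red herring even though the boolean is on. `restorecon -n -v` (dry run) shows what would be relabeled without changing anything; drop `-n` to apply.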