Does SETroubleshoot speak to SEBool?

Dominick Grift domg472 at gmail.com
Mon Feb 2 16:34:47 UTC 2009 

I think, but not sure, that your home space is mislabeled ( especially
pyzor_home_t). if my memory serves me correct then labeling for that
location has recently changes. It seems that setroubleshoot hasnt been
updated to reflect this change yet.

to fix, restorecon -R -v /home, might fix this issue.

hth

On Mon, 2009-02-02 at 15:29 +0000, Arthur Dent wrote:
> I am currently trying to tidy up my local modules which have been in
> place for a number of years and which have probably been superseded by
> more recent policies. I put SE into permissive mode and removed the
> relevant local policy module.
> 
> One resulting denial suggested allowing access with:
> setsebool -P spamd_enable_home_dirs=1
> 
> This surprised me because I thought I had this set. Sure enough:
> # getsebool -a | grep spam
> spamassassin_can_network --> off
> spamd_enable_home_dirs --> on
> 
> Surely SETroubleshoot should realise that this bool is already set?
> 
> I can of course recreate a local policy module to deal with this denial,
> but I just wondered why this came up as a suggested remedy?
> 
> The full avc is listed below.
> 
> Thank you to all involved in this this great endeavour...
> 
> Mark
> 
> Summary
> SELinux is preventing the spamd daemon from reading users' home
> directories. 
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
> 
> SELinux has denied the spamd daemon access to users' home directories.
> Someone is attempting to access your home directories via your spamd
> daemon. If you only setup spamd to share non-home directories, this
> probably signals a intrusion attempt. 
> 
> 
> Allowing Access
> If you want spamd to share home directories you need to turn on the
> spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1" 
> Fix Command
> setsebool -P spamd_enable_home_dirs=1
> Additional Information
> 
> Source Context:  	unconfined_u:system_r:spamd_t:s0
> Target Context:  	system_u:object_r:user_pyzor_home_t:s0
> Target Objects:  	/home/mark/.pyzor/servers [ file ]
> Source:  	pyzor
> Source Path:  	/usr/bin/python
> Port:  	<Unknown>
> Host:  	mydomain.com
> Source RPM Packages:  	python-2.5.1-26.fc9
> Target RPM Packages:  	
> Policy RPM:  	selinux-policy-3.3.1-118.fc9
> Selinux Enabled:  	True
> Policy Type:  	targeted
> MLS Enabled:  	True
> Enforcing Mode:  	Permissive
> Plugin Name:  	spamd_enable_home_dirs
> Host Name:  	mydomain.com
> Platform:  	Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct
> 17 14:52:14 EDT 2008 i686 i686
> Alert Count:  	723
> First Seen:  	Sun Nov 2 01:13:46 2008
> Last Seen:  	Mon Feb 2 14:57:22 2009
> Local ID:  	22265a4e-86dd-4a61-a314-7c3fc363d5ee
> Line Numbers:  	
> 
> Raw Audit Messages :
> 
> node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied {
> getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers"
> dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file 
> node=mydomain.com type=SYSCALL msg=audit(1233586642.291:4900):
> arch=40000003 syscall=195 success=yes exit=0 a0=8774db0 a1=bfc5c3c8
> a2=cd9ff4 a3=86f01b8 items=0 ppid=9197 pid=17929 auid=0 uid=500 gid=0
> euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
> ses=726 comm="pyzor" exe="/usr/bin/python"
> subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

More information about the fedora-selinux-list mailing list