Does SETroubleshoot speak to SEBool?

Daniel J Walsh dwalsh at redhat.com
Mon Feb 2 18:52:36 UTC 2009



Arthur Dent wrote:
> On Mon, Feb 02, 2009 at 07:01:16PM +0100, Dominick Grift wrote:
>> On second thought, no. I do not think spamd_t has access to
>> user_pyzor_home_t.
>>
>> sesearch --allow -s spamd_t | grep home | less
>>
>> so i guess your custom module fixes that. consider filing a bug report
>> for this issue.
> 
> Thanks for your help. I have not yet altered my new local policy, but I
> thought I would try a reboot to see if that had any affect...
> 
> Oh boy! A whole raft of denials...
> 
> This is the audit2allow result of this recent batch. It seems quite a
> lot to me!
> 
> require {
> 	type user_pyzor_home_t;
> 	type admin_home_t;
> 	type spamd_t;
> 	type procmail_t;
> 	class dir { read write add_name remove_name };
> 	class file { read create ioctl write getattr unlink append };
> }
> 
> #============= procmail_t ==============
> init_stream_connect_script(procmail_t)

This looks like you have some process running as initrc_t that procmail
needs to talk to.  If this is not a domain we have a confinement for,
this is fine.

> #============= spamd_t ==============
> allow spamd_t admin_home_t:dir { read write add_name remove_name };
> allow spamd_t admin_home_t:file { write getattr read create unlink ioctl
> append };
This is spamd creating stuff in the /root directory.  Not sure if you
want to actually allow this.  Might want to set up the directory with
proper labeling to allow spamd to write there.
userdom_read_sysadm_home_content_files(spamd_t)

What directory?

You could set up labeling of

# semanage fcontext -a -t spamassassin_home_t '/root/.spamassassin(/.*)?'
# restorecon -R -v /root

> allow spamd_t user_pyzor_home_t:file { read getattr };
This should be allowed and should be reported as a bug.

> What do you think?
> 
> Thanks again
> 
> Mark

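The reply above reads a batch of audit2allow output and sorts the rules into "real bug, should be allowed" versus "wrong fix, relabel the directory instead". The script below is an added example, not code from the thread or from the SELinux tools: it parses AVC denial records into (source type, target type, class) groups the way audit2allow does, renders the same require/allow fragment, and then flags rules whose target is admin_home_t as candidates for the fcontext relabel suggested in the message rather than a blanket allow. The AVC lines are constructed sample data whose types and permissions mirror the quoted policy; the spamassassin_home_t relabel suggestion is taken from the reply and is assumed to be the right target type for a .spamassassin directory under /root.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the thread); the types and
# permissions mirror the audit2allow output quoted in the message.
SAMPLE_AVCS = """\
type=AVC msg=audit(1233600000.101:201): avc:  denied  { read write } for  pid=2001 comm="spamd" name="root" dev=dm-0 ino=1001 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1233600000.102:202): avc:  denied  { add_name remove_name } for  pid=2001 comm="spamd" name=".spamassassin" dev=dm-0 ino=1002 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1233600000.103:203): avc:  denied  { create write } for  pid=2001 comm="spamd" name="bayes_toks" dev=dm-0 ino=1003 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1233600000.104:204): avc:  denied  { read getattr } for  pid=2001 comm="spamd" name="servers" dev=dm-0 ino=1004 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record; user/role fields are skipped, only the type field is kept.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):.*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):.*?"
    r"tclass=(?P<tclass>\w+)"
)

# Hypothetical relabel hints: target types that usually mean "fix the labeling,
# do not widen the policy". The command string is the one from the reply.
RELABEL_HINTS = {
    "admin_home_t": "semanage fcontext -a -t spamassassin_home_t "
                    "'/root/.spamassassin(/.*)?' && restorecon -R -v /root",
}


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["stype"], m["ttype"], m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def render_te(rules):
    """Render the grouped denials as an audit2allow-style .te fragment."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c].update(perms)          # require block unions perms per class
    out = ["require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


def review(rules, hints=RELABEL_HINTS):
    """Flag allow rules whose target type suggests a labeling fix instead.

    Returns a list of (rule_key, suggestion) for every rule that targets a
    type in `hints`; everything else is left for normal bug-report handling.
    """
    findings = []
    for key in sorted(rules):
        _, ttype, _ = key
        if ttype in hints:
            findings.append((key, hints[ttype]))
    return findings


if __name__ == "__main__":
    grouped = parse_avcs(SAMPLE_AVCS)
    print(render_te(grouped))
    for key, suggestion in review(grouped):
        print(f"# {key[0]} -> {key[1]}:{key[2]}: consider relabeling: {suggestion}")
```

Run against the sample, the spamd_t rules on admin_home_t come back flagged with the relabel command, while the user_pyzor_home_t read/getattr rule passes through untouched, which matches the split the reply makes: one is a labeling problem on the host, the other a gap in the shipped policy.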