Does SETroubleshoot speak to SEBool?

Daniel J Walsh dwalsh at redhat.com
Mon Feb 2 18:54:42 UTC 2009



Arthur Dent wrote:
> I am currently trying to tidy up my local modules which have been in
> place for a number of years and which have probably been superseded by
> more recent policies. I put SE into permissive mode and removed the
> relevant local policy module.
> 
> One resulting denial suggested allowing access with:
> setsebool -P spamd_enable_home_dirs=1
> 
> This surprised me because I thought I had this set. Sure enough:
> # getsebool -a | grep spam
> spamassassin_can_network --> off
> spamd_enable_home_dirs --> on
> 
> Surely SETroubleshoot should realise that this bool is already set?
> 
SETroubleshoot is responding to what the kernel tells it. It reads the
avc and then tries to report what it believes is the problem. In newer
versions of Fedora, setroubleshoot does read the policy and tries out
different booleans to see if the access would be allowed. So in a way
it does know what booleans are turned on.
> I can of course recreate a local policy module to deal with this denial,
> but I just wondered why this came up as a suggested remedy?
> 
> The full avc is listed below.
> 
> Thank you to all involved in this great endeavour...
> 
> Mark
> 
> Summary
> SELinux is preventing the spamd daemon from reading users' home
> directories. 
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
> 
> SELinux has denied the spamd daemon access to users' home directories.
> Someone is attempting to access your home directories via your spamd
> daemon. If you only set up spamd to share non-home directories, this
> probably signals an intrusion attempt.
> 
> 
> Allowing Access
> If you want spamd to share home directories you need to turn on the
> spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1" 
> Fix Command
> setsebool -P spamd_enable_home_dirs=1
> Additional Information
> 
> Source Context:  	unconfined_u:system_r:spamd_t:s0
> Target Context:  	system_u:object_r:user_pyzor_home_t:s0
> Target Objects:  	/home/mark/.pyzor/servers [ file ]
> Source:  	pyzor
> Source Path:  	/usr/bin/python
> Port:  	<Unknown>
> Host:  	mydomain.com
> Source RPM Packages:  	python-2.5.1-26.fc9
> Target RPM Packages:  	
> Policy RPM:  	selinux-policy-3.3.1-118.fc9
> Selinux Enabled:  	True
> Policy Type:  	targeted
> MLS Enabled:  	True
> Enforcing Mode:  	Permissive
> Plugin Name:  	spamd_enable_home_dirs
> Host Name:  	mydomain.com
> Platform:  	Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct
> 17 14:52:14 EDT 2008 i686 i686
> Alert Count:  	723
> First Seen:  	Sun Nov 2 01:13:46 2008
> Last Seen:  	Mon Feb 2 14:57:22 2009
> Local ID:  	22265a4e-86dd-4a61-a314-7c3fc363d5ee
> Line Numbers:  	
> 
> Raw Audit Messages :
> 
> node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied {
> getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers"
> dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file 
> node=mydomain.com type=SYSCALL msg=audit(1233586642.291:4900):
> arch=40000003 syscall=195 success=yes exit=0 a0=8774db0 a1=bfc5c3c8
> a2=cd9ff4 a3=86f01b8 items=0 ppid=9197 pid=17929 auid=0 uid=500 gid=0
> euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
> ses=726 comm="pyzor" exe="/usr/bin/python"
> subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
> 
> 
> 
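The situation in this thread, where the plugin suggests a boolean that `getsebool` already reports as on, is easy to catch before acting on a Fix Command. The following is an added example, not code from setroubleshoot or from anyone in the thread: it parses the raw AVC record and `getsebool -a` output quoted above (both embedded here as constructed samples) and flags a suggested boolean that is already enabled, since toggling it cannot be the remedy for the denial.

```python
import re

# Constructed sample: the raw AVC record from the report above, reflowed onto one line.
SAMPLE_AVC = (
    'node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied { getattr } '
    'for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers" dev=sda8 ino=3172618 '
    'scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file'
)

# Constructed sample of `getsebool -a | grep spam` output, matching the thread.
SAMPLE_GETSEBOOL = """spamassassin_can_network --> off
spamd_enable_home_dirs --> on
"""

_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally quoted


def parse_avc(line):
    """Return the permissions, source/target types and object class of one AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    # A context is user:role:type:level; the type is what policy rules are written against.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path'),
        'comm': fields.get('comm'),
    }


def parse_getsebool(output):
    """Map boolean name -> True/False from `getsebool -a` style output."""
    states = {}
    for line in output.splitlines():
        name, _, state = line.partition(' --> ')
        if state:
            states[name.strip()] = state.strip() == 'on'
    return states


def check_suggestion(avc, booleans, suggested):
    """Sanity-check a 'setsebool -P <bool>=1' suggestion against the current boolean state.
    A boolean that is already on cannot be the fix: the denial occurred with it enabled,
    so the access is not granted by it and needs another remedy (policy module or relabel)."""
    state = booleans.get(suggested)
    if state is None:
        return f'unknown boolean {suggested}'
    if state:
        return (f'{suggested} already on; {avc["source_type"]} {" ".join(avc["perms"])} '
                f'on {avc["target_type"]} ({avc["tclass"]}) is not granted by it')
    return f'try: setsebool -P {suggested}=1'
```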

