Does SETroubleshoot speak to SEBool?

Arthur Dent selinux.list at troodos.demon.co.uk
Mon Feb 2 19:27:25 UTC 2009


On Mon, Feb 02, 2009 at 01:52:36PM -0500, Daniel J Walsh wrote:
> Arthur Dent wrote:
> > On Mon, Feb 02, 2009 at 07:01:16PM +0100, Dominick Grift wrote:
> >> On second thought, no. I do not think spamd_t has access to
> >> user_pyzor_home_t.
> >>
> >> sesearch --allow -s spamd_t | grep home | less
> >>
> >> so i guess your custom module fixes that. consider filing a bug report
> >> for this issue.
> > 
> > Thanks for your help. I have not yet altered my new local policy, but I
> > thought I would try a reboot to see if that had any effect...
> > 
> > Oh boy! A whole raft of denials...
> > 
> > This is the audit2allow result of this recent batch. It seems quite a
> > lot to me!
> > 
> > require {
> > 	type user_pyzor_home_t;
> > 	type admin_home_t;
> > 	type spamd_t;
> > 	type procmail_t;
> > 	class dir { read write add_name remove_name };
> > 	class file { read create ioctl write getattr unlink append };
> > }
> > 
> > #============= procmail_t ==============
> > init_stream_connect_script(procmail_t)
> 
> This looks like you have some process running as initrc_t that procmail
> needs to talk to.  If this is not a domain we have a confinement for
> this is fine.

Well, my mail chain is as follows:
fetchmail->procmail->clamassassin(using clamd)->spamassassin->dovecot

clamd and spamd are both started from init.d scripts if that's what this
means...

> > #============= spamd_t ==============
> > allow spamd_t admin_home_t:dir { read write add_name remove_name };
> > allow spamd_t admin_home_t:file { write getattr read create unlink ioctl
> > append };
> This is spamd creating stuff in the /root directory.  Not sure if you
> want to actually allow this.  Might want to set up the directory with
> proper labeling to allow spamd to write there.
> userdom_read_sysadm_home_content_files(spamd_t)

Hmmm... I was about to say that nothing is run as root WRT spamassassin
or spamd, but then I looked at the avcs. It seems that razor is the
offender here:
avc: denied { getattr } for pid=2200 comm="spamd"
path="/root/.razor/razor-agent.conf"

(and several others like it)

I don't know if razor can be installed by a non-root user. If not, can I
(should I?) just do what you suggest below?

> 
> What directory?

Could this be /root/.razor/ ?

> You could set up labeling of
> 
> # semanage fcontext -a -t spamassassin_home_t '/root/.spamassassin(/.*)?'
> # restorecon -R -v /root

Does this make the command:
# semanage fcontext -a -t spamassassin_home_t '/root/.razor(/.*)?'
# restorecon -R -v /root

?

> 
> > allow spamd_t user_pyzor_home_t:file { read getattr };
> This should be allowed and should be reported as a bug.

I will look into this tomorrow...

Thank you very much for your help so far.

Regards

Mark
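An added triage helper, not code from the thread or from the SELinux project, that merges raw AVC records into the kind of require/allow output audit2allow produced above and flags the rules where Dan's advice applies: a target type that is a generic home label such as admin_home_t, where relabeling the directory is the right fix rather than an allow rule. The AVC lines it runs on are constructed to match the /root/.razor denial quoted above (the thread's own record omits the scontext/tcontext/tclass tokens that audit.log carries), and it handles both dir and file denials.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the thread), modelled on the /root/.razor denial quoted above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1233601234.101:45): avc:  denied  { getattr } for  pid=2200 comm="spamd" path="/root/.razor/razor-agent.conf" dev=dm-0 ino=1001 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1233601234.102:46): avc:  denied  { read } for  pid=2200 comm="spamd" path="/root/.razor/razor-agent.conf" dev=dm-0 ino=1001 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1233601234.103:47): avc:  denied  { write add_name } for  pid=2200 comm="spamd" name=".razor" dev=dm-0 ino=1000 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1233601234.104:48): avc:  denied  { read } for  pid=2200 comm="spamd" path="/home/mark/.pyzor/servers" dev=dm-0 ino=2000 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_pyzor_home_t:s0 tclass=file
"""

# Denials against generic home types usually call for a service-specific label (semanage fcontext + restorecon), not an allow rule.
GENERIC_HOME_TYPES = {"admin_home_t", "user_home_t", "user_home_dir_t"}

def parse_avc(line):
    """Return (source_domain, target_type, tclass, perms, object) or None for a non-AVC line."""
    m = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    ctx = [f.get(k, "").split(":") for k in ("scontext", "tcontext")]
    if not m or "tclass" not in f or any(len(c) < 3 for c in ctx):
        return None
    obj = f.get("path", f.get("name", "")).strip('"')  # path= for files, name= for directories
    return ctx[0][2], ctx[1][2], f["tclass"], set(m.group(1).split()), obj

def summarize(text):
    """Merge denials into audit2allow-style rule keys; remember which objects were hit."""
    rules, objects = defaultdict(set), defaultdict(set)
    for parsed in filter(None, map(parse_avc, text.splitlines())):
        sdom, ttype, tclass, perms, obj = parsed
        rules[(sdom, ttype, tclass)] |= perms
        if obj:
            objects[(sdom, ttype)].add(obj)
    return dict(rules), dict(objects)

def render_te(rules):
    """Format the require block and allow rules the way audit2allow prints them."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ["require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out)

def relabel_candidates(rules, objects):
    """Rules whose target is a generic home type: relabel those objects instead of allowing."""
    hits = {(s, t, tuple(sorted(objects.get((s, t), ())))) for (s, t, _) in rules if t in GENERIC_HOME_TYPES}
    return sorted(hits)
```

On the constructed records, `relabel_candidates` singles out the spamd_t to admin_home_t rules together with `.razor` and the razor-agent.conf path, while the user_pyzor_home_t denial is left as a plain allow rule, matching Dan's reading of which one is a policy bug.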