Re: [CentOS] SELinux issue?
On 6/16/2014 10:13 AM, m.r...@5-cent.us wrote:
> Chuck Campbell wrote:
>> I've recently built a new mail server with centos6.5, and decided to bite
>> the bullet and leave SELinux running. I've stumbled through making things work
>> and am mostly there.
>>
>> I've got my own spam and ham corpus as mbox files in
>> /home/user/Mail/learned.
>> These files came from my backup of the centos 5 server this machine is
>> replacing.
>>
>> The folder is owned by the user (the following is run as root):
>> ls -laF learned
>> drw---. 6 user group 4096 Jun 10 03:35 ./
>> drw---. 6 user group 35864 Jun 10 03:35 ../
>> drw---. 6 user group 4096 Jun 10 03:35 2004/
>> -rw---. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
>> -rw---. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham
>>
>> also as root:
>> ls -laZ learned
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 .
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 ..
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 2004
>> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_spam
>> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_ham
>>
>> When I do the same as the user, I get this:
>> ls -laF learned
>> ls: cannot access learned/2004: Permission denied
>> ls: cannot access 2014_10_Jun_learned_spam: Permission denied
>> ls: cannot access 2014_10_Jun_learned_ham: Permission denied
>
> Yup, you will. The *directories* have to be executable for you to look in
> them.
>
> mark

I don't know how, after all these years, that bit of knowledge escaped me.
Thanks, it works perfectly now.

-chuck
--
ACCEL Services, Inc. | Specialists in Gravity, Magnetics | (713)993-0671 ph.
                     | and Integrated Interpretation    | (713)993-0608 fax
448 W. 19th St. #325 | Since 1992                       | (713)306-5794 cell
Houston, TX, 77008   | Chuck Campbell                   | campb...@accelinc.com
                     | President & Senior Geoscientist  |
"Integration means more than having all the maps at the same scale!"
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux issue?
On 06/16/2014 11:13 AM, m.r...@5-cent.us wrote:
> Chuck Campbell wrote:
>> I've recently built a new mail server with centos6.5, and decided to bite
>> the bullet and leave SELinux running. I've stumbled through making things work
>> and am mostly there.
>>
>> I've got my own spam and ham corpus as mbox files in
>> /home/user/Mail/learned.
>> These files came from my backup of the centos 5 server this machine is
>> replacing.
>>
>> The folder is owned by the user (the following is run as root):
>> ls -laF learned
>> drw---. 6 user group 4096 Jun 10 03:35 ./
>> drw---. 6 user group 35864 Jun 10 03:35 ../
>> drw---. 6 user group 4096 Jun 10 03:35 2004/
>> -rw---. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
>> -rw---. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham
>>
>> also as root:
>> ls -laZ learned
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 .
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 ..
>> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 2004
>> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_spam
>> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_ham
>>
>> When I do the same as the user, I get this:
>> ls -laF learned
>> ls: cannot access learned/2004: Permission denied
>> ls: cannot access 2014_10_Jun_learned_spam: Permission denied
>> ls: cannot access 2014_10_Jun_learned_ham: Permission denied
>
> Yup, you will. The *directories* have to be executable for you to look in
> them.
>
> mark

I think this is more of a DAC issue, as Mark has said.
Re: [CentOS] SELinux issue?
Chuck Campbell wrote:
>
> I've recently built a new mail server with centos6.5, and decided to bite
> the bullet and leave SELinux running. I've stumbled through making things work
> and am mostly there.
>
> I've got my own spam and ham corpus as mbox files in
> /home/user/Mail/learned.
> These files came from my backup of the centos 5 server this machine is
> replacing.
>
> The folder is owned by the user (the following is run as root):
> ls -laF learned
> drw---. 6 user group 4096 Jun 10 03:35 ./
> drw---. 6 user group 35864 Jun 10 03:35 ../
> drw---. 6 user group 4096 Jun 10 03:35 2004/
> -rw---. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
> -rw---. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham
>
> also as root:
> ls -laZ learned
> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 .
> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 ..
> drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 2004
> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_spam
> -rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_ham
>
> When I do the same as the user, I get this:
> ls -laF learned
> ls: cannot access learned/2004: Permission denied
> ls: cannot access 2014_10_Jun_learned_spam: Permission denied
> ls: cannot access 2014_10_Jun_learned_ham: Permission denied

Yup, you will. The *directories* have to be executable for you to look in
them.

mark
[CentOS] SELinux issue?
I've recently built a new mail server with centos6.5, and decided to bite
the bullet and leave SELinux running. I've stumbled through making things work
and am mostly there.

I've got my own spam and ham corpus as mbox files in /home/user/Mail/learned.
These files came from my backup of the centos 5 server this machine is
replacing.

The folder is owned by the user (the following is run as root):
ls -laF learned
drw---. 6 user group 4096 Jun 10 03:35 ./
drw---. 6 user group 35864 Jun 10 03:35 ../
drw---. 6 user group 4096 Jun 10 03:35 2004/
-rw---. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
-rw---. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham

also as root:
ls -laZ learned
drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 .
drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 ..
drw---. 6 user group unconfined_u:object_r:mail_spool_t:s0 2004
-rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_spam
-rw---. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_ham

When I do the same as the user, I get this:
ls -laF learned
ls: cannot access learned/2004: Permission denied
ls: cannot access 2014_10_Jun_learned_spam: Permission denied
ls: cannot access 2014_10_Jun_learned_ham: Permission denied
total 0
d ? ? ? ? ? ./
d ? ? ? ? ? ../
d ? ? ? ? ? 2004/
- ? ? ? ? ? 2014_10_Jun_learned_spam
- ? ? ? ? ? 2014_10_Jun_learned_ham

and this:
ls -laFZ learned
ls: cannot access learned/2004: Permission denied
ls: cannot access 2014_10_Jun_learned_spam: Permission denied
ls: cannot access 2014_10_Jun_learned_ham: Permission denied
total 0
d ? ? ./
d ? ? ../
d ? ? 2004/
- ? ? 2014_10_Jun_learned_spam
- ? ? 2014_10_Jun_learned_ham

The user's process to feed the spam and ham to spamassassin fails when trying
to write to the directories, even though the files are owned by user:group.

What, precisely, is wrong here? I don't get any AVC entries in
/var/log/audit/audit.log, so I'm at a loss as to what to try next.

Should this directory not be target mail_spool_t? Any guesses?

-chuck
--
ACCEL Services, Inc. | Specialists in Gravity, Magnetics | (713)993-0671 ph.
                     | and Integrated Interpretation    | (713)993-0608 fax
448 W. 19th St. #325 | Since 1992                       | (713)306-5794 cell
Houston, TX, 77008   | Chuck Campbell                   | campb...@accelinc.com
                     | President & Senior Geoscientist  |
"Integration means more than having all the maps at the same scale!"
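The thread's answer is a DAC one: the directories are mode rw for the owner with no search (x) bit, so every lookup of a child path fails with EACCES before SELinux ever gets a say, which is also why no AVC record appears in audit.log. The following is an added example, not code from the thread or from CentOS; it parses an `ls -laF`-style listing for directories whose owner lacks the search bit and reproduces the symptom on a scratch directory. The sample listing is constructed: it mirrors the listing quoted above but spells the modes out in full, on the assumption that the archive collapsed `drw-------.` to `drw---.`.

```python
"""Spot directories the owner cannot traverse (missing the u+x search bit)."""
import os
import re
import stat
import tempfile

# Constructed sample in the shape of the `ls -laF learned` output quoted in the
# thread; the full-length modes are an assumption about the collapsed originals.
SAMPLE_LISTING = """\
drw-------. 6 user group   4096 Jun 10 03:35 ./
drw-------. 6 user group  35864 Jun 10 03:35 ../
drw-------. 6 user group   4096 Jun 10 03:35 2004/
-rw-------. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
-rw-------. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham
"""

# type, 9 permission chars, optional SELinux/ACL marker, links, owner, group,
# size, month, day, time-or-year, name
LINE_RE = re.compile(
    r"^(?P<type>[-dlbcps])(?P<perms>[rwxsStT-]{9})[.+]?\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


def parse_mode(perms):
    """Turn the 9-char rwx string into numeric permission bits.
    's' and 't' imply the x bit is set; 'S' and 'T' mean setuid/sticky without x."""
    bits = 0
    for i, ch in enumerate(perms):
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits


def find_unsearchable_dirs(listing):
    """Return [(name, current_mode, suggested_mode)] for every directory in an
    ls -l style listing whose owner lacks the search bit. Without it, the owner
    can stat the directory itself but not anything inside it, regardless of
    who owns the children."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("type") != "d":
            continue
        mode = parse_mode(m.group("perms"))
        if not mode & stat.S_IXUSR:
            name = m.group("name").rstrip("/")  # -F appends '/' to directories
            findings.append((name, mode, mode | stat.S_IXUSR))
    return findings


def dir_is_searchable_by_owner(path):
    """Live check via stat(2): true when path is a directory with u+x set.
    Reading the mode bits is deterministic even when run as root, unlike
    access(2), which root bypasses through CAP_DAC_OVERRIDE."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IXUSR)


def demo_live_check():
    """Reproduce the symptom on a scratch directory: mode 600 fails the check,
    adding the search bit (the equivalent of `chmod u+x`) makes it pass.
    Returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "learned")
        os.mkdir(d)
        os.chmod(d, 0o600)
        before = dir_is_searchable_by_owner(d)
        os.chmod(d, stat.S_IMODE(os.stat(d).st_mode) | stat.S_IXUSR)
        after = dir_is_searchable_by_owner(d)
        return before, after


if __name__ == "__main__":
    for name, cur, want in find_unsearchable_dirs(SAMPLE_LISTING):
        print("%-6s mode %o -> chmod u+x (%o)" % (name, cur, want))
    print("live check (before, after):", demo_live_check())
```

Feed it `ls -laF` output captured as root (as in the post) and it names the directories to fix; the repair is `chmod u+x` on each listed directory, which is the "directories have to be executable" point from the reply. A DAC refusal like this never reaches the SELinux hook, so the absence of AVC entries is expected rather than a sign that SELinux is misconfigured.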
[CentOS] SELinux issue
Hey all... not exactly an SELinux veteran, but am trying to work through some
issues. Specifically, setting up a simple Samba configuration on a CentOS 5
machine.

Determined I needed to do

setsebool -P samba_enable_home_dirs 1

in order to get access to home directory shares working correctly. Fine; this
is documented in samba_selinux(8). However, I still see the following in my
/var/log/audit/audit.log file:

type=AVC msg=audit(1200895451.310:1231): avc: denied { rename } for pid=24854 comm="smbd" name="smbd.log" dev=dm-0 ino=14254108 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file
type=SYSCALL msg=audit(1200895451.310:1231): arch=4003 syscall=38 success=no exit=-13 a0=6155e0 a1=bfb8bf08 a2=60da4c a3=bfb8bf08 items=0 ppid=24848 pid=24854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)

audit2allow suggests I create policy as follows:

allow smbd_t samba_log_t:file rename;

to resolve the problem. I decided to just do:

setsebool -P smbd_disable_trans 1

and this cleared up the errors.

Anyways, is this a bug? Seems like policy should allow smbd to work with its
own logfiles. Can file upstream if necessary, but starting here.

Ray
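For the second thread, the useful skill is reading the AVC record itself: the source type, target type, object class and denied permission are all in the line, and the `allow` rule audit2allow prints is just those four fields rearranged. The following is an added example, not code from the thread, from audit2allow or from CentOS; it parses `type=AVC` records into those fields and groups them into rules the way audit2allow does. The sample log is constructed: it contains the AVC and SYSCALL records quoted above plus one additional, made-up denial (`unlink` on `smbd.log.old`) to show several permissions collapsing into one rule.

```python
"""Parse SELinux AVC denials from audit.log and derive the matching allow rules."""
import re

# Constructed sample: the two records quoted in the post, plus a made-up second
# denial for the same type pair so that grouping has something to do.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200895451.310:1231): avc: denied { rename } for pid=24854 comm="smbd" name="smbd.log" dev=dm-0 ino=14254108 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file
type=SYSCALL msg=audit(1200895451.310:1231): arch=4003 syscall=38 success=no exit=-13 a0=6155e0 a1=bfb8bf08 a2=60da4c a3=bfb8bf08 items=0 ppid=24848 pid=24854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=user_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1200895452.000:1232): avc: denied { unlink } for pid=24854 comm="smbd" name="smbd.log.old" dev=dm-0 ino=14254109 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:samba_log_t:s0 tclass=file
"""

# Tolerates the double spaces auditd really writes ("avc:  denied  { ... }")
# as well as the single-spaced form in the mailing-list archive.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type, the field policy rules are written in."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Return one dict per AVC denial. SYSCALL records (and anything else)
    carry no access-vector fields and are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "source_type": context_type(m.group("scontext")),
            "target_type": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def suggest_allow_rules(denials):
    """Collapse denials into one 'allow' rule per (source, target, class),
    the same shape audit2allow prints."""
    grouped = {}
    for d in denials:
        key = (d["source_type"], d["target_type"], d["tclass"])
        grouped.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, plist))
    return rules


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for d in found:
        print("serial %d: %s -> %s:%s %s" % (
            d["serial"], d["source_type"], d["target_type"], d["tclass"], d["perms"]))
    for rule in suggest_allow_rules(found):
        print(rule)
```

Run against only the first record it yields exactly the rule quoted in the post, `allow smbd_t samba_log_t:file rename;`. The rule restates the denial rather than judging it, so the review step is deciding whether the access is legitimate; smbd renaming its own log in `samba_log_t` is the kind of case the post argues should already be in policy. Loading that one rule as a local module keeps smbd confined, whereas `smbd_disable_trans` turns the transition off and leaves smbd running unconfined.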