I just upgraded to Fedora 9 at home (disk went bad, FC4 didn't support new SATA disk on my motherboard, Firefox 3 wouldn't run ... time to change)

Anyhow, newer Fedora (and RHEL 5 on my new desktop at work) come with SELinux turned on, and I thought I should get my head around it instead of turning it off (after all, it is a security feature and I'm supposed to know about that stuff..)

So, a ton of SELinux errors (10,000 and counting) as soon as I start importing my stuff onto a virgin system. One relevant to this list is for dmail.

I don't really know what I'm doing here (yet). This is still the standard sendmail config calling procmail as local delivery; .procmailrc feeds "|dmail". I used chcon to set the attributes for dmail the same as procmail thinking that might help, but no. The mail is actually being delivered, though.

.. I just thought .. this is my old home partition using Reiserfs 3 on sdb10. According to some other error message I'd seen, an ISO volume (CDROM loopback) also has nfs type as it doesn't support the extended attributes. So maybe if I move my home directory to the new disk under ext3, and relabel it, the errors will go away. But it is quite common I think to have NFS-mounted home directories - certainly we do it at work on clustered machines - and I presume this would have the same problem.

Anyone done this before?
Any idea what setroubleshooter is talking about "getattr to /"? I could not find "getattr" in the source code, and if it's trying to access my mail folder, that's on /home not /


I also have a script ~/bin/nmail which procmail calls to write message headers to a pipe that lists incoming mail in a window. That fails totally. Maybe the same issues around my reiserfs partition.


  --

SELinux is preventing dmail (procmail_t) "getattr" to / (nfs_t).
SELinux denied access requested by dmail. It is not expected that this access is required by dmail and this access may signal an intrusion attempt.

Source Context:  system_u:system_r:procmail_t:s0
Target Context:  system_u:object_r:nfs_t:s0
Target Objects:  / [ filesystem ]
Source:  dmail
Source Path:  /usr/bin/dmail


denied { getattr } for pid=8337 comm="dmail" name="/" dev=sdb10 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem

  --

SELinux is preventing sh (procmail_t) "execute" to ./nmail (nfs_t).





--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw
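
Added example (not part of the original post, and not code from setroubleshoot or the SELinux project): a small Python parser for AVC denial lines like the one quoted in the message, which collapses repeated denials into counts per source type, target type, class and permission, and reports what object a `tclass=filesystem` denial refers to. The second sample line is constructed from the nmail summary in the post; its pid, dev and ino values are made up.

```python
import re
from collections import Counter

# "denied { perms } for key=value ..." part of an AVC record.
AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def describe_target(rec):
    """Say which object the denial is about, based on tclass."""
    if rec['tclass'] == 'filesystem':
        # For class "filesystem" the object is the mounted filesystem itself,
        # so name="/" is the root of the filesystem on dev, not the system /.
        return f"filesystem on {rec.get('dev', '?')}"
    return f"{rec['tclass']} {rec.get('name', '?')} on {rec.get('dev', '?')}"

def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts

SAMPLE = [
    # Line quoted in the post.
    'denied { getattr } for pid=8337 comm="dmail" name="/" dev=sdb10 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem',
    # Constructed line for the nmail denial (pid, dev and ino are made up).
    'denied { execute } for pid=8340 comm="sh" name="nmail" dev=sdb10 ino=1234 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file',
]

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
    print(describe_target(parse_avc(SAMPLE[0])))
```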