Logrotate on mounted partition

Arthur Dent misc.lists at blueyonder.co.uk
Tue Aug 18 10:39:07 UTC 2009 

On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:

[snip]

> > 
> > Just to add to my own mail...
> > 
> > I employed the above policy module, everything seemed OK so (as this
> > seemed to be the last of the problems since upgrading) I switched to
> > enforcing mode.
> > 
> > Since doing so I have received no AVCs but I am finding these in my
> > maillog:
> > 
> > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > 
> > Temporarily switching back with setenforce 0 stops them so it is selinux
> > related...
> > 
> > 
> > Also, I get these dovecot messages (although I haven't investigated
> > fully if they are selinux related...
> > **Unmatched Entries**
> >     dovecot: IMAP(wife): fchown() failed with
> > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 1 Time(s)
> >     dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > permitted: 1 Time(s)
> >     dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > permitted: 1 Time(s)
> >     dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 3 Time(s)
> >  
> > 
> > But still no AVCs
> > 
> > Any ideas?
> Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> To reload policy with the silenced denials: semodule -B.
> 
> Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)

OK - since semodule -DB getting flooded with AVCs...

Here are some that are related to this problem...

cat /var/log/audit/audit.log | grep -i procmail
....
type=AVC msg=audit(1250591203.244:43494): avc:  denied  { rlimitinh }
for  pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1250591203.244:43494): avc:  denied  { siginh } for
pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1250591203.244:43494): avc:  denied  { noatsecure }
for  pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11
success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0
ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1250591203.418:43495): avc:  denied  { search } for
pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196
success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0
ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)

This still with setenforce 0

Any ideas?

Thanks for your help!...

Mark

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090818/658359ee/attachment.sig>

More information about the fedora-selinux-list mailing list