From: Mike Edenfield
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Troubleshooting FIFO pipes with bad security contexts...
Date: Sat, 06 Aug 2011 18:40:09 -0400
Message-ID: <5256381.URYclHXeOG@platypus>
In-Reply-To: <20110806201239.GA10064@siphos.be>

On Saturday, August 06, 2011 10:12:39 PM Sven Vermeulen wrote:
> On Sat, Aug 06, 2011 at 12:50:46PM -0400, Mike Edenfield wrote:
> > I'm trying to chase down an AVC message coming from procmail. I'm having
> > a problem figuring out how to research, troubleshoot, or fix bad FIFO
> > pipe contexts.
> >
> > The AVC I get is:
> >
> > Aug 6 12:15:52 basement kernel: type=1400 audit(1312647352.712:9623):
> > avc: denied { write } for pid=9816 comm="procmail" path="pipe:[4235]"
> > dev=pipefs ino=4235 scontext=system_u:system_r:procmail_t
> > tcontext=system_u:system_r:postfix_master_t tclass=fifo_file
>
> Any idea what procmail is trying to do at this point?

Hm. Not offhand, and for some reason it seems to have stopped trying to do it.
The only connection I have between procmail and postfix is the usual:

main.cf:mailbox_command = /usr/bin/procmail -a "$EXTENSION"

I use procmail mostly for mailing list filtering but that appears to be
working fine without any AVCs, so I'm not sure where these came from. I'll
poke around some more and see if I can figure it out, but at least now I have
a better idea what the policy is supposed to be doing :)

--Mike
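
Added example, not part of the original message and not Gentoo or SELinux project code: a small Python parser that breaks the quoted AVC denial into its fields and prints the rule in the form audit2allow would emit for it. The function names are hypothetical and the sample is the denial from the thread, re-embedded with its mail line wrapping.

```python
import re

# Constructed sample: the denial quoted in the message, with the mail
# line wrapping left in place.
SAMPLE = """\
Aug 6 12:15:52 basement kernel: type=1400 audit(1312647352.712:9623):
avc: denied { write } for pid=9816 comm="procmail" path="pipe:[4235]"
dev=pipefs ino=4235 scontext=system_u:system_r:procmail_t
tcontext=system_u:system_r:postfix_master_t tclass=fifo_file
"""

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return a dict of fields from one AVC record, or None if none is found."""
    flat = " ".join(text.split())  # undo e-mail line wrapping
    m = AVC_RE.search(flat)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec

def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]

def as_allow_rule(rec):
    """Render the denial as 'allow source target:class perms;'."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (context_type(rec["scontext"]),
                                   context_type(rec["tcontext"]),
                                   rec["tclass"], perm_str)

def is_anonymous_pipe(rec):
    """True when the target is an unnamed pipe (pipefs inode, no file path)."""
    return rec.get("dev") == "pipefs" and rec.get("path", "").startswith("pipe:[")

if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(as_allow_rule(record))
    print("anonymous pipe:", is_anonymous_pipe(record))
```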