Hi,
It seems for some reason selinux-targeted policy on Fedora doesn't install razor policy and, furthermore, removes it if razor module was installed. I guess it is done for simplicity, to have just one "spam" domain. But, somehow the proper labeling was forgotten:
selinux-policy-targeted-3.9.7-18.fc14.noarch
# ls -Z /usr/bin/razor-*
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-admin
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-check
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-client
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-report
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-revoke
# ls -dZ /home/vchepkov/.razor
drwxr-xr-x. vchepkov users unconfined_u:object_r:user_home_t:s0 /home/vchepkov/.razor
# ls -dZ /root/.razor
drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 /root/.razor
Vadym
P.S. On a related note, how do $HOME files get their labeling?
# semanage fcontext -l|grep pyzor
has reference only to
/root/.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
but, directory gets proper labeling:
# ls -dZ /home/vchepkov/.pyzor
drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
On Dec 24, 2010, at 12:01 PM, Vadym Chepkov wrote:
> Hi,
> It seems for some reason selinux-targeted policy on Fedora doesn't install razor policy and, furthermore, removes it if razor module was installed. I guess it is done for simplicity, to have just one "spam" domain. But, somehow the proper labeling was forgotten:
> selinux-policy-targeted-3.9.7-18.fc14.noarch
> # ls -Z /usr/bin/razor-*
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-admin
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-check
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-client
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-report
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/razor-revoke
> # ls -dZ /home/vchepkov/.razor
> drwxr-xr-x. vchepkov users unconfined_u:object_r:user_home_t:s0 /home/vchepkov/.razor
> # ls -dZ /root/.razor
> drwxr-xr-x. root root system_u:object_r:admin_home_t:s0 /root/.razor
> Vadym
> P.S. On a related note, how do $HOME files get their labeling?
> # semanage fcontext -l|grep pyzor
> has reference only to
> /root/.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
> but, directory gets proper labeling:
> # ls -dZ /home/vchepkov/.pyzor
> drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
I wonder if e-mail got lost.
Shall I just open a bugzilla about it?
Thanks, Vadym
On 12/28/2010 09:31 PM, Vadym Chepkov wrote:
> I wonder if e-mail got lost.
I think I replied to this message earlier. So for me it was not lost.
> Shall I just open a bugzilla about it?
Yes, I think that may be the best solution (bugzilla.redhat.com in the selinux-policy component).
Looks like somehow Fedora has not installed the pyzor/razor policy module or did it wrong.
> Thanks, Vadym
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 12/28/2010 09:35 PM, Dominick Grift wrote:
On 12/28/2010 09:31 PM, Vadym Chepkov wrote:
On Dec 24, 2010, at 12:01 PM, Vadym Chepkov wrote:
> > > P.S. On a related note, how do $HOME files get their labeling?
It depends. When all is right, then files in home get created with the proper contexts by means of "type transitions", basically rules.
Example:
If a process with type pyzor_t creates a file in a directory with type user_home_dir_t, then "type transition" from user_home_dir_t to pyzor_home_t.
But in gnome-session there is also restorecond -u watching contexts in home.
Basically it compares contexts in home with what's defined in semanage fcontext (or homedir.template) and resets contexts accordingly. (This is some hack to ensure that user home dir content is labelled properly.)
On Dec 28, 2010, at 3:40 PM, Dominick Grift wrote:
On 12/28/2010 09:35 PM, Dominick Grift wrote:
On 12/28/2010 09:31 PM, Vadym Chepkov wrote:
On Dec 24, 2010, at 12:01 PM, Vadym Chepkov wrote:
> > > > P.S. On a related note, how do $HOME files get their labeling?
> It depends. When all is right, then files in home get created with the proper contexts by means of "type transitions", basically rules.
> Example:
> If a process with type pyzor_t creates a file in a directory with type user_home_dir_t, then "type transition" from user_home_dir_t to pyzor_home_t.
> But in gnome-session there is also restorecond -u watching contexts in home.
> Basically it compares contexts in home with what's defined in semanage fcontext (or homedir.template) and resets contexts accordingly. (This is some hack to ensure that user home dir content is labelled properly.)
That was my question, how do you define it in semanage fcontext? I see explicit references to /root/ home, but what about users' home? Some sort of keyword/macro?
> > > > # semanage fcontext -l|grep pyzor
> > > > has reference only to
> > > > /root/.pyzor(/.*)? all files system_u:object_r:pyzor_home_t:s0
> > > > but, directory gets proper labeling:
> > > > # ls -dZ /home/vchepkov/.pyzor
> > > > drwx------. vchepkov users unconfined_u:object_r:spamc_home_t:s0 /home/vchepkov/.pyzor
> > > I wonder if e-mail got lost.
> > I think I replied to this message earlier. So for me it was not lost.
Anti-spam filters kill useful stuff too nowadays :(
> > > Shall I just open a bugzilla about it?
> > Yes, I think that may be the best solution (bugzilla.redhat.com in the selinux-policy component).
Will do, thanks.
> > Looks like somehow Fedora has not installed the pyzor/razor policy module or did it wrong.
It seems it was deliberate:
rpm -q --changelog selinux-policy-targeted
* Fri Jul 25 2008 Dan Walsh dwalsh@redhat.com 3.5.1-4
- Consolodate pyzor,spamassassin, razor into one security domain
But it was partially reversed:
* Thu Nov 18 2010 Miroslav Grepl mgrepl@redhat.com 3.9.7-12
- Turn on pyzor policy
> > > Thanks, Vadym
> That was my question, how do you define it in semanage fcontext? I see explicit references to /root/ home, but what about users home? Some sort of keyword/macro?
I can see this in pyzor.fc
HOME_DIR/.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
But you won't find anything like this in semanage fcontext -l output. A bug?
On 12/28/2010 11:29 PM, Vadym Chepkov wrote:
> I can see this in pyzor.fc
> HOME_DIR/.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> HOME_DIR/.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> But you won't find anything like this in semanage fcontext -l output. A bug?
No, home directory contexts are handled a bit differently. There's a file in /etc/selinux/*/contexts.* called homedir.contexts (or similar) with home directory contexts instead, which gets recreated each time you build the policy. I think it's a relic of the past when we used user role prefix to prefix our user home types. Nowadays it's useful for user-based access control, I guess.
On 12/29/2010 07:00 AM, Dominick Grift wrote:
On 12/28/2010 11:29 PM, Vadym Chepkov wrote:
> > I can see this in pyzor.fc
> > HOME_DIR/.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> > HOME_DIR/.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
> > But you won't find anything like this in semanage fcontext -l output. A bug?
> No, home directory contexts are handled a bit differently. There's a file in /etc/selinux/*/contexts.* called homedir.contexts (or similar) with home directory contexts instead, which gets recreated each time you build the policy. I think it's a relic of the past when we used user role prefix to prefix our user home types. Nowadays it's useful for user-based access control, I guess.
Razor and pyzor policies should be back into Fedora with the next policy update.
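
The HOME_DIR handling discussed in this thread, as an added example that is not code from any poster or from the SELinux project: a Python model of how the HOME_DIR lines quoted from pyzor.fc turn into per-home-root specs kept apart from the static entry the thread found with semanage fcontext -l. The function names, the /home/[^/]+ expansion, the unconfined_u substitution and first-match lookup are assumptions of this model.

```python
import re

# pyzor.fc lines as quoted in the thread.
PYZOR_FC = """
HOME_DIR/.pyzor(/.*)?  gen_context(system_u:object_r:pyzor_home_t,s0)
HOME_DIR/.spamd(/.*)?  gen_context(system_u:object_r:pyzor_home_t,s0)
"""
# The one pyzor entry the thread found with `semanage fcontext -l`.
STATIC_SPECS = [("/root/.pyzor(/.*)?", "system_u:object_r:pyzor_home_t:s0")]

GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")

def parse_fc(text):
    """Return (path_regex, context) pairs, expanding gen_context(ctx,level)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, field = line.split(None, 1)
        m = GEN_CONTEXT.fullmatch(field.strip())
        if m is None:
            raise ValueError(f"unsupported context field: {field!r}")
        specs.append((path, f"{m.group(1)}:{m.group(2)}"))
    return specs

def expand_homedirs(specs, home_root="/home", seuser="unconfined_u"):
    """Assumed model of the policy build step: HOME_DIR becomes a regex for
    any directory directly under home_root and the SELinux user is swapped."""
    out = []
    for path, ctx in specs:
        if path.startswith("HOME_DIR"):
            regex = home_root + "/[^/]+" + path[len("HOME_DIR"):]
            out.append((regex, seuser + ctx[ctx.index(":"):]))
    return out

def lookup(path, specs):
    """Context of the first spec whose regex matches the whole path, or None."""
    for regex, ctx in specs:
        if re.fullmatch(regex, path):
            return ctx
    return None

HOMEDIR_SPECS = expand_homedirs(parse_fc(PYZOR_FC))

if __name__ == "__main__":
    for p in ("/root/.pyzor", "/home/vchepkov/.pyzor/servers", "/home/vchepkov/.razor"):
        print(p, "| static:", lookup(p, STATIC_SPECS), "| homedirs:", lookup(p, HOMEDIR_SPECS))
```
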