SELinux Issue?


I’ve recently built a new mail server with CentOS 6.5, and decided to bite the bullet and leave SELinux running. I’ve stumbled through making things work and am mostly there.

I’ve got my own spam and ham corpus as mbox files in /home/user/Mail/learned. These files came from my backup of the CentOS 5 server this machine is replacing.

The folder is owned by the user (the following is run as root):
ls -laF learned
drw-------. 6 user group 4096 Jun 10 03:35 ./
drw-------. 6 user group 35864 Jun 10 03:35 ../
drw-------. 6 user group 4096 Jun 10 03:35 2004/
-rw-------. 6 user group 155296 Jun 10 03:35 2014_10_Jun_learned_spam
-rw-------. 6 user group 996584 Jun 10 03:35 2014_10_Jun_learned_ham

Also as root:
ls -laZ learned
drw-------. 6 user group unconfined_u:object_r:mail_spool_t:s0 .
drw-------. 6 user group unconfined_u:object_r:mail_spool_t:s0 ..
drw-------. 6 user group unconfined_u:object_r:mail_spool_t:s0 2004
-rw-------. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_spam
-rw-------. 6 user group system_u:object_r:mail_spool_t:s0 2014_10_Jun_learned_ham

When I do the same as the user, I get this:
ls -laF learned
ls: cannot access learned/2004: Permission denied
ls: cannot access 2014_10_Jun_learned_spam: Permission denied
ls: cannot access 2014_10_Jun_learned_ham: Permission denied
total 0
d???????? ? ? ? ? ? ./
d???????? ? ? ? ? ? ../
d???????? ? ? ? ? ? 2004/
-???????? ? ? ? ? ? 2014_10_Jun_learned_spam
-???????? ? ? ? ? ? 2014_10_Jun_learned_ham

and this:
ls -laFZ learned
ls: cannot access learned/2004: Permission denied
ls: cannot access 2014_10_Jun_learned_spam: Permission denied
ls: cannot access 2014_10_Jun_learned_ham: Permission denied
total 0
d???????? ? ? ./
d???????? ? ? ../
d???????? ? ? 2004/
-???????? ? ? 2014_10_Jun_learned_spam
-???????? ? ? 2014_10_Jun_learned_ham

The user’s process to feed the spam and ham to spamassassin fails when trying to write to the directories, even though the files are owned by user:group.

What, precisely, is wrong here? I don’t get any AVC entries in /var/log/audit/audit.log, so I’m at a loss as to what to try next. Should this directory not be target mail_spool_t? Any guesses?

-chuck
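
An added example, not part of the original post: the root listing above shows `learned/` with owner bits `rw-` and no `x`, and a directory readable but not searchable by its owner produces exactly the `d????????` rows seen as the user. Mode bits (DAC) are checked before SELinux, so such a refusal logs no AVC; the script below separates the two cases. The function names `dir_dac_verdict`, `triage` and `demo` are hypothetical, GNU `stat` is assumed, and the directories are constructed in a temp dir.

```shell
#!/bin/sh
# Added example: decide whether mode bits alone explain a "Permission denied"
# on a directory before suspecting SELinux.

# dir_dac_verdict DIR -> prints the owner's access to DIR according to mode bits
#   no-search : no x bit. With r set, names can be read but stat() of each
#               entry fails, which ls renders as "d????????? ? ? ?".
#   no-read   : x but no r. Entries are reachable by name, listing fails.
#   ok        : r and x both set; mode bits do not explain a denial.
dir_dac_verdict() (
    dir=$1
    [ -d "$dir" ] || { echo "not-a-directory"; exit 0; }
    mode=$(stat -c '%a' "$dir")        # GNU stat: octal mode, e.g. 600 or 2755
    owner=$(( (0$mode >> 6) & 7 ))     # leading 0 makes it an octal constant
    if [ $(( owner & 1 )) -eq 0 ]; then echo "no-search"
    elif [ $(( owner & 4 )) -eq 0 ]; then echo "no-read"
    else echo "ok"
    fi
)

# triage DIR -> verdict plus the next step for the administrator
triage() {
    case $(dir_dac_verdict "$1") in
        no-search) echo "$1: DAC denial, owner lacks x (search): chmod u+x '$1'" ;;
        no-read)   echo "$1: DAC denial, owner lacks r (list): chmod u+r '$1'" ;;
        ok)        echo "$1: mode bits fine; next: ausearch -m avc -ts recent" ;;
        *)         echo "$1: not a directory" ;;
    esac
}

# Constructed sample: one directory with the same owner bits as the listing
# in the post (drw-------) and one with the search bit added.
demo() (
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/learned" "$tmp/fixed"
    chmod 600 "$tmp/learned"
    chmod 700 "$tmp/fixed"
    triage "$tmp/learned"
    triage "$tmp/fixed"
    chmod 700 "$tmp/learned"           # restore so cleanup works as non-root
    rm -rf "$tmp"
)
demo
```

If the verdict is `ok` and `ausearch` still shows nothing, `semodule -DB` temporarily disables dontaudit rules so that silenced denials are logged (`semodule -B` re-enables them).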
