| Summary: | /var/qmail/supervise directories should be owned by root (qmail-1.03-r15) | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Andy Dustman <farcepest> |
| Component: | Current packages | Assignee: | Net-Mail Packages <net-mail+disabled> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | kaiowas |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | qmail ebuild diff | | |

Description
Andy Dustman
2004-11-17 10:40:46 UTC
your avc_deny message means that a DAC permission has been overridden. this happens for instance when your domain receives a 'permission denied' on an action due to wrong unix permissions on a file or directory. in most cases this means that something is wrong with your setup. in your case it might be qmail's setup.

1. with your temporary fix in your policy check if all your svc services started on that machine (/service/* and /service/*/log) actually run, and are not respawned indefinitely due to a wrong permission, missing user or whatever.
2. remove that dac_override from the daemontools.te and try to pinpoint exactly which service triggers it and try to find out why (strace if needed).

if you have found a service at step 1 that did not work correctly then you must fix that, and the dac_override will not be needed.

There is only one service, and that is qmail-send. /service/qmail-send is a symbolic link to /var/qmail/supervise/qmail-send:

drwxr-xr-x qmaill root system_u:object_r:svc_svc_t /var/qmail/supervise/qmail-send

I reverted and reloaded the policy, and changed the ownership to root, and it seems to work. I guess the problem then is that this directory is installed by qmail-1.03-r15 with the "wrong" ownership. The same applies for its log subdirectory, and all the other qmail services in /var/qmail/supervise. There's no reason for these directories to be owned by qmaill, and in fact this is probably an error, and root ownership should not affect non-SELinux installations.

Should we just reclassify this as a qmail ebuild bug?

Created attachment 44220
qmail ebuild diff

creating those dirs with qmaill is definitely a bug that came up in qmail-1.03-r15. attached is a trivial diff to that ebuild that makes sure that dirs in /var/qmail/supervise will be owned by root. thanks Andy for the help.

Fixed in qmail-1.03-r15 and -r16. Thanks for reporting!
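
An added example, not part of the original report or the ebuild: a small audit that lists every service directory and `log` subdirectory under a supervise tree whose owner is not the expected uid (root by default), which is the condition this bug describes. The function name `audit_supervise` is hypothetical, GNU `stat` is assumed, and deeper directories such as `log/main` are deliberately not checked because the report does not cover them.

```shell
#!/bin/sh
# Added example: audit ownership of daemontools service directories.
# Usage: audit_supervise [ROOT] [UID]
#   ROOT defaults to /var/qmail/supervise, UID defaults to 0 (root).
# Prints "owner-uid path" for each directory not owned by UID.
# Returns 0 if everything matches, 1 if any mismatch, 2 on usage or stat errors.
audit_supervise() {
    root=${1:-/var/qmail/supervise}
    want_uid=${2:-0}

    if [ ! -d "$root" ]; then
        echo "audit_supervise: not a directory: $root" >&2
        return 2
    fi

    rc=0
    # Check each service directory and its log subdirectory only.
    for d in "$root"/* "$root"/*/log; do
        # Skip unmatched globs and anything that is not a directory.
        [ -d "$d" ] || continue
        # -L follows symlinks such as /service/qmail-send (assumes GNU stat).
        owner=$(stat -L -c %u "$d") || return 2
        if [ "$owner" != "$want_uid" ]; then
            printf '%s %s\n' "$owner" "$d"
            rc=1
        fi
    done
    return $rc
}
```

Running `audit_supervise /var/qmail/supervise` on an affected install would list the directories that still need to be changed to root ownership.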