Spamassassin / GPG Problem

Arthur Dent misc.lists at blueyonder.co.uk
Wed Nov 2 13:23:17 UTC 2011


Hello all,

I use Spamassassin on my server. It regularly downloads updated signatures
and checks the download using GPG. Since I upgraded to
selinux-policy-targeted-3.9.16-44.fc15.noarch this week I have been
getting errors reported by Spamassassin:

========8<==============================================================
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
02-Nov-2011 06:05:06: SpamAssassin: Update available, but download or
extract failed
========8<==============================================================

I also get an SELinux AVC (full details below).

What is the best way to deal with this?

Thanks in advance...

Mark

========8<==============================================================
SELinux is preventing /usr/bin/gpg from read access on the file
.spamassassin12765zsyG6Ftmp.

*****  Plugin catchall (100. confidence) suggests ***************************

If you believe that gpg should be allowed read access on the
.spamassassin12765zsyG6Ftmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gpg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gpg_t:s0-s0:c0.c1023
Target Context                system_u:object_r:spamd_tmp_t:s0
Target Objects                .spamassassin12765zsyG6Ftmp [ file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          mydomain.org.uk
Source RPM Packages           gnupg-1.4.11-3.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     troodos.org.uk
Platform                      Linux mydomain.org.uk 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue Oct 4 00:44:38 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon Oct 31 05:22:55 2011
Last Seen                     Wed Nov  2 06:05:06 2011
Local ID                      bb4e6159-04a3-4e8c-b5f5-f41c0ff80d56

Raw Audit Messages
type=AVC msg=audit(1320213906.154:7990): avc:  denied  { read } for  pid=12766 comm="gpg" name=".spamassassin12765zsyG6Ftmp" dev=sda5 ino=1058383 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1320213906.154:7990): arch=i386 syscall=open success=no exit=EACCES a0=bfe78f49 a1=8000 a2=0 a3=bfe78f49 items=0 ppid=12765 pid=12766 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1070 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)

Hash: gpg,gpg_t,spamd_tmp_t,file,read

audit2allow

#============= gpg_t ==============
allow gpg_t spamd_tmp_t:file read;

audit2allow -R

#============= gpg_t ==============
allow gpg_t spamd_tmp_t:file read;
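
The report above suggests piping `grep gpg` output into `audit2allow -M mypol`, which turns every matching denial into an allow rule. The following is an added example, not part of the original post and not the audit2allow implementation: a small Python reducer that shows which rules a set of AVC records would produce, so a local module can be reviewed and narrowed to one target type before `semodule -i`. The first sample record is the one from the post; the second record and the type `example_t` are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the AVC from the report above, on one line.
# Second record: CONSTRUCTED (example_t is hypothetical). It shows how an
# unrelated gpg denial is swept in when the log is filtered with "grep gpg".
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1320213906.154:7990): avc:  denied  { read } for  '
    'pid=12766 comm="gpg" name=".spamassassin12765zsyG6Ftmp" dev=sda5 '
    'ino=1058383 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file\n'
    'type=AVC msg=audit(1320213999.001:8001): avc:  denied  { getattr open } '
    'for  pid=13001 comm="gpg" name="example" dev=sda5 ino=42 '
    'scontext=system_u:system_r:gpg_t:s0 '
    'tcontext=system_u:object_r:example_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)'
)

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (se_type(m['s']), se_type(m['t']), m['c'])
        denials[key].update(m['perms'].split())
    return dict(denials)

def to_rules(denials, target=None):
    """Render allow rules; if target is given, keep only that target type."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        if target is not None and tgt != target:
            continue
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(to_rules(parse_denials(SAMPLE_AUDIT))))
    print('-- narrowed to spamd_tmp_t --')
    print('\n'.join(to_rules(parse_denials(SAMPLE_AUDIT), 'spamd_tmp_t')))
```
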







