https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187974
Summary: selinux denials of spamd reading files
Product: Fedora Core
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: spamassassin
AssignedTo: wtogami@redhat.com
ReportedBy: dbaron@dbaron.org
CC: fedora-perl-devel-list@redhat.com, felicity@kluge.net, jm@jmason.org, parkerm@pobox.com, rcoker@redhat.com, reg+redhat@sidney.com, wtogami@redhat.com
Description of problem:
With the recent selinux and spamassassin updates to FC5 (which I picked up at the same time last week), there have started to be selinux denials of spamd, three at a time, when spamd starts:
type=AVC msg=audit(1144179464.345:5): avc: denied { search } for pid=1768 comm="spamd" name="lib" dev=hda3 ino=423490 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1144179464.345:5): arch=40000003 syscall=195 success=no exit=-13 a0=97843b0 a1=93dd0c8 a2=9bfff4 a3=97843b0 items=1 pid=1768 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=CWD msg=audit(1144179464.345:5): cwd="/"
type=PATH msg=audit(1144179464.345:5): item=0 name="/var/lib/spamassassin/3.001001" flags=1

type=AVC msg=audit(1144179464.753:6): avc: denied { search } for pid=1768 comm="spamd" name="lib" dev=hda3 ino=423490 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1144179464.753:6): arch=40000003 syscall=195 success=no exit=-13 a0=97843b0 a1=93dd0c8 a2=9bfff4 a3=97843b0 items=1 pid=1768 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=CWD msg=audit(1144179464.753:6): cwd="/"
type=PATH msg=audit(1144179464.753:6): item=0 name="/var/lib/spamassassin/3.001001/languages" flags=101

type=AVC msg=audit(1144179466.234:7): avc: denied { search } for pid=1768 comm="spamd" name="lib" dev=hda3 ino=423490 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1144179466.234:7): arch=40000003 syscall=195 success=no exit=-13 a0=97843b0 a1=93dd0c8 a2=9bfff4 a3=97843b0 items=1 pid=1768 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=CWD msg=audit(1144179466.234:7): cwd="/"
type=PATH msg=audit(1144179466.234:7): item=0 name="/var/lib/spamassassin/3.001001/triplets.txt" flags=1
I'm not sure what this affects, but having selinux prevent spamd from doing things seems like it could break something.
Version-Release number of selected component (if applicable):
spamassassin-3.1.1-1.fc5
selinux-policy-2.2.25-3.fc5
selinux-policy-targeted-2.2.25-3.fc5
How reproducible: Always (when spamd starts/restarts).
Steps to Reproduce:
1. tail -f /var/log/audit.log
2. /sbin/service spamassassin restart
Actual results: selinux denials
Expected results: no selinux denials
Additional information: As a note, the directory /var/lib/spamassassin/ does not exist. And the files in question live in /usr/share/spamassassin/ ... which is why I'm filing this as a bug on spamassassin rather than selinux-policy-targeted.
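An added example, not part of the original report: a short Python parser that groups audit records by their audit(timestamp:serial) event ID and pairs each AVC denial with the PATH record from the same event, so the denied `search` on `lib` can be read next to the path spamd was actually requesting. The sample holds the AVC and PATH records from the report; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and PATH records from the report above
# (SYSCALL and CWD records omitted for brevity).
SAMPLE = '''\
type=AVC msg=audit(1144179464.345:5): avc: denied { search } for pid=1768 comm="spamd" name="lib" dev=hda3 ino=423490 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=PATH msg=audit(1144179464.345:5): item=0 name="/var/lib/spamassassin/3.001001" flags=1
type=AVC msg=audit(1144179464.753:6): avc: denied { search } for pid=1768 comm="spamd" name="lib" dev=hda3 ino=423490 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=PATH msg=audit(1144179464.753:6): item=0 name="/var/lib/spamassassin/3.001001/languages" flags=101
type=AVC msg=audit(1144179466.234:7): avc: denied { search } for pid=1768 comm="spamd" name="lib" dev=hda3 ino=423490 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=PATH msg=audit(1144179466.234:7): item=0 name="/var/lib/spamassassin/3.001001/triplets.txt" flags=1
'''

RECORD = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Parse key=value pairs, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def correlate(log):
    """Group records by event ID; return one dict per AVC denial."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            events[(float(ts), int(serial))][rtype].append(body)
    denials = []
    for key in sorted(events):
        recs = events[key]
        paths = [fields(p).get("name") for p in recs["PATH"]]
        for body in recs["AVC"]:
            m = AVC.match(body)
            if not m:
                continue
            f = fields(m.group(2))
            denials.append({
                "serial": key[1],
                "perms": m.group(1).split(),
                "comm": f["comm"],
                "source_type": f["scontext"].split(":")[2],
                "target_type": f["tcontext"].split(":")[2],
                "denied_on": f["name"],
                "paths": paths,
            })
    return denials
```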