On 03/16/2010 05:37 PM, Paul Howarth wrote:
I think these are leaked file descriptors from spamass-milter, but the curious thing is, I don't see them when I run the milter in its normal configuration as a non-root user; they only appear when it's run as root (which I'm only doing to test a patch for a security vulnerability, and I have to do that in permissive mode too since SELinux makes the vulnerability very difficult to test ;-) )
type=AVC msg=audit(1268768820.019:35365): avc: denied { read write } for pid=4941 comm="spamc" name="1" dev=devpts ino=4 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1268768820.019:35365): arch=c000003e syscall=59 success=yes exit=0 a0=409fae a1=7f6c98000f70 a2=7fff2c255858 a3=7f6ca0ffa7c0 items=0 ppid=1368 pid=4941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3170 comm="spamc" exe="/usr/bin/spamc" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
Why would they only appear when the process that calls spamc is running as root?
Paul.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
I would figure there is some DAC permission that is preventing the access before SELinux gets involved. Like the terminal device is owned by root, so you are blocked when you are non-root.
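To make the AVC/SYSCALL pair above easier to read, here is a small parser, added as an illustration and not code from the thread, spamass-milter or the audit tools. It groups the two records by their shared audit serial, extracts the SELinux types and permissions, decodes the syscall number (the mapping is a three-entry table I filled in for x86_64, arch=c000003e, where 59 is execve), and flags the case seen in the post: a chr_file denial raised by execve itself, which means the descriptor was already open and was inherited across the domain transition rather than opened by spamc. The sample input is the two records from the post, re-joined onto one line each as they appear in /var/log/audit/audit.log.

```python
import re
from collections import defaultdict

# Constructed sample input: the two records quoted in the thread above, one per line.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1268768820.019:35365): avc: denied { read write } for pid=4941 '
    'comm="spamc" name="1" dev=devpts ino=4 '
    'scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 '
    'tclass=chr_file\n'
    'type=SYSCALL msg=audit(1268768820.019:35365): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=409fae a1=7f6c98000f70 a2=7fff2c255858 a3=7f6ca0ffa7c0 items=0 ppid=1368 pid=4941 '
    'auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3170 '
    'comm="spamc" exe="/usr/bin/spamc" subj=unconfined_u:system_r:spamc_t:s0 key=(null)\n'
)

HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
AVC_RE = re.compile(
    r'^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed minimal table, x86_64 only (arch=c000003e); extend from the kernel's syscall_64.tbl.
X86_64_SYSCALLS = {2: "open", 59: "execve", 257: "openat"}


def parse_record(line):
    """Parse one audit.log line into a dict of its key=value fields (None if not an audit record)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if a is None:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Group records by audit serial: an AVC and the SYSCALL that triggered it share one."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def selinux_type(context):
    """unconfined_u:system_r:spamc_t:s0 -> spamc_t (the component a policy rule names)."""
    return context.split(":")[2]


def summarize(records):
    """Reduce one event's AVC + SYSCALL records to the facts a reader wants to check."""
    avc = next((r for r in records if r["type"] == "AVC"), None)
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    if avc is None:
        return None
    out = {
        "comm": avc.get("comm"),
        "perms": avc["perms"],
        "source_type": selinux_type(avc["scontext"]),
        "target_type": selinux_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "target": avc.get("name"),          # name="1" with dev=devpts is /dev/pts/1
        "syscall": None, "uid": None, "success": None,
        "inherited_fd": False,
    }
    if sc is not None:
        num = int(sc["syscall"])
        known = X86_64_SYSCALLS if sc.get("arch") == "c000003e" else {}
        out["syscall"] = known.get(num, f"syscall_{num}")
        out["uid"] = int(sc["uid"])
        out["success"] = sc["success"] == "yes"
        # execve never opens a character device itself; a chr_file denial during execve
        # comes from SELinux re-checking descriptors the new domain inherits from its parent.
        out["inherited_fd"] = out["syscall"] == "execve" and out["tclass"] == "chr_file"
    return out


def audit2allow_rule(summary):
    """The allow rule audit2allow would print for this denial (to read the AVC, not to apply)."""
    return "allow {} {}:{} {{ {} }};".format(
        summary["source_type"], summary["target_type"],
        summary["tclass"], " ".join(summary["perms"]))


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE_AUDIT).items():
        s = summarize(recs)
        print(serial, s)
        print(audit2allow_rule(s))
```

The rule string is there to make the denial readable; for a leaked descriptor the right fix is in the parent (close the tty, or open it with O_CLOEXEC) rather than allowing spamc_t read/write on user_devpts_t, which would turn the leak into policy.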