Vadym Chepkov wrote:
I got an interesting denial which took me a bit to figure out.
type=AVC msg=audit(1232788787.310:1787): avc: denied { read } for pid=9836
comm="mail" path="/var/run/yum-cron.EHQJws" dev=dm-3 ino=77843
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file
It comes from yum-cron package. What happens is a script starts from cron and creates a
temporary file which inherits directory security context. Later it mails it using
redirection syntax:
"mail $MAILTO < $YUMTMP"
mailx transitions to system_mail_t and is denied read access to such a temporary file.
I don't think this is a unique script that has similar logic, and I suspect some other
directory needs to be used, but I didn't find any suitable one in sources/sendmail.fc, and
before I create a new type/directory I would like to know whether there is a more proper way
to handle cases like this?
Thank you.
Sincerely yours,
Vadym Chepkov
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a case where I believe we can use the open access.
I think a global saying tools like mailers could read ANY tmp file that
is handed to them, but cannot open any, would be OK.
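The following is an added example, not code from either poster, showing what the "read but not open" rule suggested above looks like as a loadable policy module for the AVC in the thread, together with the build and verification commands a policy author would run. The module name, the use of the refpolicy `tmpfile` attribute alongside the page's `rpm_var_run_t` type, and the assumption that `fd use` from the cron domain is already granted by the existing transition rules are all mine.

```shell
#!/bin/sh
# Added example (not from the thread): build a small SELinux policy module
# granting system_mail_t "read" on tmp-style files it inherits via stdin,
# without granting "open", then verify what was actually loaded.
# Module name and the tmpfile/rpm_var_run_t target set are assumptions.
set -eu

# Write the .te source for the module to the path given as $1.
write_mail_inherited_policy() {
    cat > "$1" <<'EOF'
policy_module(mail_inherited_fd, 1.0)

require {
    type system_mail_t;
    type rpm_var_run_t;
    attribute tmpfile;
}

# "mail $MAILTO < $YUMTMP" hands the mailer an already-open descriptor.
# Reading from an inherited descriptor is checked only against "read";
# open() additionally needs "open", which this rule deliberately omits,
# so system_mail_t still cannot open such files on its own.
# rpm_var_run_t is listed explicitly because the file in the AVC lives
# under /var/run and is not a tmpfile type. The cron domain's fd:use
# permission is assumed to be granted already by the transition rules.
allow system_mail_t { tmpfile rpm_var_run_t }:file read;
EOF
}

# Compile, package and load the module (needs selinux-policy-devel,
# checkpolicy and policycoreutils, run as root).
install_module() {
    dir=$1
    write_mail_inherited_policy "$dir/mail_inherited_fd.te"
    make -C "$dir" -f /usr/share/selinux/devel/Makefile mail_inherited_fd.pp
    semodule -i "$dir/mail_inherited_fd.pp"
}

# Confirm the loaded rule grants read on rpm_var_run_t and nothing more;
# the output must not list "open".
verify_module() {
    sesearch -A -s system_mail_t -t rpm_var_run_t -c file
}
```

Run `install_module /tmp/mailpolicy` on a host where the denial reproduces, then `verify_module` to check that only `read` was granted.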