SEL & Spamassassin

Arthur Dent misc.lists at blueyonder.co.uk
Sat Jun 11 13:40:46 UTC 2011


Hello All,

I have just upgraded (clean install) from F13 to F15 and installed
spamassassin via yum.

At the same time I also installed the plugins Pyzor, Razor and iXhash.

In Permissive mode something in those triggers a strange AVC:

SELinux is preventing /bin/systemd-tty-ask-password-agent from read access on the fifo_file 136:0.

Here is the detail:

Raw Audit Messages
type=AVC msg=audit(1307797576.537:29628): avc:  denied  { read } for  pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=AVC msg=audit(1307797576.537:29628): avc:  denied  { open } for  pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1307797576.537:29628): arch=i386 syscall=open success=yes exit=ESRCH a0=8ca9080 a1=88900 a2=0 a3=bf8fba54 items=0 ppid=10470 pid=10471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,init_var_run_t,fifo_file,read

audit2allow

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };

audit2allow -R

#============= systemd_passwd_agent_t ==============
allow systemd_passwd_agent_t init_var_run_t:fifo_file { read open };


The other slightly odd thing is that when I place the system back into
Enforcing mode I get no AVCs, but some of the Spamassassin checks
(especially iXhash I think) don't seem to be run, but give no errors.

Anyway, the above AVC looked strange and I didn't want to create a local
policy module for it until I had checked with the chaps here...

Thanks in advance for any advice or suggestions...

Mark
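
Added example, not part of the original message: a small Python parser that groups the AVC records quoted above into the same allow-rule form audit2allow prints, and uses the SYSCALL record with the same audit event id to show the access was logged but not blocked (success=yes, as expected in Permissive mode). The names summarize and setype are hypothetical, and the SYSCALL sample line is trimmed to the fields the code reads.

```python
import re
from collections import defaultdict

# Sample input: the AVC records from the post, plus its SYSCALL record trimmed to the fields used.
SAMPLE = """\
type=AVC msg=audit(1307797576.537:29628): avc:  denied  { read } for  pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1307797576.537:29628): avc:  denied  { open } for  pid=10471 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=282609 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1307797576.537:29628): arch=i386 syscall=open success=yes exit=ESRCH pid=10471 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[^)]+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[^)]+)\):.*?\bsuccess=(?P<success>\w+)')

def setype(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Return [(allow_rule, logged_but_not_blocked)] for the AVC denials in log_text."""
    perms = defaultdict(dict)   # (source type, target type, class) -> perms, first-seen order
    events = defaultdict(set)   # same key -> audit event ids that carried the denial
    success = {}                # audit event id -> success= value of its SYSCALL record
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (setype(m["scon"]), setype(m["tcon"]), m["tclass"])
            perms[key].update(dict.fromkeys(m["perms"].split()))
            events[key].add(m["event"])
            continue
        m = SYSCALL_RE.search(line)
        if m:
            success[m["event"]] = m["success"]
    results = []
    for key in sorted(perms):
        src, tgt, cls = key
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(perms[key])} }};"
        # A denial whose syscall still reports success=yes was not enforced.
        not_blocked = any(success.get(e) == "yes" for e in events[key])
        results.append((rule, not_blocked))
    return results

if __name__ == "__main__":
    for rule, not_blocked in summarize(SAMPLE):
        print(rule, "(logged only, access went through)" if not_blocked else "(blocked)")
```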
