SEL & Spamassassin

Daniel J Walsh dwalsh at redhat.com
Thu Sep 22 15:11:03 UTC 2011



On 09/22/2011 09:58 AM, Paul Howarth wrote:
> On 06/11/2011 02:57 PM, Dominick Grift wrote:
>> 
>> 
>> On Sat, 2011-06-11 at 14:55 +0100, Arthur Dent wrote:
>> 
>>>> 
>>>>> Anyway, the above AVC looked strange and I didn't want to
>>>>> create a local policy module for it until I had checked
>>>>> with the chaps here...
>>>> 
>>>> This does not look particularly strange. The pipe is probably
>>>> created by systemd.
>>> 
>>> So, should I create a policy module to allow it?
>>> 
>> 
>> Did you notice any loss of functionality? Anyways I do not see a
>> problem with allowing it.
> 
> I'm getting this when I restart opendkim on F-15:
> 
> type=AVC msg=audit(1316699607.377:150425): avc:  denied  { read }
> for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs
> ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0
>  tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
> 
> type=AVC msg=audit(1316699607.377:150425): avc:  denied  { open }
> for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs
> ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0
>  tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
> 
> type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e
> syscall=2 success=yes exit=3 a0=14c60a0 a1=80900
> a2=fffffffffffffed0 a3=7ffffdee5c80 items=1 ppid=4150 pid=4151
> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=9220 comm="systemd-tty-ask"
> exe="/bin/systemd-tty-ask-password-agent" 
> subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
> 
> type=CWD msg=audit(1316699607.377:150425):  cwd="/"
> 
> type=PATH msg=audit(1316699607.377:150425): item=0 
> name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12
>  mode=010600 ouid=0 ogid=0 rdev=00:00 
> obj=unconfined_u:object_r:init_var_run_t:s0
> 
> I don't know what's happening here and it doesn't appear to affect
> the operation of opendkim, so I'm tempted to dontaudit it rather
> than allow it. But what is it actually trying to do?
> 
> Paul.


This is allowed in F16/Rawhide policy. Looks like systemd
functionality is being backported into F15 and selinux-policy has to
adapt.


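Added example, not part of the original message and not the code of any SELinux tool: Python that groups the audit records quoted above by event ID and renders the denial as a candidate allow or dontaudit rule, the two options raised in the thread. The function names are illustrative, and the sample input is the quoted records (CWD omitted) unwrapped to one line each.

```python
import re
from collections import defaultdict

# The records quoted in the message above (CWD omitted), one per line.
SAMPLE = """\
type=AVC msg=audit(1316699607.377:150425): avc:  denied  { read } for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1316699607.377:150425): avc:  denied  { open } for pid=4151 comm="systemd-tty-ask" name="136:0" dev=tmpfs ino=209876 scontext=unconfined_u:system_r:systemd_passwd_agent_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1316699607.377:150425): arch=c000003e syscall=2 success=yes exit=3 a0=14c60a0 a1=80900 a2=fffffffffffffed0 a3=7ffffdee5c80 items=1 ppid=4150 pid=4151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=9220 comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" subj=unconfined_u:system_r:systemd_passwd_agent_t:s0 key=(null)
type=PATH msg=audit(1316699607.377:150425): item=0 name="/run/systemd/ask-password-block/136:0" inode=209876 dev=00:12 mode=010600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:init_var_run_t:s0
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def se_type(context):
    """A context is user:role:type[:level]; policy rules use only the type."""
    return context.split(":")[2]

def parse(log_text):
    """Group records by audit event ID so each AVC gains its exe and path."""
    events = defaultdict(
        lambda: {"denials": defaultdict(set), "exe": None, "path": None})
    for line in log_text.splitlines():
        head = EVENT_RE.match(line)
        if not head:
            continue
        rtype, ev = head[1], events[head[2]]
        if rtype == "AVC" and (m := AVC_RE.search(line)):
            key = (se_type(m[2]), se_type(m[3]), m[4])
            ev["denials"][key].update(m[1].split())
        elif rtype == "SYSCALL" and (m := re.search(r'\bexe="([^"]+)"', line)):
            ev["exe"] = m[1]
        elif rtype == "PATH" and (m := re.search(r'\bname="([^"]+)"', line)):
            ev["path"] = m[1]
    return {eid: ev for eid, ev in events.items() if ev["denials"]}

def rules(event, keyword="allow"):
    """Render one rule per (source, target, class); keyword may be dontaudit."""
    out = []
    for (src, tgt, cls), perms in sorted(event["denials"].items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"{keyword} {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    for eid, ev in parse(SAMPLE).items():
        print(eid, ev["exe"], "->", ev["path"])
        print("\n".join(rules(ev) + rules(ev, "dontaudit")))
```

Joining on the event ID ties the two AVC records to the PATH record, so the denied FIFO is identified by its full path under /run/systemd/ask-password-block/ rather than only by name="136:0".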

