SELinux is preventing pyzor from getattr access on the file /usr/bin/rpm

Daniel J Walsh dwalsh at redhat.com
Wed Sep 2 21:10:03 UTC 2015


abrt must have been executed under the pyzor context.  All SELinux is
reporting is what the kernel sees.

On 09/02/2015 12:46 PM, Tom Rivers wrote:
> On 9/1/2015 09:07, Tom Rivers wrote:
>> I will continue to monitor the logs to see if anything else occurs.
>
> After some additional debug work, I managed to determine that the
> source of the problem was the incorrect ownership of the file
> /var/lib/spamass-milter/.pyzor/servers.  It was not owned by the user
> under which pyzor executes and once it was properly adjusted the error
> messages stopped.
>
> The more interesting piece of this puzzle, however, is the way in
> which SELinux is supposedly involved.  According to one of the people
> helping me on the pyzor end of this, it isn't pyzor that is trying to
> access /usr/bin/rpm: he says it's abrt that is truly to blame.  Here
> is what he posted:
>
> "I did some digging and have an explanation for the selinux/rpm thing.
> The issue is that pyzor is backtracing /and/ Tom has abrt installed
> and running. abrt logs and optionally auto-files bugs whenever (among
> other things) a distro-installed python application backtraces. It
> calls rpm to see to which package the backtracing script belongs
> in order to classify it properly. This kind of doesn't work well for
> confined applications, but that's definitely not pyzor's bug."
>
> If that is the case, then my question is this: why is SELinux blaming
> pyzor for something abrt is doing?
>
>
> Tom
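An added example, not part of the original thread: a small parser for an AVC audit record, showing that a denial is attributed by the security context of the process the kernel saw (`scontext`) and its `comm`, not by which program's logic asked for the access. The sample record is constructed, and the type names `pyzor_t` and `rpm_exec_t`, the pid, inode and timestamp in it are assumptions.

```python
import re

# Constructed sample record (not taken from the thread); the type names
# pyzor_t and rpm_exec_t, pid, inode and timestamp are assumptions.
SAMPLE_AVC = (
    'type=AVC msg=audit(1441212603.123:456): avc:  denied  { getattr } for  '
    'pid=1234 comm="pyzor" path="/usr/bin/rpm" dev="dm-0" ino=12345 '
    'scontext=system_u:system_r:pyzor_t:s0 '
    'tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file'
)

_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit record into result, permissions and key=value fields."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    # Only fields after the permission set describe the access itself.
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line[m.end():])}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def context_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def describe(rec):
    """Summarize who the kernel saw (source domain) and what it touched."""
    return {
        "source_domain": context_type(rec["scontext"]),
        "reported_comm": rec["comm"],
        "target_type": context_type(rec["tcontext"]),
        "target_path": rec.get("path"),
        "perms": rec["perms"],
        "tclass": rec["tclass"],
    }


if __name__ == "__main__":
    for key, value in describe(parse_avc(SAMPLE_AVC)).items():
        print(f"{key:14} {value}")
```

Code that runs inside a confined process, or is started from it without a domain transition, keeps that process's domain, so its accesses are logged against that domain.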