Bug 425958
Summary: | spamass-milter generates AVC errors | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Steven Stern <subscribed-lists> |
Component: | selinux-policy-targeted | Assignee: | Paul Howarth <paul> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 8 | CC: | esteban.xandri |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | 3.0.8-81.fc8 | Doc Type: | Bug Fix |
Last Closed: | 2008-01-29 09:03:43 UTC | Type: | --- |
Description
Steven Stern
2007-12-17 13:21:19 UTC
This appears to be a labelling problem. /var/run/spamass-milter/spamass-milter.sock should be spamd_var_run_t, not initrc_t. Try stopping the milter and sendmail, remove /var/run/spamass-milter/spamass-milter.sock if it exists, then do:

    # restorecon -rv /var/run/spamass-milter

Then try starting the services again.

Been there, done that. No change.

OK, so what contexts have you got?

    $ ls -lZd /var/run
    $ ls -laZ /var/run/spamass-milter

What about sestatus?

    $ sestatus -v

Are you starting spamass-milter using the provided initscript?

I'm bitten by this as well. It's due to the fact that /usr/sbin/spamass-milter has a selinux type of bin_t, which when run from an init script, becomes initrc_t, which changes the type of the socket it opens (/var/run/spamass-milter/spamass-milter.sock) to become initrc_t, despite its label of spamd_var_run_t. That can be fixed by running:

    chcon -t spamd_exec_t /usr/sbin/spamass-milter

Sendmail would then be able to connect to the socket. HOWEVER, when run as spamd_exec_t, spamass-milter can't execute spamc, which makes spamass-milter useless. spamass-milter may need its own selinux type that sendmail can connect to, and can execute spamc. Or add a rule that spamd_exec_t can execute spamc, but spamd never does this, so that wouldn't be particularly ideal.

I've raised this problem on fedora-selinux-list (https://www.redhat.com/archives/fedora-selinux-list/2008-January/msg00007.html) but nobody has responded yet :-(

Dan has committed a fix for this in cvs for selinux-policy 3.0.8-78. It may be a few days yet before it gets built and appears in updates-testing.

I intend to write a separate selinux policy for spamass-milter (and also for milter-regex), which will need a lot of testing. I'd be very happy to hear from anyone willing to help with this, particularly if you have a more "unusual" configuration such as running over network sockets rather than unix domain sockets, or using postfix instead of sendmail.

selinux-policy-targeted-3.0.8-81.fc8 from updates-testing fixes this for me.

    # yum --enablerepo=updates-testing update selinux\*

selinux-policy-targeted-3.0.8-81.fc8 has now been pushed to the updates repository; a regular yum update will fix this problem once the mirrors have synced.
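The symptom discussed in this thread, a daemon started from an init script that stays in initrc_t, can be spotted by triaging AVC denials for that type. The following is an added example, not part of the bug report or of any Fedora tooling; the audit records are constructed (pids, inodes and timestamps are made up) and the function names are hypothetical.

```python
import re

# Constructed audit.log excerpt: one denial with the initrc_t pattern,
# one unrelated denial, one non-AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1197897679.101:41): avc:  denied  { connectto } for  pid=2101 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1197897679.101:41): arch=40000003 syscall=102 success=no exit=-13 comm="sendmail"
type=AVC msg=audit(1197897700.303:43): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def setype(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield one dict per AVC denial; other audit record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["stype"] = setype(d["scontext"])
            d["ttype"] = setype(d["tcontext"])
            yield d


def initrc_denials(log_text):
    """Denials where either side has type initrc_t. For a long-running daemon
    this usually means its executable has no entrypoint label (e.g. bin_t),
    so no domain transition happened when the init script started it."""
    return [d for d in parse_denials(log_text)
            if "initrc_t" in (d["stype"], d["ttype"])]


if __name__ == "__main__":
    for d in initrc_denials(SAMPLE_LOG):
        print(f'{d["comm"]} ({d["stype"]}) denied {d["perms"]} '
              f'on {d["tclass"]} labelled {d["ttype"]}')
```

On a real system the input would be the contents of /var/log/audit/audit.log; a hit is a prompt to compare the daemon's executable label with `ls -Z` against what the policy expects.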