Bug 429568

Summary: SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/spool/amavisd (amavis_spool_t)
Product: [Fedora] Fedora
Reporter: owen
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 8
Hardware: i386
OS: Linux
Fixed In Version: Current Doc Type: Bug Fix
Last Closed: 2008-03-05 22:17:21 UTC

Description owen 2008-01-21 18:02:45 UTC
Description of problem:
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to
/var/spool/amavisd (amavis_spool_t).

From SELinux dialog:
----
Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:amavis_spool_t:s0
Target Objects:  /var/spool/amavisd [ dir ]
Affected RPM Packages:  tmpwatch-2.9.11-2 [application]
                        amavisd-new-2.5.2-2.fc8 [target]
Policy RPM:  selinux-policy-3.0.8-74.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  mail.metamachine.com
Platform:  Linux mail.metamachine.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count:  2
First Seen:  Sun 20 Jan 2008 03:59:50 PM PST
Last Seen:  Sun 20 Jan 2008 03:59:50 PM PST
Local ID:  8b0ced41-4675-41f7-9073-adf8b110dcf4
Line Numbers:

Raw Audit Messages:

avc: denied { getattr } for comm=tmpwatch dev=sda5 egid=0 euid=0
exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0
sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=0
----
Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-74.fc8

How reproducible:
Apply all updates to fresh F8 install, run SELinux in enforcing mode, let
tmpwatch run, see SELinux deny it access to /var/spool/amavisd (if I'm reading
this right).

Steps to Reproduce:
1. Apply all updates to fresh F8 install
2. Run SELinux in enforcing mode
3. Let tmpwatch run
4. See SELinux deny it access to /var/spool/amavisd
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-01-21 18:31:29 UTC
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-79.fc8
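
The following is an added example, not part of the original comment or of the selinux-policy project: a small Python sketch that derives, from the AVC denial in this report, the `allow` rule in the form audit2allow prints, so the rule can be read before a module is loaded. It generalizes slightly by also accepting raw audit.log-style records and merging permissions; the second record, `CONSTRUCTED_AVC`, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# AVC record copied from the report above (setroubleshoot's flattened form).
PAGE_AVC = (
    "avc: denied { getattr } for comm=tmpwatch dev=sda5 egid=0 euid=0 "
    "exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 "
    "path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0 "
    "sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir "
    "tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=0"
)
# Constructed raw audit.log-style record (not from the report), to show merging.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1200873590.000:1): avc:  denied  { read search } for  pid=4836 '
    'comm="tmpwatch" name="amavisd" dev=sda5 scontext=system_u:system_r:tmpreaper_t:s0 '
    "tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms); type is field 3 of user:role:type[:level]."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # malformed or truncated record: skip rather than guess
    return stype, ttype, tclass, set(m.group(1).split())

def allow_rules(lines):
    """Merge denials per (source type, target type, class) into sorted allow rules."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            merged[parsed[:3]] |= parsed[3]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules

print("\n".join(allow_rules([PAGE_AVC])))
```

Because `audit2allow -i /var/log/audit/audit.log` reads every denial in the log, the generated `mypol.te` can contain more rules than the one for this report; reading it before `semodule -i mypol.pp` shows exactly what is being allowed.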

Comment 2 Daniel Walsh 2008-03-05 22:17:21 UTC
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.