Bug 624546
Summary: | Spam reporting through Horde application framework to Spamassassin ends up in AVC denial | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Roope Karhu <roope> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 13 | CC: | domg444, dominick.grift, dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-51.fc13 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-08-31 06:39:04 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Roope Karhu
2010-08-16 20:01:26 UTC
Also, forgot to mention that this prevented any mail from being delivered to my inbox. /var/log/maillog showed that the mail was delivered to postfix queue, but when postfix fed it to procmail, I lost trace of it (because of the same AVC denial). Is there a specific cgi script that apache runs in order to start spamassassin? horde is a php webapp that runs /usr/bin/spamassassiin directly i believe. I guess then, should this be allowed under a boolean? Is httpd_can_sendmail required? If yes should this be under that boolean or do we need httpd_can_check_spam. I do not know if Roope Karhu has the the httpd_can_sendmail boolean enabled, and so i am not sure if this is required. A boolean seems like a good idea however i am not sure whether that is even possible since spamc local policy has optional policy, and AFAIK you cannot have optional policy in conditionals? Mind you that spamc_t can send mail. I guess: optional_policy(` tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` spamassassin_domtrans_client(httpd_t) ') ') would make sense. My gut feeling tells me that httpd_can_sendmail is required. Since Horde is a mail client php webapp. But .. i am not sure. p.s. never mind my previous comment about optionals and conditionals because it does not apply here. Here: $ getsebool httpd_can_sendmail httpd_can_sendmail --> on Remember that I've never had problems with SELinux before this, so I've never studied it or it's functionalities more than this. I'm mostly running with default values. Miroslav, lets go with Dominick's suggestion. Fixed in selinux-policy-3.7.19-50.fc13 selinux-policy-3.7.19-51.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13 selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13 selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |