Bug 666765

Summary: SELinux is preventing /sbin/consoletype from 'read' accesses on the file /tmp/update_spamassassin.0102.
Product: [Fedora] Fedora
Reporter: Chris Schanzle <bugzilla>
Component: spamassassin
Assignee: Warren Togami <wtogami>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dwalsh, kevin, mgrepl, nb, wtogami
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:5ab235feae5db28198651d4434707a9e5a9207eb23186b5646de7ac13170ede0
Doc Type: Bug Fix
Last Closed: 2011-01-04 16:05:54 UTC

Description Chris Schanzle 2011-01-03 03:43:02 UTC
SELinux is preventing /sbin/consoletype from 'read' accesses on the file /tmp/update_spamassassin.0102.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that consoletype should be allowed read access on the update_spamassassin.0102 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:consoletype_t:s0
Target Context                system_u:object_r:system_cronjob_tmp_t:s0
Target Objects                /tmp/update_spamassassin.0102 [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.20.1-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-72.fc14.i686 #1
                              SMP Mon Dec 20 22:05:49 UTC 2010 i686 i686
Alert Count                   8
First Seen                    Sun 26 Dec 2010 04:02:36 AM EST
Last Seen                     Sun 02 Jan 2011 03:49:07 AM EST
Local ID                      f50d6be0-6c3d-447c-8e3a-1af2f8853f90

Raw Audit Messages
type=AVC msg=audit(1293958147.42:62296): avc:  denied  { read } for  pid=30430 comm="consoletype" path="/tmp/update_spamassassin.0102" dev=dm-0 ino=1450 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:system_cronjob_tmp_t:s0 tclass=file

consoletype,consoletype_t,system_cronjob_tmp_t,file,read
type=SYSCALL msg=audit(1293958147.42:62296): arch=i386 syscall=execve success=yes exit=0 a0=8305500 a1=8305578 a2=82fe9e0 a3=8305578 items=0 ppid=30429 pid=30430 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3355 comm=consoletype exe=/sbin/consoletype subj=system_u:system_r:consoletype_t:s0 key=(null)
consoletype,consoletype_t,system_cronjob_tmp_t,file,read

#============= consoletype_t ==============
allow consoletype_t system_cronjob_tmp_t:file read;

Comment 1 Miroslav Grepl 2011-01-03 17:48:49 UTC
Looks like a leaked descriptor. You can dontaudit it using

# grep consoletype /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Comment 2 Chris Schanzle 2011-01-04 02:44:39 UTC
Hi - rather than paper over the alert ... is this likely from /etc/cron.daily/update_spamassassin? Should the spamassassin guys be taking a look? I'd be happy to modify the script to help find out, but not sure of the techniques.

Comment 3 Daniel Walsh 2011-01-04 14:38:25 UTC
Yes, they should be closing this file descriptor on exec.  Also why are they using /tmp for a process running as root?
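
The descriptor leak discussed in Comments 1 to 3, as an added example that is not part of the bug report and not MailScanner's script: a parent shell holds a temp file open for reading on fd 3, a child inherits it, and `3<&-` closes it for that child. The descriptor number, file contents and function names are constructed; the page does not show how the real cron script opens its temp file.

```shell
#!/bin/sh
# Constructed demo: a parent shell holds a temp file open for reading on
# fd 3; a child process inherits it unless the parent closes it first.

# Succeeds only if a newly exec'd child can read from descriptor 3.
child_sees_fd3() {
    sh -c 'cat <&3 >/dev/null' 2>/dev/null
}

# Linux-only diagnostic: list what a child sees on descriptors above 2.
show_child_fds() {
    sh -c 'for f in /proc/$$/fd/*; do
               n=${f##*/}
               [ "$n" -gt 2 ] 2>/dev/null && echo "fd $n -> $(readlink "$f")"
           done; :'
}

# Runs in a subshell so the caller's own descriptors are left alone.
demo() (
    tmp=$(mktemp) || exit 2
    echo "constructed sample data" > "$tmp"
    exec 3< "$tmp"              # parent opens the temp file on fd 3

    show_child_fds >&2          # diagnostic goes to stderr

    # Leak: the child inherits fd 3 and can read the parent's temp file.
    if child_sees_fd3; then leaked=yes; else leaked=no; fi

    # Fix: 3<&- closes fd 3 for this one child invocation only.
    if child_sees_fd3 3<&-; then closed=no; else closed=yes; fi

    exec 3<&-
    rm -f "$tmp"
    echo "leaked=$leaked closed_for_child=$closed"
)

demo
```

Under SELinux the inherited descriptor is checked against the child's domain at exec time, which is why a helper such as consoletype that never touches the file still produces an AVC denial.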

Comment 4 Kevin Fenzi 2011-01-04 15:43:13 UTC
I'm sure we would be open to adjustments to our spamassassin cron script, but is that ours or did you install from upstream? 

We use /etc/cron.d/sa-update

It sounds like you have a /etc/cron.daily/update_spamassassin script? Where did you get it?

Comment 5 Chris Schanzle 2011-01-04 16:05:54 UTC
Ah, dang.  My bad for not checking:

rpm -qf  /etc/cron.daily/update_spamassassin
mailscanner-4.81.4-1.noarch

I'll work with the MailScanner.info guys to get this fixed.  Closing.  Thank you!