Bug 856536
| Summary: | AVCs when running spamassassin test with disabled unconfined and unlabelednet | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Trunecka <mtruneck> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4 | CC: | dwalsh, mgrepl, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-02-25 10:45:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Michal Trunecka
2012-09-12 09:19:38 UTC
These AVCs have nothing to do with unconfined being disabled. What directories does spamassassin need to write in the homedir?

```
/root/\.pyzor(/.*)?         system_u:object_r:spamc_home_t:s0
/root/\.spamd(/.*)?         system_u:object_r:spamc_home_t:s0
/root/\.razor(/.*)?         system_u:object_r:spamc_home_t:s0
/root/\.spamassassin(/.*)?  system_u:object_r:spamc_home_t:s0
```

We have labels for these. But this test looks like spamc is spewing into ~/

After the test finishes, there is a correct razor-agent.log file in the .razor directory. But when running in permissive mode, there is also a razor-agent.log file in the ~/mail directory, which causes the AVC. It may be related to the comment in /usr/share/perl5/Razor2/Client/Agent.pm before the 'razor-agent.log' string is assigned to the logfile variable:

```perl
# Note: we start logging before we process '-create' ,
# so logfile will not go into a newly created razorhome
```

But I don't understand what exactly it means. The following code is in /usr/share/perl5/Razor2/Logger.pm, and the $name variable holds the mentioned filename:

```perl
open (LOGF, ">>$name") or do {
    if ($self->{DontDie}) {
        open LOGF, ">>/dev/null" or do {
            print STDERR "Failed to open /dev/null, $!\n";
        };
    } else {
        die $!;
    }
};
```

It would explain why nothing happens when the access is denied. So the question is why there also needs to be a ~/mail dir with the razor-agent.log file.

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

We have fixes in RHEL7 where we are able to fix it using filename transitions. It needs to be fixed by either restorecond or restorecon in RHEL6.
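
The mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from the bug report or from selinux-policy: it parses the four file-context entries quoted above and tests paths against them using whole-path matching. The sample paths are constructed, and `~` is assumed to be `/root`.

```python
import re

# The four home-directory entries quoted in the report: path regex, then context.
FCONTEXT_TEXT = r"""
/root/\.pyzor(/.*)?         system_u:object_r:spamc_home_t:s0
/root/\.spamd(/.*)?         system_u:object_r:spamc_home_t:s0
/root/\.razor(/.*)?         system_u:object_r:spamc_home_t:s0
/root/\.spamassassin(/.*)?  system_u:object_r:spamc_home_t:s0
"""

# Constructed sample paths; "~" is assumed to be /root, as in the entries above.
SAMPLE_PATHS = [
    "/root/.razor",
    "/root/.razor/razor-agent.log",
    "/root/.spamassassin/user_prefs",
    "/root/mail/razor-agent.log",
]

def parse_fcontext(text):
    """Parse file-context lines into (compiled regex, context) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # First field is the path regex, last is the context; an optional
        # file-type field (for example -d) may sit between them.
        entries.append((re.compile(fields[0]), fields[-1]))
    return entries

def lookup(entries, path):
    """Return the context whose regex matches the whole path, else None."""
    # The four patterns cannot overlap, so entry precedence is not modeled.
    for regex, context in entries:
        if regex.fullmatch(path):
            return context
    return None

def uncovered(entries, paths):
    """Paths that none of the listed entries label."""
    return [p for p in paths if lookup(entries, p) is None]

ENTRIES = parse_fcontext(FCONTEXT_TEXT)

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:35} {lookup(ENTRIES, p) or '(no listed entry matches)'}")
```

Only the `~/mail` log path falls outside the listed entries, which is consistent with the denial being reported for that file and not for the copy under `.razor`.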