I recently started doing some maintenance on the pyzor package, which is (most often) called by spamassassin as part of its usual spam checks. The existing policy has a directory set aside for pyzor:

/etc/pyzor(/.*)?    all files    system_u:object_r:spamd_etc_t:s0

but pyzor when called by spamassassin can't access that directory:

type=AVC msg=audit(1425604453.271:35249): avc: denied { getattr } for pid=7696 comm="pyzor" path="/etc/pyzor" dev="dm-0" ino=145303 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_etc_t:s0 tclass=dir permissive=0

Took me ages to figure out why pyzor wasn't finding its directory because that denial appears to be dontaudit'ed and I'm not quite sure why.

Am I misunderstanding the function of spamd_etc_t? I can see that spamd_t is allowed to look there, and spamassassin does run as spamd_t, but I guess it transitions to spamc_t before it calls pyzor.

Also, if this is indeed a policy issue, is there a simple workaround?

Thanks.
Or, after more searching, maybe /etc/pyzor needs to be spamc_home_t instead of spamd_etc_t. A quick chcon -R -t spamc_home_t /etc/pyzor appears to fix my issues, at least temporarily.
We should just allow it to read the contents.
commit 5e10eee2f0c09a63eb5e85f148edfec28d068621
Author: Lukas Vrabec <lvrabec>
Date:   Mon Mar 9 10:43:08 2015 +0100

    Allow spamc read spamd_etc_t files. BZ(1199339).
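How the AVC record quoted in the first comment maps onto a type-enforcement rule, as an added example that is not part of the original thread or of the selinux-policy commit. The function names are hypothetical; the rule it prints has the same form audit2allow emits and is not the text of the actual policy change.

```python
import re

# The AVC record from the first comment of this report, copied verbatim.
SAMPLE = (
    'type=AVC msg=audit(1425604453.271:35249): avc: denied { getattr } '
    'for pid=7696 comm="pyzor" path="/etc/pyzor" dev="dm-0" ino=145303 '
    'scontext=system_u:system_r:spamc_t:s0 '
    'tcontext=system_u:object_r:spamd_etc_t:s0 tclass=dir permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 and parts[2] else None


def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not a usable AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    source = type_of(fields.get('scontext', ''))
    target = type_of(fields.get('tcontext', ''))
    if not (source and target and fields.get('tclass') and perms.split()):
        return None  # truncated or malformed record
    return {
        'result': result,
        'perms': perms.split(),
        'source_type': source,      # domain of the process (here spamc_t)
        'target_type': target,      # label on the object (here spamd_etc_t)
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'permissive': fields.get('permissive') == '1',
    }


def to_allow_rule(rec):
    """Render the allow rule that would permit the recorded access."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        rec['source_type'], rec['target_type'], rec['tclass'], perm_str)


if __name__ == '__main__':
    print(to_allow_rule(parse_avc(SAMPLE)))
```

The source type in the record is spamc_t, not spamd_t, which is why a rule granting spamd_t access to spamd_etc_t does not cover pyzor here.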
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21
Package selinux-policy-3.13.1-105.9.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.9.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4492/selinux-policy-3.13.1-105.9.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.