Description of problem: Running 'at 5pm', say, in enforcing mode gives this error: [tim@cyberelk tim]$ id -Z user_u:user_r:user_t [tim@cyberelk tim]$ at 5pm Cannot open lockfile /var/spool/at/.SEQ: Permission denied [root@cyberelk root]# ls -Z /var/spool/at/.SEQ -rw-------+ daemon daemon system_u:object_r:at_spool_t /var/spool/at/.SEQ Version-Release number of selected component (if applicable): at-3.1.8-50 policy-1.11.2-6 How reproducible: 100%
Fixed in policy-1.11.2-7
Thanks, works for me.
Spoke too soon. I got audit messages when a job (just to 'mail -s test ...') tried to execute. These are (obviously!) from non-enforcing mode: Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc: denied { read } for pid=23064 exe=/usr/sbin/atd name=sh dev=hda2 ino=3850250 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:bin_t tclass=lnk_file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc: denied { execute } for pid=23064 exe=/usr/sbin/atd name=bash dev=hda2 ino=3850326 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:shell_exec_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc: denied { execute_no_trans } for pid=23064 exe=/usr/sbin/atd path=/bin/bash dev=hda2 ino=3850326 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:shell_exec_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.256:0): avc: denied { read } for pid=23064 exe=/usr/sbin/atd path=/bin/bash dev=hda2 ino=3850326 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:shell_exec_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.258:0): avc: denied { read } for pid=23064 exe=/bin/bash name=mtab dev=hda2 ino=3835834 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.259:0): avc: denied { getattr } for pid=23064 exe=/bin/bash path=/etc/mtab dev=hda2 ino=3835834 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:etc_runtime_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.259:0): avc: denied { getattr } for pid=23064 exe=/bin/bash path=/proc/meminfo dev= ino=4098 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:proc_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.261:0): avc: denied { getattr } for pid=23064 exe=/bin/bash path=/bin/bash dev=hda2 ino=3850326 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:shell_exec_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.264:0): avc: denied { search } for pid=23064 exe=/bin/bash name=mail dev=hda2 ino=1015845 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mail_spool_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc: denied { getattr } for pid=23064 exe=/bin/bash path=/home dev=hda6 ino=2 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:home_root_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc: denied { search } for pid=23064 exe=/bin/bash dev=hda6 ino=2 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:home_root_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc: denied { getattr } for pid=23064 exe=/bin/bash path=/home/tim dev=hda6 ino=243361 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.266:0): avc: denied { search } for pid=23064 exe=/bin/bash name=tim dev=hda6 ino=243361 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.273:0): avc: denied { read } for pid=23065 exe=/bin/bash name=.bashrc dev=hda6 ino=245635 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:user_home_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.273:0): avc: denied { getattr } for pid=23065 exe=/bin/bash path=/home/tim/.bashrc dev=hda6 ino=245635 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:user_home_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.275:0): avc: denied { getattr } for pid=23066 exe=/bin/bash path=/usr/bin/id dev=hda2 ino=1251966 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:bin_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.276:0): avc: denied { execute } for pid=23067 exe=/bin/bash name=id dev=hda2 ino=1251966 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:bin_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.276:0): avc: denied { execute_no_trans } for pid=23067 exe=/bin/bash path=/usr/bin/id dev=hda2 ino=1251966 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:bin_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.276:0): avc: denied { read } for pid=23067 exe=/bin/bash path=/usr/bin/id dev=hda2 ino=1251966 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:bin_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.279:0): avc: denied { getattr } for pid=23067 exe=/usr/bin/id path=pipe:[107801] dev= ino=107801 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=fifo_file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.280:0): avc: denied { write } for pid=23067 exe=/usr/bin/id path=pipe:[107801] dev= ino=107801 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=fifo_file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.281:0): avc: denied { read } for pid=23065 exe=/bin/bash path=pipe:[107801] dev= ino=107801 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=fifo_file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.373:0): avc: denied { search } for pid=23073 exe=/bin/mail name=sbin dev=hda2 ino=1245245 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:sbin_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.373:0): avc: denied { read } for pid=23073 exe=/bin/mail name=sendmail dev=hda2 ino=1252731 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:sbin_t tclass=lnk_file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.503:0): avc: denied { execute } for pid=23073 exe=/bin/mail name=sendmail.sendmail dev=hda2 ino=1252719 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:sendmail_exec_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.503:0): avc: denied { execute_no_trans } for pid=23073 exe=/bin/mail path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1252719 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:sendmail_exec_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.503:0): avc: denied { read } for pid=23073 exe=/bin/mail path=/usr/sbin/sendmail.sendmail dev=hda2 ino=1252719 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:sendmail_exec_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.790:0): avc: denied { create } for pid=23073 exe=/usr/sbin/sendmail.sendmail scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=tcp_socket Apr 15 17:20:00 cyberelk kernel: audit(1082046000.793:0): avc: denied { read } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=resolv.conf dev=hda2 ino=3834860 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:net_conf_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.793:0): avc: denied { getattr } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=/etc/resolv.conf dev=hda2 ino=3834860 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:net_conf_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.795:0): avc: denied { search } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=mail dev=hda2 ino=3834696 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.852:0): avc: denied { getattr } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=/etc/mail/submit.cf dev=hda2 ino=3834746 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:etc_mail_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.852:0): avc: denied { getattr } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=/etc/mail dev=hda2 ino=3834696 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:etc_mail_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.852:0): avc: denied { read } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=submit.cf dev=hda2 ino=3834746 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:etc_mail_t tclass=file Apr 15 17:20:00 cyberelk kernel: audit(1082046000.890:0): avc: denied { search } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda2 ino=1015923 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Apr 15 17:20:00 cyberelk kernel: audit(1082046000.890:0): avc: denied { getattr } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=/var/spool/clientmqueue dev=hda2 ino=1015923 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Apr 15 17:20:01 cyberelk kernel: audit(1082046001.034:0): avc: denied { create } for pid=23073 exe=/usr/sbin/sendmail.sendmail scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=udp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.034:0): avc: denied { connect } for pid=23073 exe=/usr/sbin/sendmail.sendmail scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=udp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc: denied { write } for pid=23073 exe=/usr/sbin/sendmail.sendmail laddr=192.168.1.1 lport=34439 faddr=192.168.1.1 fport=53 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=udp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc: denied { udp_send } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=192.168.1.1 src=34439 daddr=192.168.1.1 dest=53 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:netif_lo_t tclass=netif Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc: denied { udp_send } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=192.168.1.1 src=34439 daddr=192.168.1.1 dest=53 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:node_t tclass=node Apr 15 17:20:01 cyberelk kernel: audit(1082046001.035:0): avc: denied { send_msg } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=192.168.1.1 src=34439 daddr=192.168.1.1 dest=53 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.209:0): avc: denied { udp_recv } for pid=1914 exe=/usr/sbin/named saddr=192.168.1.1 src=53 daddr=192.168.1.1 dest=34439 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:netif_lo_t tclass=netif Apr 15 17:20:01 cyberelk kernel: audit(1082046001.209:0): avc: denied { udp_recv } for pid=1914 exe=/usr/sbin/named saddr=192.168.1.1 src=53 daddr=192.168.1.1 dest=34439 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:node_t tclass=node Apr 15 17:20:01 cyberelk kernel: audit(1082046001.209:0): avc: denied { recv_msg } for pid=1914 exe=/usr/sbin/named saddr=192.168.1.1 src=53 daddr=192.168.1.1 dest=34439 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.210:0): avc: denied { read } for pid=23073 exe=/usr/sbin/sendmail.sendmail laddr=192.168.1.1 lport=34439 faddr=192.168.1.1 fport=53 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=udp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.390:0): avc: denied { write } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda2 ino=1015923 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Apr 15 17:20:01 cyberelk kernel: audit(1082046001.390:0): avc: denied { add_name } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=dfi3FGK07j023073 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Apr 15 17:20:01 cyberelk kernel: audit(1082046001.390:0): avc: denied { create } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=dfi3FGK07j023073 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Apr 15 17:20:01 cyberelk kernel: audit(1082046001.391:0): avc: denied { getattr } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=/var/spool/clientmqueue/dfi3FGK07j023073 dev=hda2 ino=1015911 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Apr 15 17:20:01 cyberelk kernel: audit(1082046001.392:0): avc: denied { lock } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=/var/spool/clientmqueue/dfi3FGK07j023073 dev=hda2 ino=1015911 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Apr 15 17:20:01 cyberelk kernel: audit(1082046001.392:0): avc: denied { write } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=/var/spool/clientmqueue/dfi3FGK07j023073 dev=hda2 ino=1015911 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Apr 15 17:20:01 cyberelk kernel: audit(1082046001.397:0): avc: denied { read } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=dfi3FGK07j023073 dev=hda2 ino=1015911 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc: denied { connect } for pid=23073 exe=/usr/sbin/sendmail.sendmail scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=tcp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc: denied { tcp_send } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=127.0.0.1 src=33954 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:netif_lo_t tclass=netif Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc: denied { tcp_send } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=127.0.0.1 src=33954 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:node_lo_t tclass=node Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc: denied { send_msg } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=127.0.0.1 src=33954 daddr=127.0.0.1 dest=25 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc: denied { tcp_recv } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=33954 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:netif_lo_t tclass=netif Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc: denied { tcp_recv } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=33954 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:node_lo_t tclass=node Apr 15 17:20:01 cyberelk kernel: audit(1082046001.430:0): avc: denied { recv_msg } for pid=23073 exe=/usr/sbin/sendmail.sendmail saddr=127.0.0.1 src=25 daddr=127.0.0.1 dest=33954 netif=lo scontext=system_u:system_r:atd_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.441:0): avc: denied { getattr } for pid=23073 exe=/usr/sbin/sendmail.sendmail laddr=127.0.0.1 lport=33954 faddr=127.0.0.1 fport=25 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=tcp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.442:0): avc: denied { read } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=socket:[107830] dev= ino=107830 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=tcp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.622:0): avc: denied { write } for pid=23073 exe=/usr/sbin/sendmail.sendmail path=socket:[107830] dev= ino=107830 scontext=system_u:system_r:atd_t tcontext=system_u:system_r:atd_t tclass=tcp_socket Apr 15 17:20:01 cyberelk kernel: audit(1082046001.797:0): avc: denied { remove_name } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=dfi3FGK07j023073 dev=hda2 ino=1015911 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir Apr 15 17:20:01 cyberelk kernel: audit(1082046001.797:0): avc: denied { unlink } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=dfi3FGK07j023073 dev=hda2 ino=1015911 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=file Apr 15 17:20:01 cyberelk kernel: audit(1082046001.798:0): avc: denied { read } for pid=23073 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda2 ino=1015923 scontext=system_u:system_r:atd_t tcontext=system_u:object_r:mqueue_spool_t tclass=dir
There is no longer an atd_t; it runs as crond_t since Dan's latest changes. I did however fix one or two bugs in the policy relating to this. Could you try the latest policy? Note you will need to relabel /var/spool/at and /usr/sbin/atd and /usr/bin/at at least.
With policy-1.11.2-9, I get no audit messages when running: at "now + 2 minutes" echo hello world ^D When the job fires I get this (permissive mode): audit(1082449920.313:0): avc: denied { write } for pid=15079 exe=/usr/sbin/atd name=spool dev=hda2 ino=1015866 scontext=root:system_r:crond_t tcontext=system_u:object_r:var_spool_t tclass=dir audit(1082449920.313:0): avc: denied { add_name } for pid=15079 exe=/usr/sbin/atd name=a0000801134800 scontext=root:system_r:crond_t tcontext=system_u:object_r:var_spool_t tclass=dir audit(1082449920.313:0): avc: denied { create } for pid=15079 exe=/usr/sbin/atd name=a0000801134800 scontext=root:system_r:crond_t tcontext=root:object_r:var_spool_t tclass=file audit(1082449920.313:0): avc: denied { write } for pid=15079 exe=/usr/sbin/atd path=/var/spool/at/spool/a0000801134800 dev=hda2 ino=1017281 scontext=root:system_r:crond_t tcontext=root:object_r:var_spool_t tclass=file audit(1082449920.318:0): avc: denied { write } for pid=15080 exe=/bin/bash path=/var/spool/at/spool/a0000801134800 dev=hda2 ino=1017281 scontext=user_u:user_r:user_crond_t tcontext=root:object_r:var_spool_t tclass=file audit(1082449920.354:0): avc: denied { getattr } for pid=15081 exe=/bin/bash path=/var/spool/at/spool/a0000801134800 dev=hda2 ino=1017281 scontext=user_u:user_r:user_crond_t tcontext=root:object_r:var_spool_t tclass=file audit(1082449920.357:0): avc: denied { remove_name } for pid=15079 exe=/usr/sbin/atd name=a0000801134800 dev=hda2 ino=1017281 scontext=root:system_r:crond_t tcontext=system_u:object_r:var_spool_t tclass=dir audit(1082449920.357:0): avc: denied { unlink } for pid=15079 exe=/usr/sbin/atd name=a0000801134800 dev=hda2 ino=1017281 scontext=root:system_r:crond_t tcontext=root:object_r:var_spool_t tclass=file audit(1082449920.360:0): avc: denied { read } for pid=15079 exe=/usr/sbin/sendmail.sendmail path=/var/spool/at/spool/a0000801134800 (deleted) dev=hda2 ino=1017281 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file audit(1082449920.374:0): avc: denied { getattr } for pid=15079 exe=/usr/sbin/sendmail.sendmail path=/var/spool/at/spool/a0000801134800 (deleted) dev=hda2 ino=1017281 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file audit(1082449920.385:0): avc: denied { ioctl } for pid=15079 exe=/usr/sbin/sendmail.sendmail path=/var/spool/at/spool/a0000801134800 (deleted) dev=hda2 ino=1017281 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
..but with policy-1.11.2-12 everything works fine. Seems fixed now.