Bug 189558 - pyzor avc denial
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-04-20 22:36 EDT by Dave Jones
Modified: 2015-01-04 17:26 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:15:56 EDT

Description Dave Jones 2006-04-20 22:36:59 EDT
With the spamassassin & pyzor in rawhide, I'm getting this on every mail processed..

type=AVC msg=audit(1145587319.532:332): avc:  denied  { getattr } for  pid=9899
comm="pyzor" name="servers" dev=dm-0 ino=18120721
scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
Comment 1 Dave Jones 2006-04-20 22:37:38 EDT
also..

type=AVC msg=audit(1145587319.548:333): avc:  denied  { name_connect } for 
pid=9899 comm="pyzor" dest=80 scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
Comment 3 Daniel Walsh 2006-05-09 12:25:52 EDT
Fixed in rawhide policy
Comment 4 Dave Jones 2006-05-30 19:43:01 EDT
afraid not :-/
Just got this with all the latest rawhide bits updated.

type=AVC msg=audit(1149032957.180:2267): avc:  denied  { search } for  pid=25379
comm="pyzor" scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1149032957.180:2267): arch=c000003e syscall=156
success=no exit=-1 a0=7fff9de2d720 a1=0 a2=0 a3=3662346cc0 items=0 pid=25379
auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python"
subj=system_u:system_r:pyzor_t:s0
type=AVC msg=audit(1149032957.180:2268): avc:  denied  { search } for  pid=25379
comm="pyzor" name="/" dev=proc ino=1 scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1149032957.180:2268): arch=c000003e syscall=2 success=no
exit=-13 a0=366340dd20 a1=0 a2=ffffffff a3=3662346cc0 items=1 pid=25379
auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python"
subj=system_u:system_r:pyzor_t:s0
type=CWD msg=audit(1149032957.180:2268):  cwd="/"
type=PATH msg=audit(1149032957.180:2268): item=0 name="/proc/sys/kernel/version"
obj=system_u:object_r:lib_t:s0
type=AVC msg=audit(1149032957.184:2269): avc:  denied  { search } for  pid=25379
comm="pyzor" name="bin" dev=dm-0 ino=4718602
scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1149032957.184:2269): arch=c000003e syscall=2 success=no
exit=-13 a0=7fff9de2ded9 a1=0 a2=1b6 a3=0 items=1 pid=25379 auid=4294967295
uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none)
comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
type=CWD msg=audit(1149032957.184:2269):  cwd="/"
type=PATH msg=audit(1149032957.184:2269): item=0 name="/usr/bin/pyzor"
obj=system_u:object_r:lib_t:s0
Comment 5 Will Woods 2007-01-10 14:29:04 EST
resurrecting an old bug - I currently get this pyzor avc denial on each incoming
message:

audit(1168455390.669:723): avc:  denied  { search } for  pid=4386 comm="pyzor"
name="home" dev=md0 ino=8773249 scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

IIRC pyzor is allowed to read/write user homedirs, so letting it search
home_root_t is probably a good idea.
Comment 6 Will Woods 2007-01-10 14:36:00 EST
Oh yeah: this is with selinux-policy-targeted-2.4.6-17.fc6 (the rawhide
referenced in this bug turned into FC6, so.. yeah)
Comment 7 Daniel Walsh 2007-08-22 10:15:56 EDT
Should be fixed in the current release
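
Added example (not part of the original bug thread, and not code from the selinux-policy project): a small Python parser that reduces AVC denials like the ones quoted in the comments above to the candidate allow rules they imply, the same kind of summary audit2allow produces. The names parse_avc, candidate_rules and SAMPLE_AUDIT_LOG are hypothetical, and the sample records are copied from this bug with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample: AVC/SYSCALL records quoted in this bug's comments,
# with the mail-wrapped lines rejoined into one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1145587319.532:332): avc:  denied  { getattr } for  pid=9899 comm="pyzor" name="servers" dev=dm-0 ino=18120721 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1145587319.548:333): avc:  denied  { name_connect } for  pid=9899 comm="pyzor" dest=80 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1149032957.180:2267): avc:  denied  { search } for  pid=25379 comm="pyzor" scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1149032957.180:2267): arch=c000003e syscall=156 success=no exit=-1 a0=7fff9de2d720 a1=0 a2=0 a3=3662346cc0 items=0 pid=25379 auid=4294967295 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:pyzor_t:s0
audit(1168455390.669:723): avc:  denied  { search } for  pid=4386 comm="pyzor" name="home" dev=md0 ino=8773249 scontext=system_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None if not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL, CWD, PATH and other record types are skipped
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        # An SELinux context is user:role:type[:level]; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return source, target, tclass, m.group('perms').split()

def candidate_rules(log_text):
    """Group denials by (source, target, class) and render one allow rule per group."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            source, target, tclass, perms = parsed
            grouped[(source, target, tclass)].update(perms)
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_AUDIT_LOG)))
```

On these records the 2006-04-20 denials group under spamd_t and the later ones under pyzor_t, so each candidate rule can be reviewed against the domain pyzor was actually running in before anything is added to policy.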