238325 – AVC denied when accessing /var/lib/spamassassin

Bug 238325 - AVC denied when accessing /var/lib/spamassassin

Summary: AVC denied when accessing /var/lib/spamassassin

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-04-29 11:04 UTC by Robert Scheck
Modified:	2007-11-30 22:12 UTC (History)
CC List:	0 users
Fixed In Version:	Current
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-08-22 14:15:12 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Robert Scheck 2007-04-29 11:04:06 UTC

Description of problem:
type=AVC msg=audit(1177844482.191:174250): avc:  denied  { read } for  pid=2485 
comm="spamassassin" name="3.002000" dev=cciss/c0d0p2 ino=213219 
scontext=user_u:system_r:procmail_t:s0 
tcontext=user_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1177844482.191:174250): arch=40000003 syscall=5 
success=yes exit=3 a0=9fbb928 a1=18800 a2=3 a3=9f07488 items=0 ppid=2484 
pid=2485 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 
fsgid=100 tty=(none) comm="spamassassin" exe="/usr/bin/perl" 
subj=user_u:system_r:procmail_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-2.6.1-1
selinux-policy-targeted-2.6.1-1

Actual results:
AVC denied when accessing /var/lib/spamassassin (by procmail?)

Expected results:
No AVC denied message.

Comment 1 Robert Scheck 2007-04-29 18:30:07 UTC

Oh and SpamAssassin must be allowed to access this directory; any updates by
sa-update will be put into there.

Comment 2 Daniel Walsh 2007-04-30 12:41:25 UTC

Fixed in selinux-policy-targeted-2.6.3-1

Comment 3 Robert Scheck 2007-05-25 20:27:34 UTC

NO! This bug is not fixed in selinux-policy-targeted-2.6.4-8:

type=AVC msg=audit(1180124312.557:188618): avc:  denied  { read } for  
pid=18541 comm="spamassassin" name="3.002000" dev=cciss/c0d0p2 ino=21321
9 scontext=user_u:system_r:procmail_t:s0 
tcontext=user_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1180124312.557:188618): arch=40000003 syscall=5 
success=yes exit=3 a0=a28f9c8 a1=18800 a2=3 a3=a1db540 items=0 ppid=1854
0 pid=18541 auid=500 uid=506 gid=501 euid=506 suid=506 fsuid=506 egid=501 
sgid=501 fsgid=501 tty=(none) comm="spamassassin" exe="/usr/bin/perl"
 subj=user_u:system_r:procmail_t:s0 key=(null)

Comment 4 Daniel Walsh 2007-05-29 14:27:57 UTC

Fix will be in  2.6.4-10

Comment 5 Robert Scheck 2007-06-10 22:00:14 UTC

DANIEL! This bug is also NOT fixed in selinux-policy-targeted-2.6.5-2:

Raw Audit Messages

avc: denied { read } for comm="spamassassin" dev=cciss/c0d0p2 egid=100 euid=500
exe="/usr/bin/perl" exit=3 fsgid=100 fsuid=500 gid=100 items=0 name="3.002000"
pid=20326 scontext=system_u:system_r:procmail_t:s0 sgid=100
subj=system_u:system_r:procmail_t:s0 suid=500 tclass=dir
tcontext=user_u:object_r:spamd_var_lib_t:s0 tty=(none) uid=500

Comment 6 Daniel Walsh 2007-06-11 14:41:53 UTC

Fix will be selinux-policy-3.0.0  It is in fc7.

Comment 7 Daniel Walsh 2007-08-22 14:15:12 UTC

Should be fixed in the current release

Note You need to log in before you can comment on or make changes to this bug.