Description of problem:
SELinux is preventing the spamd daemon from reading users' home directories.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-72.fc8

How reproducible:
Every time

Steps to Reproduce:
1. Policies do not allow spamd to create locks and access the spamassassin files for the root user.
2.
3.

Actual results:

Expected results:

Additional info:
I should have mentioned that I did check the booleans, and the rule to allow spamassassin to access home directories is checked.
Please attach the AVC messages from the audit.log. Are you seeing setroubleshoot messages?
This system has just been upgraded by doing a new install of Fedora 8. The setroubleshoot browser is up all the time. I have had to drop to permissive state to keep things running. Seems to be complaining about all users, not just root like it did in Fedora 6.

type=AVC msg=audit(1199122273.777:313): avc: denied { read } for pid=7765 comm="spamassassin" name=".razor" dev=dm-2 ino=43753473 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1199122273.777:313): arch=c000003e syscall=2 success=yes exit=7 a0=2f19c30 a1=90800 a2=0 a3=9 items=0 ppid=7764 pid=7765 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1199122280.505:316): avc: denied { remove_name } for pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1199122280.505:316): avc: denied { unlink } for pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1199122280.505:316): arch=c000003e syscall=87 success=yes exit=0 a0=2ef96f0 a1=1671650 a2=31cb112ce0 a3=5 items=0 ppid=7764 pid=7765 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
Fixed in selinux-policy-3.0.8-74.fc8
After applying update selinux-policy-3.0.8-74.fc8 and relabeling the home directories just in case the policy had different labels I'm still seeing the following:

type=USER_END msg=audit(1200628861.982:4480): user pid=7494 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=AVC msg=audit(1200629104.580:4481): avc: denied { getattr } for pid=7540 comm="spamassassin" path="/home/dhighley/.razor/identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1200629104.580:4481): arch=c000003e syscall=6 success=yes exit=0 a0=2f16880 a1=604140 a2=604140 a3=31cc1529f0 items=0 ppid=7539 pid=7540 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1200629104.580:4482): avc: denied { read } for pid=7540 comm="spamassassin" name="identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
I have one squawk now about ~/.razor/identity, which is a symlink to identity-dhighley. This might be a heritage package configuration where they used a symlink in the past to point to the real file.
Removing symbolic link and renaming the identity file has fixed the last E-mail issue.
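
Added example, not part of the original report or of any commenter's reply: a small Python parser that groups the AVC denials posted in this thread by source domain, target type and object class, and prints them in the style of audit2allow output so the missing permissions can be read at a glance. The function names are made up for this example; the log lines are the thread's own AVC records with the line-wrap breaks removed, plus one shortened SYSCALL record to show that non-AVC lines are skipped.

```python
import re
from collections import defaultdict

# AVC records from the report above (wrap breaks removed); SYSCALL line shortened.
SAMPLE = """\
type=AVC msg=audit(1199122273.777:313): avc: denied { read } for pid=7765 comm="spamassassin" name=".razor" dev=dm-2 ino=43753473 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=dir
type=AVC msg=audit(1199122280.505:316): avc: denied { remove_name } for pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1199122280.505:316): avc: denied { unlink } for pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1199122280.505:316): arch=c000003e syscall=87 success=yes exit=0 comm="spamassassin" exe="/usr/bin/perl"
type=AVC msg=audit(1200629104.580:4481): avc: denied { getattr } for pid=7540 comm="spamassassin" path="/home/dhighley/.razor/identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1200629104.580:4482): avc: denied { read } for pid=7540 comm="spamassassin" name="identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    needed = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("type=AVC "):
            continue  # SYSCALL, USER_END and other record types carry no denial
        m = AVC_RE.search(line)
        if not m:
            continue  # granted or malformed AVC record
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        needed[key].update(m.group("perms").split())
    return dict(needed)

def as_rules(needed):
    """Render the summary as allow-rule text for review (nothing is loaded)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

Every denial in the thread has procmail_t as its source domain, and the lnk_file entries are the ones that remained after the policy update.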