Bug 427087 - SELinux is preventing the spamd daemon from reading users' home directories.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-12-31 01:45 EST by David Highley
Modified: 2008-05-01 11:39 EDT
Doc Type: Bug Fix
Last Closed: 2008-02-02 11:46:01 EST
Description David Highley 2007-12-31 01:45:55 EST
Description of problem:
SELinux is preventing the spamd daemon from reading users' home directories.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-72.fc8

How reproducible:
Every time

Steps to Reproduce:
1. Policies do not allow spamd to create locks and access the spamassassin files
 for the root user.

Actual results:


Expected results:


Additional info:
Comment 1 David Highley 2007-12-31 01:49:07 EST
I should have mentioned that I did check the booleans and the rule to allow
spamassassin to access home directories is checked.
Comment 2 Daniel Walsh 2007-12-31 06:30:42 EST
Please attach the AVC messages from the audit.log.  Are you seeing
setroubleshoot messages?
Comment 3 David Highley 2007-12-31 12:45:23 EST
This system has just been upgraded by doing a new install of Fedora 8. The
setroubleshoot browser is up all the time. I have had to drop to permissive
state to keep things running. Seems to be complaining about all users, not just
root like it did in Fedora 6.

type=AVC msg=audit(1199122273.777:313): avc:  denied  { read } for  pid=7765 comm="spamassassin" name=".razor" dev=dm-2 ino=43753473 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1199122273.777:313): arch=c000003e syscall=2 success=yes exit=7 a0=2f19c30 a1=90800 a2=0 a3=9 items=0 ppid=7764 pid=7765 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)

type=AVC msg=audit(1199122280.505:316): avc:  denied  { remove_name } for  pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1199122280.505:316): avc:  denied  { unlink } for  pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1199122280.505:316): arch=c000003e syscall=87 success=yes exit=0 a0=2ef96f0 a1=1671650 a2=31cb112ce0 a3=5 items=0 ppid=7764 pid=7765 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
Comment 4 Daniel Walsh 2008-01-03 10:59:00 EST
Fixed in selinux-policy-3.0.8-74.fc8
Comment 5 David Highley 2008-01-18 00:34:28 EST
After applying update selinux-policy-3.0.8-74.fc8 and relabeling the home
directories just in case the policy had different labels I'm still seeing the
following:

type=USER_END msg=audit(1200628861.982:4480): user pid=7494 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=AVC msg=audit(1200629104.580:4481): avc:  denied  { getattr } for  pid=7540 comm="spamassassin" path="/home/dhighley/.razor/identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1200629104.580:4481): arch=c000003e syscall=6 success=yes exit=0 a0=2f16880 a1=604140 a2=604140 a3=31cc1529f0 items=0 ppid=7539 pid=7540 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1200629104.580:4482): avc:  denied  { read } for  pid=7540 comm="spamassassin" name="identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
Comment 6 David Highley 2008-01-30 10:41:33 EST
I have one squawk now about ~/.razor/identity, which is a symlink to
identity-dhighley. This might be a heritage package configuration where they
used a symlink in the past to point to the real file.
Comment 7 David Highley 2008-02-02 11:45:14 EST
Removing symbolic link and renaming the identity file has fixed the last E-mail
issue.
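
The AVC records quoted in comments 3 and 5 can be reduced to the distinct (source type, target type, object class) triples and the permissions denied on each. The following is an added example, not part of the original bug report or of any SELinux tool; the function names are hypothetical, and the allow-rule strings are only a compact summary of what was denied, not the change shipped in selinux-policy-3.0.8-74.fc8.

```python
import re
from collections import defaultdict

# Records quoted in comments 3 and 5 of this bug, each rejoined onto one line.
SAMPLE = """\
type=AVC msg=audit(1199122273.777:313): avc:  denied  { read } for  pid=7765 comm="spamassassin" name=".razor" dev=dm-2 ino=43753473 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1199122273.777:313): arch=c000003e syscall=2 success=yes exit=7 a0=2f19c30 a1=90800 a2=0 a3=9 items=0 ppid=7764 pid=7765 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1199122280.505:316): avc:  denied  { remove_name } for  pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1199122280.505:316): avc:  denied  { unlink } for  pid=7765 comm="spamassassin" name="auto-whitelist.lock.douglas.highley-recommended.com.7765" dev=dm-2 ino=42650784 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=file
type=AVC msg=audit(1200629104.580:4481): avc:  denied  { getattr } for  pid=7540 comm="spamassassin" path="/home/dhighley/.razor/identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1200629104.580:4482): avc:  denied  { read } for  pid=7540 comm="spamassassin" name="identity" dev=dm-2 ino=120127738 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:user_razor_home_t:s0 tclass=lnk_file
"""

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_END and other record types carry no denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def as_rules(denials):
    """Render the summary in allow-rule syntax, one line per triple."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

Every denial has procmail_t as the source type, even though the process name is spamassassin. The SYSCALL records the function skips report success=yes, which is how a denial appears in permissive mode: logged but not enforced.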
