Bug 429568 - SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/spool/amavisd (amavis_spool_t)
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
 
Reported: 2008-01-21 18:02 UTC by owen
Modified: 2008-03-05 22:17 UTC (History)

Fixed In Version: Current
Last Closed: 2008-03-05 22:17:21 UTC
Type: ---

Description owen 2008-01-21 18:02:45 UTC
Description of problem:
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to
/var/spool/amavisd (amavis_spool_t).

From SELinux dialog:
----
Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:amavis_spool_t:s0
Target Objects:  /var/spool/amavisd [ dir ]
Affected RPM Packages:  tmpwatch-2.9.11-2 [application]amavisd-new-2.5.2-2.fc8 [target]
Policy RPM:  selinux-policy-3.0.8-74.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  mail.metamachine.com
Platform:  Linux mail.metamachine.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count:  2
First Seen:  Sun 20 Jan 2008 03:59:50 PM PST
Last Seen:  Sun 20 Jan 2008 03:59:50 PM PST
Local ID:  8b0ced41-4675-41f7-9073-adf8b110dcf4
Line Numbers:
Raw Audit Messages :
avc: denied { getattr } for comm=tmpwatch dev=sda5 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=0
----
Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-74.fc8

How reproducible:
Apply all updates to fresh F8 install, run SELinux in enforcing mode, let
tmpwatch run, see SELinux deny it access to /var/spool/amavisd (if I'm reading
this right).

Steps to Reproduce:
1. Apply all updates to fresh F8 install
2. Run SELinux in enforcing mode
3. Let tmpwatch run
4. See SELinux deny it access to /var/spool/amavisd
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-01-21 18:31:29 UTC
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-79.fc8
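
Before loading a local module generated from the audit log, it helps to see exactly which allow rules the logged denials translate to. The following is an added example, not part of the bug report and not audit2allow's own code: it reproduces only the rule-derivation step, and the function names and the second sample denial (`search`) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the denial from this report on one line, a second
# constructed denial for the same types, and a non-AVC record.
SAMPLE_LOG = """\
avc: denied { getattr } for comm=tmpwatch dev=sda5 exe=/usr/sbin/tmpwatch path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:amavis_spool_t:s0
avc: denied { search } for comm=tmpwatch path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:amavis_spool_t:s0
type=SYSCALL msg=audit(0.0:1): arch=40000003 syscall=196 success=no exit=-13
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        fields = dict(FIELD_RE.findall(line[m.end():]))
        try:
            key = (context_type(fields["scontext"]),
                   context_type(fields["tcontext"]),
                   fields["tclass"])
        except (KeyError, ValueError):
            continue  # truncated or malformed record: skip rather than guess
        rules[key].update(m.group(1).split())
    return rules

def allow_rules(log_text):
    """Render the denials as policy allow rules, sorted for stable review."""
    out = []
    for (src, tgt, cls), perms in sorted(parse_denials(log_text).items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

For the single denial in this report the result is `allow tmpreaper_t amavis_spool_t:dir getattr;`, which is the scope of access a reviewer should expect a module built from this log to grant.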

Comment 2 Daniel Walsh 2008-03-05 22:17:21 UTC
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.

