Description of problem:
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/spool/amavisd (amavis_spool_t).

From SELinux dialog:
----
Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:amavis_spool_t:s0
Target Objects: /var/spool/amavisd [ dir ]
Affected RPM Packages: tmpwatch-2.9.11-2 [application]
                       amavisd-new-2.5.2-2.fc8 [target]
Policy RPM: selinux-policy-3.0.8-74.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: mail.metamachine.com
Platform: Linux mail.metamachine.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count: 2
First Seen: Sun 20 Jan 2008 03:59:50 PM PST
Last Seen: Sun 20 Jan 2008 03:59:50 PM PST
Local ID: 8b0ced41-4675-41f7-9073-adf8b110dcf4
Line Numbers:

Raw Audit Messages :
avc: denied { getattr } for comm=tmpwatch dev=sda5 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=0
----

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-74.fc8

How reproducible:
Apply all updates to fresh F8 install, run SELinux in enforcing mode, let tmpwatch run, see SELinux deny it access to /var/spool/amavisd (if I'm reading this right).

Steps to Reproduce:
1. Apply all updates to fresh F8 install
2. Run SELinux in enforcing mode
3. Let tmpwatch run
4. See SELinux deny it access to /var/spool/amavisd

Actual results:

Expected results:

Additional info:
# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-79.fc8
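
Added example, not part of the original report or of the selinux-policy project: a small Python parser that reduces the AVC denial quoted above to an allow rule of the form audit2allow writes into a generated module. Because the command above reads the whole audit.log, every denial recorded there ends up in mypol, so the sketch also shows restricting the output to the tmpreaper_t source domain before anything is loaded. The second log record and the names parse_avc, te_rules and SAMPLE_LOG are constructed for this illustration.

```python
import re
from collections import defaultdict

# First record: the denial quoted in this report. Second record: constructed
# here to stand in for an unrelated denial sitting in the same audit.log.
SAMPLE_LOG = [
    "avc: denied { getattr } for comm=tmpwatch dev=sda5 egid=0 euid=0 "
    "exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0 "
    "path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0 "
    "sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir "
    "tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=0",
    "avc: denied { read } for comm=httpd path=/home/alice/notes.txt pid=4901 "
    "scontext=system_u:system_r:httpd_t:s0 tclass=file "
    "tcontext=system_u:object_r:user_home_t:s0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if m is None or not m.group(1).split():
        return None
    fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    try:
        # A context is user:role:type[:level]; policy rules name only the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        return source, target, fields["tclass"], m.group(1).split()
    except (KeyError, IndexError):
        return None

def te_rules(lines, only_source=None):
    """Merge denials into allow rules, optionally for one source domain."""
    grouped = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        source, target, tclass, perms = parsed
        if only_source is None or source == only_source:
            grouped[(source, target, tclass)].update(perms)
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules
```

Calling te_rules(SAMPLE_LOG, only_source="tmpreaper_t") returns only the rule for this bug; without the filter the constructed httpd_t denial is turned into a rule as well.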
Bugs have been in modified for over one month. Closing as fixed in current release; please reopen if the problem still persists.