Bug 429568 - SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/spool/amavisd (amavis_spool_t)
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/spoo...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2008-01-21 13:02 EST by owen
Modified: 2008-03-05 17:17 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-03-05 17:17:21 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description owen 2008-01-21 13:02:45 EST
Description of problem:
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to
/var/spool/amavisd (amavis_spool_t).

From SELinux dialog:
Source Context:  system_u:system_r:tmpreaper_t:s0Target
Context:  system_u:object_r:amavis_spool_t:s0Target Objects:  /var/spool/amavisd
[ dir ]Affected RPM Packages:  tmpwatch-2.9.11-2
[application]amavisd-new-2.5.2-2.fc8 [target]Policy
RPM:  selinux-policy-3.0.8-74.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.catchall_fileHost
Name:  mail.metamachine.comPlatform:  Linux mail.metamachine.com
#1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686Alert Count:  2First Seen:  Sun 20
Jan 2008 03:59:50 PM PSTLast Seen:  Sun 20 Jan 2008 03:59:50 PM PSTLocal
ID:  8b0ced41-4675-41f7-9073-adf8b110dcf4Line Numbers:  Raw Audit Messages :avc:
denied { getattr } for comm=tmpwatch dev=sda5 egid=0 euid=0
exe=/usr/sbin/tmpwatch exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path=/var/spool/amavisd pid=4836 scontext=system_u:system_r:tmpreaper_t:s0
sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=0 
Version-Release number of selected component (if applicable):

How reproducible:
Apply all updates to fresh F8 install, run SELinux in enforcing mode, let
tmpwatch run, see SELinux deny it access to /var/spool/amavisd (if I'm reading
this right).

Steps to Reproduce:
1. Apply all updates to fresh F8 install
2. Run SELinux in enforcing mode
3. Let tmpwatch run
4. See SELinux deny it access to /var/spool/amavisd
Actual results:

Expected results:

Additional info:
Comment 1 Daniel Walsh 2008-01-21 13:31:29 EST
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-79.fc8
Comment 2 Daniel Walsh 2008-03-05 17:17:21 EST
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.

Note You need to log in before you can comment on or make changes to this bug.