I'm getting

type=AVC msg=audit(1210966532.947:773): avc: denied { write } for pid=5077 comm="spamass-milter" name="spamass-milter.pid" dev=dm-0 ino=2359648 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file

errors with selinux-policy-targeted-3.3.1-51.fc9.noarch. I've tried restorecon on just the pid file and relabeling the entire file system.

You have to turn auditing on (in s-c-selinux) just to see the failure; otherwise it just fails silently, and in a weird way. (It appears to be running but thinks it's not because it can't write to its pid file.)

I've tried this:

[root@freeside run]# chcon unconfined_u:system_r:spamd_t:s0 spamass-milter.pid
chcon: failed to change context of `spamass-milter.pid' to `unconfined_u:system_r:spamd_t:s0': Permission denied
[root@freeside run]#

I haven't found a way to work around it short of going to permissive mode.
Why is spamd trying to write a pid file owned by spamass-milter?
From the avc, spamass-milter is what's being run and trying to write the pid file. It has a spamd context:

[root@freeside tjb]# restorecon -v /usr/sbin/spamass-milter
[root@freeside tjb]# ls -lZ /usr/sbin/spamass-milter
-rwxr-xr-x root root system_u:object_r:spamd_exec_t:s0 /usr/sbin/spamass-milter
[root@freeside tjb]#
The problem here is the initrc is creating the pid file with the wrong context. The init script should either allow the daemon to create the pid file or run restorecon after it creates it.
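The diagnosis above can be read directly off the AVC record. The following is an added example, not part of the original thread or the Fedora policy: it parses denial lines and flags the case described here, a confined daemon denied access to a file that still carries the init script's `initrc_var_run_t` label. The function names and the second log record are constructed for illustration.

```python
import re

# First record: the denial quoted in the report. Second: constructed for contrast.
SAMPLE_LOG = (
    'type=AVC msg=audit(1210966532.947:773): avc: denied { write } for pid=5077 '
    'comm="spamass-milter" name="spamass-milter.pid" dev=dm-0 ino=2359648 '
    'scontext=unconfined_u:system_r:spamd_t:s0 '
    'tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file\n'
    'type=AVC msg=audit(1210966540.101:780): avc: denied { read } for pid=5100 '
    'comm="example" name="example.conf" dev=dm-0 ino=1 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one AVC denial line into a dict, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    for side in ("scontext", "tcontext"):
        # user:role:type:level[:categories] -> the type is always the third field
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def init_labeled_denials(log):
    """Denials where a non-init domain hit a file still labeled initrc_var_run_t."""
    records = [r for r in map(parse_avc, log.splitlines()) if r]
    return [r for r in records
            if r["tcontext_type"] == "initrc_var_run_t"
            and r["scontext_type"] != "initrc_t"]


def summarize(rec):
    return (f'{rec["comm"]} ({rec["scontext_type"]}) denied '
            f'{",".join(rec["perms"])} on {rec["name"]} '
            f'[{rec["tcontext_type"]}]: run restorecon on it after creation')


if __name__ == "__main__":
    for rec in init_labeled_denials(SAMPLE_LOG):
        print(summarize(rec))
```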
Using my new spamass-milter policy should help: https://bugzilla.redhat.com/show_bug.cgi?id=452248#c11
I've created a separate ticket (Bug #483849) requesting that my milter policy module be merged into F-9 and F-10 policy (it is already upstream and in Rawhide). The policy update would fix more than just this bug.
spamass-milter-0.3.1-13.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc10
spamass-milter-0.3.1-13.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc9
spamass-milter-0.3.1-13.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
spamass-milter-0.3.1-13.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.