Bug 446975 - spamass-milter pid file denials
Summary: spamass-milter pid file denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: spamass-milter
Version: 9
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 483849
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-16 19:47 UTC by Thomas J. Baker
Modified: 2009-04-24 19:54 UTC (History)
0 users

Fixed In Version: 0.3.1-13.fc9
Clone Of:
Environment:
Last Closed: 2009-04-23 10:18:03 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Thomas J. Baker 2008-05-16 19:47:31 UTC 
I'm getting 

type=AVC msg=audit(1210966532.947:773): avc:  denied  { write } for  pid=5077
comm="spamass-milter" name="spamass-milter.pid" dev=dm-0 ino=2359648
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file

errors with selinux-policy-targeted-3.3.1-51.fc9.noarch. I've tried restorecon
on just the pid file and relabeling the entire file system. You have to turn
auditing on (in s-c-selinux) just to see the failure, otherwise it just fails
silently, and in a weird way. (It appears to be running but thinks it's not
because it can't write to it's pid file.)

I've tried this:

[root@freeside run]#  chcon unconfined_u:system_r:spamd_t:s0  spamass-milter.pid 
chcon: failed to change context of `spamass-milter.pid' to
`unconfined_u:system_r:spamd_t:s0': Permission denied
[root@freeside run]# 

I haven't found a way to work around it short of going to permissive mode.
Comment 1 Daniel Walsh 2008-05-16 21:09:50 UTC 
Why is spamd trying to write a pid file owened by spamass-milter?
Comment 2 Thomas J. Baker 2008-05-17 00:03:59 UTC 
From the avc, spamass-milter is what's being run and trying to write the pid
file. It has a spamd context:

[root@freeside tjb]# restorecon -v /usr/sbin/spamass-milter
[root@freeside tjb]# ls -lZ /usr/sbin/spamass-milter
-rwxr-xr-x  root root system_u:object_r:spamd_exec_t:s0 /usr/sbin/spamass-milter
[root@freeside tjb]#
Comment 3 Daniel Walsh 2008-09-08 19:36:12 UTC 
The problem here is the initrc is creating the pid file with the wrong context.  The init script should either allow the daemon to create the pid file or run restorecon after it creates it.
Comment 4 Paul Howarth 2008-09-08 23:09:21 UTC 
Using my new spamass-milter policy should help:

https://bugzilla.redhat.com/show_bug.cgi?id=452248#c11
Comment 5 Paul Howarth 2009-02-03 22:00:49 UTC 
I've created a separate ticket (Bug #483849) requesting that my milter policy module be merged into F-9 and F-10 policy (it is already upstream and in Rawhide). The policy update would fix more than just this bug.
Comment 6 Fedora Update System 2009-04-03 15:43:28 UTC 
spamass-milter-0.3.1-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc10
Comment 7 Fedora Update System 2009-04-03 15:47:06 UTC 
spamass-milter-0.3.1-13.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc9
Comment 8 Fedora Update System 2009-04-22 20:28:01 UTC 
spamass-milter-0.3.1-13.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-04-24 19:54:43 UTC 
spamass-milter-0.3.1-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.