Bug 446975 - spamass-milter pid file denials
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: spamass-milter
Version: 9
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
Depends On: 483849
Reported: 2008-05-16 15:47 EDT by Thomas J. Baker
Modified: 2009-04-24 15:54 EDT
Fixed In Version: 0.3.1-13.fc9
Doc Type: Bug Fix
Last Closed: 2009-04-23 06:18:03 EDT


Description Thomas J. Baker 2008-05-16 15:47:31 EDT
I'm getting 

type=AVC msg=audit(1210966532.947:773): avc:  denied  { write } for  pid=5077
comm="spamass-milter" name="spamass-milter.pid" dev=dm-0 ino=2359648
scontext=unconfined_u:system_r:spamd_t:s0
tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file

errors with selinux-policy-targeted-3.3.1-51.fc9.noarch. I've tried restorecon
on just the pid file and relabeling the entire file system. You have to turn
auditing on (in s-c-selinux) just to see the failure, otherwise it just fails
silently, and in a weird way. (It appears to be running but thinks it's not
because it can't write to its pid file.)

I've tried this:

[root@freeside run]#  chcon unconfined_u:system_r:spamd_t:s0  spamass-milter.pid 
chcon: failed to change context of `spamass-milter.pid' to
`unconfined_u:system_r:spamd_t:s0': Permission denied
[root@freeside run]# 

I haven't found a way to work around it short of going to permissive mode.
Comment 1 Daniel Walsh 2008-05-16 17:09:50 EDT
Why is spamd trying to write a pid file owned by spamass-milter?
Comment 2 Thomas J. Baker 2008-05-16 20:03:59 EDT
From the avc, spamass-milter is what's being run and trying to write the pid
file. It has a spamd context:

[root@freeside tjb]# restorecon -v /usr/sbin/spamass-milter
[root@freeside tjb]# ls -lZ /usr/sbin/spamass-milter
-rwxr-xr-x  root root system_u:object_r:spamd_exec_t:s0 /usr/sbin/spamass-milter
[root@freeside tjb]# 
Comment 3 Daniel Walsh 2008-09-08 15:36:12 EDT
The problem here is the initrc is creating the pid file with the wrong context.  The init script should either allow the daemon to create the pid file or run restorecon after it creates it.
Comment 4 Paul Howarth 2008-09-08 19:09:21 EDT
Using my new spamass-milter policy should help:

https://bugzilla.redhat.com/show_bug.cgi?id=452248#c11
Comment 5 Paul Howarth 2009-02-03 17:00:49 EST
I've created a separate ticket (Bug #483849) requesting that my milter policy module be merged into F-9 and F-10 policy (it is already upstream and in Rawhide). The policy update would fix more than just this bug.
Comment 6 Fedora Update System 2009-04-03 11:43:28 EDT
spamass-milter-0.3.1-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc10
Comment 7 Fedora Update System 2009-04-03 11:47:06 EDT
spamass-milter-0.3.1-13.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc9
Comment 8 Fedora Update System 2009-04-22 16:28:01 EDT
spamass-milter-0.3.1-13.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-04-24 15:54:43 EDT
spamass-milter-0.3.1-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
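
Added example, not part of the bug report or of any Fedora package: a small parser that splits an AVC record into its fields and flags the pattern diagnosed in Comment 3, a daemon denied access to a pid file that carries the init script's label. The function names are hypothetical, REPORTED is the denial from the description joined onto one line, and CONSTRUCTED is a made-up contrast record.

```python
import re
import shlex

# The denial from the report, joined onto one line as it appears in audit.log.
REPORTED = (
    'type=AVC msg=audit(1210966532.947:773): avc:  denied  { write } for  pid=5077 '
    'comm="spamass-milter" name="spamass-milter.pid" dev=dm-0 ino=2359648 '
    'scontext=unconfined_u:system_r:spamd_t:s0 '
    'tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file'
)
# Constructed contrast record (not from the report): placeholder target type.
CONSTRUCTED = REPORTED.replace('initrc_var_run_t', 'example_var_run_t')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m['result'], 'perms': m['perms'].split()}
    for tok in shlex.split(m['rest']):          # shlex strips the "quotes"
        key, sep, val = tok.partition('=')
        if sep:
            rec[key] = val
    # A context is user:role:type:level; the type is what policy rules match on.
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':')
        rec[side[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec


def diagnose(rec):
    """Return a hint when a denial hits a pid file labelled by the init script."""
    if (rec and rec['result'] == 'denied' and rec.get('tclass') == 'file'
            and rec.get('ttype') == 'initrc_var_run_t'
            and rec.get('name', '').endswith('.pid')):
        return ('%s (%s) denied %s on %s: pid file has the init script label; '
                'let the daemon create it or run restorecon after creating it'
                % (rec['comm'], rec['stype'], '/'.join(rec['perms']), rec['name']))
    return None


if __name__ == '__main__':
    for line in (REPORTED, CONSTRUCTED):
        print(diagnose(parse_avc(line)))
```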
