Bug 452571 - SELinux is preventing the spamc from using potentially mislabeled files (/home/davej/Mail/procmail.log).
SELinux is preventing the spamc from using potentially mislabeled files (/hom...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-23 15:45 EDT by Dave Jones
Modified: 2015-01-04 17:30 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:04:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dave Jones 2008-06-23 15:45:18 EDT
my procmailrc has this..

LOGFILE=$HOME/Mail/procmail.log

# a spam assassin invocation
:0fw
* < 256000
| /usr/bin/spamc

This causes..

host=gelk type=AVC msg=audit(1214248091.620:1740): avc: denied { append } for
pid=23143 comm="spamc" path="/home/davej/Mail/procmail.log" dev=md0 ino=58917117
scontext=system_u:system_r:spamc_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file host=gelk type=SYSCALL
msg=audit(1214248091.620:1740): arch=c000003e syscall=59 success=yes exit=0
a0=16ae310 a1=16b0050 a2=16b0140 a3=8 items=0 ppid=23142 pid=23143
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc"
subj=system_u:system_r:spamc_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-06-24 05:59:13 EDT
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-71.fc9.noarch
Comment 2 Daniel Walsh 2008-11-17 17:04:45 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.