Bug 460001 - selinux prevents courier-authlib from starting
Summary: selinux prevents courier-authlib from starting
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-08-25 15:29 UTC by Pierre Ossman
Modified: 2008-09-03 13:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-03 13:47:45 UTC
Type: ---
Embargoed:



Description Pierre Ossman 2008-08-25 15:29:14 UTC
courier's authlib daemon fails to start as selinux is preventing access to some files in /var/spool:

type=1400 audit(1219677683.507:30): avc:  denied  { search } for  pid=7714 comm="authdaemond" name="spool" dev=dm-0 ino=369092 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:31): avc:  denied  { write } for  pid=7714 comm="authdaemond" name="authdaemon" dev=dm-0 ino=368811 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:32): avc:  denied  { add_name } for  pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:33): avc:  denied  { create } for  pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.516:34): avc:  denied  { setattr } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.517:35): avc:  denied  { remove_name } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.517:36): avc:  denied  { rename } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file

369092 is /var/spool and 368811 is /var/spool/authdaemon.

So what needs to be done is probably:

1. grant courier_authdaemon_t the right to search var_spool_t
2. change /var/spool/authdaemon/* to have context courier_spool_t
3. grant courier_authdaemon_t full access to courier_spool_t

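The following is an added worked example, not part of the bug report, the Fedora selinux-policy package, or courier-authlib. It parses the seven AVC records quoted above, merges the denied permissions per (source type, target type, object class) the way audit2allow does, and renders the resulting allow rules as a type-enforcement module. It then models step 2 of the reporter's proposal (relabel /var/spool/authdaemon to courier_spool_t) to show why that is the narrower fix: only `search` is then needed on the generic var_spool_t. The module name courier_authdaemon_local and the name-based relabel matching are assumptions made for the example; real policy assigns labels by path through a file-contexts entry.

```python
"""Turn SELinux AVC denials into a minimal policy module (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The seven denials quoted in the report, copied verbatim from the bug.
SAMPLE_AVC = """\
type=1400 audit(1219677683.507:30): avc:  denied  { search } for  pid=7714 comm="authdaemond" name="spool" dev=dm-0 ino=369092 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:31): avc:  denied  { write } for  pid=7714 comm="authdaemond" name="authdaemon" dev=dm-0 ino=368811 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:32): avc:  denied  { add_name } for  pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:33): avc:  denied  { create } for  pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.516:34): avc:  denied  { setattr } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.517:35): avc:  denied  { remove_name } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.517:36): avc:  denied  { rename } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
"""

# 'avc:  denied  { perm perm } for ...' -> the permission list
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s')
# key=value or key="quoted value" pairs that follow
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type:level -> type (the only part allow rules care about)."""
    return context.split(':')[2]


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    stype: str
    ttype: str
    tclass: str
    name: str


def parse_avc(line):
    """Return a Denial for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return Denial(perms=frozenset(m.group('perms').split()),
                  stype=_type_of(fields['scontext']),
                  ttype=_type_of(fields['tcontext']),
                  tclass=fields['tclass'],
                  name=fields.get('name', ''))


def parse_log(text):
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def aggregate(denials):
    """Merge denials into {(stype, ttype, tclass): sorted perms}, as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d.stype, d.ttype, d.tclass)] |= d.perms
    return {k: sorted(v) for k, v in sorted(rules.items())}


def relabel(denials, names, new_type):
    """Model a file-context change (step 2 of the report): denials on objects whose
    audit 'name' is in `names` are treated as if those objects carried `new_type`.
    Matching by name is an assumption of this example; policy labels by path."""
    return [Denial(d.perms, d.stype, new_type, d.tclass, d.name) if d.name in names else d
            for d in denials]


def render_te(rules, module='courier_authdaemon_local'):
    """Render a type-enforcement module in the shape 'audit2allow -M' produces."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= set(perms)
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {{ {" ".join(p)} }};' for (s, t, c), p in rules.items()]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    denials = parse_log(SAMPLE_AVC)
    print('# what audit2allow would grant (everything that was denied):')
    print(render_te(aggregate(denials)))
    print('# after relabeling /var/spool/authdaemon and its socket to courier_spool_t:')
    print(render_te(aggregate(relabel(denials, {'authdaemon', 'socket.tmp'}, 'courier_spool_t'))))
```

The first rendering gives the daemon write, add_name and remove_name on every var_spool_t directory, which is the over-broad result of feeding denials straight into audit2allow. The second rendering keeps the generic grant at `search` and moves the write-side permissions onto courier_spool_t, which is what the shipped fix does through the distribution policy rather than a local module; for a local module the relabel only takes effect after a matching file-contexts entry is installed and the directory is relabeled with restorecon.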
Comment 1 Daniel Walsh 2008-08-27 00:33:38 UTC
Fixed in selinux-policy-3.3.1-87.fc9.noarch

Comment 2 Pierre Ossman 2008-09-02 21:03:48 UTC
Sorry for not testing sooner, but the fix does indeed properly solve the problem. Thanks. :)

