Bug 460001 - selinux prevents courier-authlib from starting
Summary: selinux prevents courier-authlib from starting
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-25 15:29 UTC by Pierre Ossman
Modified: 2008-09-03 13:47 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-03 13:47:45 UTC
Type: ---


Attachments (Terms of Use)

Description Pierre Ossman 2008-08-25 15:29:14 UTC
courier's authlib daemon fails to start as selinux is preventing access to some files in /var/spool:

type=1400 audit(1219677683.507:30): avc:  denied  { search } for  pid=7714 comm="authdaemond" name="spool" dev=dm-0 ino=369092 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:31): avc:  denied  { write } for  pid=7714 comm="authdaemond" name="authdaemon" dev=dm-0 ino=368811 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:32): avc:  denied  { add_name } for  pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.515:33): avc:  denied  { create } for  pid=7714 comm="authdaemond" name="socket.tmp" scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.516:34): avc:  denied  { setattr } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file
type=1400 audit(1219677683.517:35): avc:  denied  { remove_name } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=1400 audit(1219677683.517:36): avc:  denied  { rename } for  pid=7714 comm="authdaemond" name="socket.tmp" dev=dm-0 ino=368739 scontext=unconfined_u:system_r:courier_authdaemon_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=sock_file

369092 is /var/spool and 368811 is /var/spool/authdaemon.

So what needs to be done is probably:

1. grant courier_authdaemon_t the right to search var_spool_t
2. change /var/spool/authdaemon/* to have context courier_spool_t
3. grant courier_authdaemon_t full access to courier_spool_t

Comment 1 Daniel Walsh 2008-08-27 00:33:38 UTC
Fixed in selinux-policy-3.3.1-87.fc9.noarch

Comment 2 Pierre Ossman 2008-09-02 21:03:48 UTC
Sorry for not testing sooner, but the fix does indeed properly solve the problem. Thanks. :)


Note You need to log in before you can comment on or make changes to this bug.