476333 – memcached-selinux package causing a smörgåsbord of problems during SELinux upgrade process

Bug 476333 - memcached-selinux package causing a smörgåsbord of problems during SELinux upgrade process

Summary: memcached-selinux package causing a smörgåsbord of problems during SELinux up...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	memcached
Sub Component:
Version:	10
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Paul Lindner
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-12-13 06:05 UTC by Naveed Hasan
Modified:	2009-03-27 18:41 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-03-27 18:41:47 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
SELinux alerts - First boot today (6.16 KB, application/x-bzip) 2008-12-13 06:07 UTC, Naveed Hasan	no flags	Details
SELinux alerts - Second boot today (5.68 KB, application/x-bzip) 2008-12-13 06:08 UTC, Naveed Hasan	no flags	Details
SELinux alerts - Collected after running a while (4.10 KB, application/x-bzip) 2008-12-13 06:09 UTC, Naveed Hasan	no flags	Details
SELinux alerts - All stable updates installed as of 2008-12-24 (8.24 KB, application/x-bzip) 2008-12-27 22:02 UTC, Naveed Hasan	no flags	Details
semodule Failed (4.53 KB, text/plain) 2009-01-10 10:55 UTC, Naveed Hasan	no flags	Details
SELinux alerts - One gdm alert remains after removing memcached-selinux (2.51 KB, text/plain) 2009-01-14 21:05 UTC, Naveed Hasan	no flags	Details
Show Obsolete (5) View All

Description Naveed Hasan 2008-12-13 06:05:25 UTC

The most prominent of which is that gdm does start properly when SELinux is set to enforcing. No background picture appears and three alerts pop up immediately about gnome-power-manager settings being missing (which they are not). The /tmp/orbit-gdm ends up empty, with a 1969 create date. Everything is fine with gdm when I boot into permissive mode.

There are other programs that alert after logging in as well, including awstats, certwatch, sadc and sendmail. I am attaching a few selinux_alert files saved from the setroubleshoot browser with all the gory details, captured throughout the course of only today (two boots). Below is a summary of the errors contained within. Thanks for any help!

--

SELinux is preventing awstats_updatea (awstats_t) "read" to inotify
SELinux is preventing certwatch (certwatch_t) "getsched" certwatch_t.
SELinux is preventing certwatch (certwatch_t) "read" to tmp (usr_t).
SELinux is preventing certwatch (certwatch_t) "sys_nice" certwatch_t.
SELinux is preventing gconfd-2 (xdm_dbusd_t) "append" to ./saved_state
SELinux is preventing gconfd-2 (xdm_dbusd_t) "connectto" xdm_dbusd_t.
SELinux is preventing gconfd-2 (xdm_dbusd_t) "connectto" xdm_t.
SELinux is preventing gconfd-2 (xdm_dbusd_t) "execute" to ./gconfd-2
SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to
SELinux is preventing gconfd-2 (xdm_dbusd_t) "getsched" xdm_dbusd_t.
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./accessibility
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.mandatory
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.path
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./%gconf.xml
SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to
SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to ./%gconf.xml.new
SELinux is preventing gconfd-2 (xdm_dbusd_t) "rename" to ./%gconf.xml.new
SELinux is preventing gconfd-2 (xdm_dbusd_t) "search" to ./dbus
SELinux is preventing gconfd-2 (xdm_dbusd_t) "setattr" to ./%gconf.xml.new
SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./.gconf
SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./keyboard
SELinux is preventing gnome-session (xdm_t) "getattr" to /tmp/orbit-gdm
SELinux is preventing gnome-session (xdm_t) "search" to ./orbit-gdm
SELinux is preventing gnome-session (xdm_t) "setattr" to ./orbit-gdm
SELinux is preventing metacity (xdm_t) "getattr" to /tmp/orbit-gdm
SELinux is preventing metacity (xdm_t) "search" to ./orbit-gdm
SELinux is preventing metacity (xdm_t) "setattr" to ./orbit-gdm
SELinux is preventing sadc (sysstat_t) "read" to inotify (inotifyfs_t).
SELinux is preventing sendmail (system_mail_t) "read" to /var/log/maillog
SELinux is preventing the certwatch from using potentially mislabeled files
SELinux is preventing the gconfd-2 from using potentially mislabeled files
SELinux is preventing the gdm-simple-gree from using potentially mislabeled
SELinux is preventing the gnome-session from using potentially mislabeled files
SELinux is preventing the metacity from using potentially mislabeled files
SELinux prevented certwatch from reading from the urandom device.

Comment 1 Naveed Hasan 2008-12-13 06:07:18 UTC

Created attachment 326801 [details]
SELinux alerts - First boot today

Comment 2 Naveed Hasan 2008-12-13 06:08:05 UTC

Created attachment 326802 [details]
SELinux alerts - Second boot today

Comment 3 Naveed Hasan 2008-12-13 06:09:17 UTC

Created attachment 326803 [details]
SELinux alerts - Collected after running a while

Comment 4 Daniel Walsh 2008-12-15 15:13:51 UTC

These are all fixed in the latest policy
selinux-policy-3.5.13-34.fc10

Comment 5 Naveed Hasan 2008-12-27 22:00:23 UTC

I'm still seeing all of the alerts with the latest updates installed and a complete file system relabeling. Here's a new summary -

--

SELinux is preventing awstats_updatea (awstats_t) "read" to inotify (inotifyfs_t).
SELinux is preventing certwatch (certwatch_t) "getsched" certwatch_t.
SELinux is preventing certwatch (certwatch_t) "read" to tmp (usr_t).
SELinux is preventing certwatch (certwatch_t) "sys_nice" certwatch_t.
SELinux is preventing gconfd-2 (xdm_dbusd_t) "append" to ./saved_state (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "connectto" xdm_dbusd_t.
SELinux is preventing gconfd-2 (xdm_dbusd_t) "execute" to ./gconfd-2 (gconfd_exec_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to /var/lib/gdm/.gconf/desktop/gnome/accessibility/keyboard/%gconf.xml
SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to /var/lib/gdm/.gconf/desktop/gnome/accessibility/keyboard/%gconf.xml.new
SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to /var/lib/gdm/.gconf.path (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "getsched" xdm_dbusd_t.
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./accessibility (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.mandatory (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.path (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./%gconf.xml (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to ./%gconf.xml.new (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to ./.testing.writeability (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "search" to ./dbus (system_dbusd_var_run_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "setattr" to ./%gconf.xml.new (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./.gconf (xdm_var_lib_t).
SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./keyboard (xdm_var_lib_t).
SELinux is preventing gconftool-2 (xdm_t) "getattr" to /tmp/orbit-gdm (xdm_dbusd_tmp_t).
SELinux is preventing gconftool-2 (xdm_t) "setattr" to ./orbit-gdm (xdm_dbusd_tmp_t).
SELinux is preventing gdm-simple-gree (xdm_t) "search" to ./orbit-gdm (xdm_dbusd_tmp_t).
SELinux is preventing sadc (sysstat_t) "read" to inotify (inotifyfs_t).
SELinux is preventing sendmail (system_mail_t) "read" to /var/log/maillog (var_log_t).
SELinux is preventing the certwatch from using potentially mislabeled files (./tmp).
SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-a8a-0-255316847cc8f).
SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-aff-0-1300d7fc779e0).
SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-b24-0-28e3d38bd330e).
SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-ddb-0-2c216f25c8933).
SELinux is preventing the gconftool-2 from using potentially mislabeled files (linc-aff-0-1300d7fc779e0).
SELinux is preventing the gconftool-2 from using potentially mislabeled files (./linc-ddb-0-2c216f25c8933).
SELinux is preventing the gnome-session from using potentially mislabeled files (./orbit-gdm).
SELinux is preventing the metacity from using potentially mislabeled files (linc-b24-0-28e3d38bd330e).
SELinux prevented certwatch from reading from the urandom device.

Comment 6 Naveed Hasan 2008-12-27 22:02:40 UTC

Created attachment 327890 [details]
SELinux alerts - All stable updates installed as of 2008-12-24

Comment 7 Naveed Hasan 2009-01-10 10:55:54 UTC

Created attachment 328615 [details]
semodule Failed

Still seeing the same problems with 3.5.13-38 installed. Here's some error output I am seeing while updating SELinux. Possibly related to this issue?

Comment 8 Daniel Walsh 2009-01-12 20:25:45 UTC

Seems you have a policy module that uses memcached instead of memcache, which is preventing the update.

Can you remove your policy module in order to get the upgrade to work.

Comment 9 Naveed Hasan 2009-01-13 07:43:33 UTC

I uninstalled memcached-selinux-1.2.5-2.fc10.x86_64 (tagged f10-final) and reinstalled the SELinux 3.5.13-38 RPMs. I also did an autorelabel for good measure. This appears to have fixed the gdm issues at boot time, which I described in the initial comment of this bug. I'll run this setup for a while and see if any of the other alerts recur.

Clearly something is missing from the current set of "latest" updates. Either the memcached-selinux package should have been obsoleted by one of the newer selinux policy packages -- or there needs to be an update to memcached to prevent this conflict from happening. Thanks for your help.

Comment 10 Naveed Hasan 2009-01-14 21:05:56 UTC

Created attachment 329046 [details]
SELinux alerts - One gdm alert remains after removing memcached-selinux

This new one is most likely valid.

Comment 11 Daniel Walsh 2009-01-15 16:06:11 UTC

You have a file named bash that is labeled usr_t?  If this is the shell it is badly mislabeled.  You can try to run restorecon on the file to fix its label.

bash the shell should be labeled shell_exec_t

Comment 12 Naveed Hasan 2009-01-16 04:57:48 UTC

After a quick locate, I found that the file /usr/share/Modules/init/bash from package environment-modules-3.2.6-6.fc10.x86_64 is the culprit in the last alert. This is a separate issue for which I'll open another bz shortly.

Comment 13 Naveed Hasan 2009-01-16 05:11:29 UTC

Comment on attachment 329046 [details]
SELinux alerts - One gdm alert remains after removing memcached-selinux

Migrated to separate bz at https://bugzilla.redhat.com/show_bug.cgi?id=480273

Comment 14 Eddie Lania 2009-03-27 08:51:51 UTC

SELinux is preventing sh (awstats_t) "read" to ./maillog (var_log_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./maillog,

restorecon -v './maillog'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:awstats_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                ./maillog [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           bash-3.2-30.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-49.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23
                              13:21:22 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri Mar 27 09:01:03 2009
Last Seen                     Fri Mar 27 09:01:03 2009
Local ID                      667413ff-f1a5-47d6-89df-625f3da591a9
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1238140863.516:107): avc:  denied  { read } for  pid=3595 comm="sh" name="maillog" dev=sda2 ino=1267499 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238140863.516:107): arch=40000003 syscall=5 success=yes exit=3 a0=8d0a758 a1=8000 a2=0 a3=8000 items=0 ppid=3594 pid=3595 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="sh" exe="/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)

Comment 15 Eddie Lania 2009-03-27 09:03:29 UTC

SELinux is preventing named (named_t) "append" to /var/log/update-debug.log
(named_conf_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by named. /var/log/update-debug.log may be a
mislabeled. /var/log/update-debug.log default SELinux type is var_log_t, but its
current type is named_conf_t. Changing this file back to the default type, may
fix your problem.

Named, however, is running in chrooted env.

So the file actually is /var/named/chroot/var/log/update-debug.log

How to solve this?

restorecon -R /var/named/chroot/var/log?

Comment 16 Eddie Lania 2009-03-27 09:05:18 UTC

SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t).

Comment 17 Eddie Lania 2009-03-27 09:24:14 UTC

Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24
Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf
Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 08:43:39 ls2ka setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete SELinux messages. run sealert -l 669a4274-f874-48f0-9ad7-a7529e927dfc
Mar 27 08:43:46 ls2ka setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn-status.log (openvpn_etc_t). For complete SELinux messages. run sealert -l e2fe14e3-1d73-4456-93fb-eceb4a7017a4
Mar 27 08:44:12 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 08:44:13 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 08:44:13 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 08:44:15 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 08:45:46 ls2ka setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to /etc/openvpn/openvpn-status.log (openvpn_etc_t). For complete SELinux messages. run sealert -l 0eed4005-a639-4f49-8000-f7d10b74957e
Mar 27 08:46:05 ls2ka setroubleshoot: SELinux is preventing named (named_t) "append" to /var/log/update-debug.log (named_conf_t). For complete SELinux messages. run sealert -l e657fe39-e17b-49fd-9625-f97a8b23a40c
Mar 27 08:46:46 ls2ka setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to /etc/openvpn/openvpn-status.log (openvpn_etc_t). For complete SELinux messages. run sealert -l 0eed4005-a639-4f49-8000-f7d10b74957e
Mar 27 08:49:03 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 08:49:03 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24
Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf
Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 08:49:05 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 27 08:49:07 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 09:01:03 ls2ka setroubleshoot: SELinux is preventing sh (awstats_t) "read" to ./maillog (var_log_t). For complete SELinux messages. run sealert -l 667413ff-f1a5-47d6-89df-625f3da591a9
Mar 27 09:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621
Mar 27 09:01:04 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9
Mar 27 09:02:33 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24
Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf
Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 09:02:35 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 09:02:35 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 27 09:02:35 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 09:02:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 09:02:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 09:02:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 09:02:59 ls2ka setroubleshoot: SELinux is preventing named (named_t) "append" to /var/log/update-debug.log (named_conf_t). For complete SELinux messages. run sealert -l e657fe39-e17b-49fd-9625-f97a8b23a40c
Mar 27 09:03:39 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24
Mar 27 09:03:39 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf
Mar 27 09:05:27 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 09:05:27 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 09:05:27 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 27 09:19:53 ls2ka setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l 0307d106-f6a6-4d12-a601-d7ea2b698708
Mar 27 09:19:53 ls2ka setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l cdd0ae86-5c73-41ac-b8f2-0f64d87dc31d
Mar 27 09:19:53 ls2ka setroubleshoot: SELinux prevented httpd reading access to http files. For complete SELinux messages. run sealert -l 437c8123-b20a-4c8a-9ec0-8ce7d9235900
Mar 27 09:41:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 09:41:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 09:41:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 09:41:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 09:45:10 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 09:45:10 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24
Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf
Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 09:45:12 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 27 09:45:12 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 09:46:30 ls2ka setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete SELinux messages. run sealert -l 669a4274-f874-48f0-9ad7-a7529e927dfc
Mar 27 10:00:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 10:00:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 10:00:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 10:00:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing sh (awstats_t) "read" to ./maillog (var_log_t). For complete SELinux messages. run sealert -l 667413ff-f1a5-47d6-89df-625f3da591a9
Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621
Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9
Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24
Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf
Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 10:01:11 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 27 10:07:51 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 10:07:51 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 10:07:52 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 10:09:36 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 10:11:51 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35
Mar 27 10:11:52 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac
Mar 27 10:11:52 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7
Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24
Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf
Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e
Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240
Mar 27 10:12:01 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "rename" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 8d52e2d1-a418-48bf-a0f8-1f13dbfcb8de
Mar 27 10:12:01 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "unlink" to ./bayes_journal.old (var_lib_t). For complete SELinux messages. run sealert -l ff76b78f-555b-42ec-95b9-41d53641b566
Mar 27 10:14:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e
Mar 27 10:14:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e
Mar 27 10:14:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e


I can't get those messages out of the way, restorecon doesn't seem to help.

Comment 18 Miroslav Grepl 2009-03-27 10:46:38 UTC

Eddie,
it would be better open a new separate bugzillas for each your report with appropriate component in this case selinux-policy.

Note You need to log in before you can comment on or make changes to this bug.