The most prominent of which is that gdm does start properly when SELinux is set to enforcing. No background picture appears and three alerts pop up immediately about gnome-power-manager settings being missing (which they are not). The /tmp/orbit-gdm ends up empty, with a 1969 create date. Everything is fine with gdm when I boot into permissive mode. There are other programs that alert after logging in as well, including awstats, certwatch, sadc and sendmail. I am attaching a few selinux_alert files saved from the setroubleshoot browser with all the gory details, captured throughout the course of only today (two boots). Below is a summary of the errors contained within. Thanks for any help! -- SELinux is preventing awstats_updatea (awstats_t) "read" to inotify SELinux is preventing certwatch (certwatch_t) "getsched" certwatch_t. SELinux is preventing certwatch (certwatch_t) "read" to tmp (usr_t). SELinux is preventing certwatch (certwatch_t) "sys_nice" certwatch_t. SELinux is preventing gconfd-2 (xdm_dbusd_t) "append" to ./saved_state SELinux is preventing gconfd-2 (xdm_dbusd_t) "connectto" xdm_dbusd_t. SELinux is preventing gconfd-2 (xdm_dbusd_t) "connectto" xdm_t. SELinux is preventing gconfd-2 (xdm_dbusd_t) "execute" to ./gconfd-2 SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to SELinux is preventing gconfd-2 (xdm_dbusd_t) "getsched" xdm_dbusd_t. SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./accessibility SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.mandatory SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.path SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./%gconf.xml SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to ./%gconf.xml.new SELinux is preventing gconfd-2 (xdm_dbusd_t) "rename" to ./%gconf.xml.new SELinux is preventing gconfd-2 (xdm_dbusd_t) "search" to ./dbus SELinux is preventing gconfd-2 (xdm_dbusd_t) "setattr" to ./%gconf.xml.new SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./.gconf SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./keyboard SELinux is preventing gnome-session (xdm_t) "getattr" to /tmp/orbit-gdm SELinux is preventing gnome-session (xdm_t) "search" to ./orbit-gdm SELinux is preventing gnome-session (xdm_t) "setattr" to ./orbit-gdm SELinux is preventing metacity (xdm_t) "getattr" to /tmp/orbit-gdm SELinux is preventing metacity (xdm_t) "search" to ./orbit-gdm SELinux is preventing metacity (xdm_t) "setattr" to ./orbit-gdm SELinux is preventing sadc (sysstat_t) "read" to inotify (inotifyfs_t). SELinux is preventing sendmail (system_mail_t) "read" to /var/log/maillog SELinux is preventing the certwatch from using potentially mislabeled files SELinux is preventing the gconfd-2 from using potentially mislabeled files SELinux is preventing the gdm-simple-gree from using potentially mislabeled SELinux is preventing the gnome-session from using potentially mislabeled files SELinux is preventing the metacity from using potentially mislabeled files SELinux prevented certwatch from reading from the urandom device.
Created attachment 326801 [details] SELinux alerts - First boot today
Created attachment 326802 [details] SELinux alerts - Second boot today
Created attachment 326803 [details] SELinux alerts - Collected after running a while
These are all fixed in the latest policy selinux-policy-3.5.13-34.fc10
I'm still seeing all of the alerts with the latest updates installed and a complete file system relabeling. Here's a new summary - -- SELinux is preventing awstats_updatea (awstats_t) "read" to inotify (inotifyfs_t). SELinux is preventing certwatch (certwatch_t) "getsched" certwatch_t. SELinux is preventing certwatch (certwatch_t) "read" to tmp (usr_t). SELinux is preventing certwatch (certwatch_t) "sys_nice" certwatch_t. SELinux is preventing gconfd-2 (xdm_dbusd_t) "append" to ./saved_state (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "connectto" xdm_dbusd_t. SELinux is preventing gconfd-2 (xdm_dbusd_t) "execute" to ./gconfd-2 (gconfd_exec_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to /var/lib/gdm/.gconf/desktop/gnome/accessibility/keyboard/%gconf.xml SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to /var/lib/gdm/.gconf/desktop/gnome/accessibility/keyboard/%gconf.xml.new SELinux is preventing gconfd-2 (xdm_dbusd_t) "getattr" to /var/lib/gdm/.gconf.path (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "getsched" xdm_dbusd_t. SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./accessibility (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.mandatory (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./.gconf.path (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "read" to ./%gconf.xml (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to ./%gconf.xml.new (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "remove_name" to ./.testing.writeability (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "search" to ./dbus (system_dbusd_var_run_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "setattr" to ./%gconf.xml.new (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./.gconf (xdm_var_lib_t). SELinux is preventing gconfd-2 (xdm_dbusd_t) "write" to ./keyboard (xdm_var_lib_t). SELinux is preventing gconftool-2 (xdm_t) "getattr" to /tmp/orbit-gdm (xdm_dbusd_tmp_t). SELinux is preventing gconftool-2 (xdm_t) "setattr" to ./orbit-gdm (xdm_dbusd_tmp_t). SELinux is preventing gdm-simple-gree (xdm_t) "search" to ./orbit-gdm (xdm_dbusd_tmp_t). SELinux is preventing sadc (sysstat_t) "read" to inotify (inotifyfs_t). SELinux is preventing sendmail (system_mail_t) "read" to /var/log/maillog (var_log_t). SELinux is preventing the certwatch from using potentially mislabeled files (./tmp). SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-a8a-0-255316847cc8f). SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-aff-0-1300d7fc779e0). SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-b24-0-28e3d38bd330e). SELinux is preventing the gconfd-2 from using potentially mislabeled files (linc-ddb-0-2c216f25c8933). SELinux is preventing the gconftool-2 from using potentially mislabeled files (linc-aff-0-1300d7fc779e0). SELinux is preventing the gconftool-2 from using potentially mislabeled files (./linc-ddb-0-2c216f25c8933). SELinux is preventing the gnome-session from using potentially mislabeled files (./orbit-gdm). SELinux is preventing the metacity from using potentially mislabeled files (linc-b24-0-28e3d38bd330e). SELinux prevented certwatch from reading from the urandom device.
Created attachment 327890 [details] SELinux alerts - All stable updates installed as of 2008-12-24
Created attachment 328615 [details] semodule Failed Still seeing the same problems with 3.5.13-38 installed. Here's some error output I am seeing while updating SELinux. Possibly related to this issue?
Seems you have a policy module that uses memcached instead of memcache, which is preventing the update. Can you remove your policy module in order to get the upgrade to work.
I uninstalled memcached-selinux-1.2.5-2.fc10.x86_64 (tagged f10-final) and reinstalled the SELinux 3.5.13-38 RPMs. I also did an autorelabel for good measure. This appears to have fixed the gdm issues at boot time, which I described in the initial comment of this bug. I'll run this setup for a while and see if any of the other alerts recur. Clearly something is missing from the current set of "latest" updates. Either the memcached-selinux package should have been obsoleted by one of the newer selinux policy packages -- or there needs to be an update to memcached to prevent this conflict from happening. Thanks for your help.
Created attachment 329046 [details] SELinux alerts - One gdm alert remains after removing memcached-selinux This new one is most likely valid.
You have a file named bash that is labeled usr_t? If this is the shell it is badly mislabeled. You can try to run restorecon on the file to fix its label. bash the shell should be labeled shell_exec_t
After a quick locate, I found that the file /usr/share/Modules/init/bash from package environment-modules-3.2.6-6.fc10.x86_64 is the culprit in the last alert. This is a separate issue for which I'll open another bz shortly.
Comment on attachment 329046 [details] SELinux alerts - One gdm alert remains after removing memcached-selinux Migrated to separate bz at https://bugzilla.redhat.com/show_bug.cgi?id=480273
SELinux is preventing sh (awstats_t) "read" to ./maillog (var_log_t). Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./maillog, restorecon -v './maillog' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:awstats_t:s0-s0:c0.c1023 Target Context system_u:object_r:var_log_t:s0 Target Objects ./maillog [ file ] Source sh Source Path /bin/bash Port <Unknown> Host ls2ka.elton-intra.net Source RPM Packages bash-3.2-30.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-49.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall_file Host Name ls2ka.elton-intra.net Platform Linux ls2ka.elton-intra.net 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686 Alert Count 1 First Seen Fri Mar 27 09:01:03 2009 Last Seen Fri Mar 27 09:01:03 2009 Local ID 667413ff-f1a5-47d6-89df-625f3da591a9 Line Numbers Raw Audit Messages node=ls2ka.elton-intra.net type=AVC msg=audit(1238140863.516:107): avc: denied { read } for pid=3595 comm="sh" name="maillog" dev=sda2 ino=1267499 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238140863.516:107): arch=40000003 syscall=5 success=yes exit=3 a0=8d0a758 a1=8000 a2=0 a3=8000 items=0 ppid=3594 pid=3595 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="sh" exe="/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
SELinux is preventing named (named_t) "append" to /var/log/update-debug.log (named_conf_t). Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by named. /var/log/update-debug.log may be a mislabeled. /var/log/update-debug.log default SELinux type is var_log_t, but its current type is named_conf_t. Changing this file back to the default type, may fix your problem. Named, however, is running in chrooted env. So the file actually is /var/named/chroot/var/log/update-debug.log How to solve this? restorecon -R /var/named/chroot/var/log?
SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t).
Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24 Mar 27 08:40:45 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e Mar 27 08:40:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 08:43:39 ls2ka setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete SELinux messages. run sealert -l 669a4274-f874-48f0-9ad7-a7529e927dfc Mar 27 08:43:46 ls2ka setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to ./openvpn-status.log (openvpn_etc_t). For complete SELinux messages. run sealert -l e2fe14e3-1d73-4456-93fb-eceb4a7017a4 Mar 27 08:44:12 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 08:44:13 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 08:44:13 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 08:44:15 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 08:45:46 ls2ka setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to /etc/openvpn/openvpn-status.log (openvpn_etc_t). For complete SELinux messages. run sealert -l 0eed4005-a639-4f49-8000-f7d10b74957e Mar 27 08:46:05 ls2ka setroubleshoot: SELinux is preventing named (named_t) "append" to /var/log/update-debug.log (named_conf_t). For complete SELinux messages. run sealert -l e657fe39-e17b-49fd-9625-f97a8b23a40c Mar 27 08:46:46 ls2ka setroubleshoot: SELinux is preventing openvpn (openvpn_t) "write" to /etc/openvpn/openvpn-status.log (openvpn_etc_t). For complete SELinux messages. run sealert -l 0eed4005-a639-4f49-8000-f7d10b74957e Mar 27 08:49:03 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 08:49:03 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24 Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 08:49:04 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 08:49:05 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e Mar 27 08:49:07 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 09:01:03 ls2ka setroubleshoot: SELinux is preventing sh (awstats_t) "read" to ./maillog (var_log_t). For complete SELinux messages. run sealert -l 667413ff-f1a5-47d6-89df-625f3da591a9 Mar 27 09:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621 Mar 27 09:01:04 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9 Mar 27 09:02:33 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24 Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf Mar 27 09:02:34 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 09:02:35 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 09:02:35 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e Mar 27 09:02:35 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 09:02:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 09:02:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 09:02:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 09:02:59 ls2ka setroubleshoot: SELinux is preventing named (named_t) "append" to /var/log/update-debug.log (named_conf_t). For complete SELinux messages. run sealert -l e657fe39-e17b-49fd-9625-f97a8b23a40c Mar 27 09:03:39 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24 Mar 27 09:03:39 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf Mar 27 09:05:27 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 09:05:27 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 09:05:27 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e Mar 27 09:19:53 ls2ka setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l 0307d106-f6a6-4d12-a601-d7ea2b698708 Mar 27 09:19:53 ls2ka setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l cdd0ae86-5c73-41ac-b8f2-0f64d87dc31d Mar 27 09:19:53 ls2ka setroubleshoot: SELinux prevented httpd reading access to http files. For complete SELinux messages. run sealert -l 437c8123-b20a-4c8a-9ec0-8ce7d9235900 Mar 27 09:41:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 09:41:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 09:41:34 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 09:41:38 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 09:45:10 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 09:45:10 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24 Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 09:45:11 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 09:45:12 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e Mar 27 09:45:12 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 09:46:30 ls2ka setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete SELinux messages. run sealert -l 669a4274-f874-48f0-9ad7-a7529e927dfc Mar 27 10:00:45 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 10:00:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 10:00:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 10:00:46 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing sh (awstats_t) "read" to ./maillog (var_log_t). For complete SELinux messages. run sealert -l 667413ff-f1a5-47d6-89df-625f3da591a9 Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621 Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9 Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24 Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 10:01:10 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 10:01:11 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e Mar 27 10:07:51 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 10:07:51 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 10:07:52 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 10:09:36 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 10:11:51 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "append" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 2b5a5287-4461-4ba0-b2e4-6c3aaa20af35 Mar 27 10:11:52 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/lib/spamass-milter/.razor/identity (var_lib_t). For complete SELinux messages. run sealert -l 24674f18-5479-493b-8e80-6b64576215ac Mar 27 10:11:52 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to identity (var_lib_t). For complete SELinux messages. run sealert -l 6a85153b-e63d-48b3-b7be-f9a6d27a61e7 Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "getattr" to /var/lib/spamass-milter/.pyzor/servers (var_lib_t). For complete SELinux messages. run sealert -l 4e33741d-ba92-4f84-b7a9-53f9b07d8f24 Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing pyzor (spamc_t) "read" to ./servers (var_lib_t). For complete SELinux messages. run sealert -l bc451cf1-96c1-498e-910a-c55a9a4f89cf Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e Mar 27 10:11:53 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./auto-whitelist (var_lib_t). For complete SELinux messages. run sealert -l e50421b4-5d29-4e40-b157-a145ae2c6240 Mar 27 10:12:01 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "rename" to ./bayes_journal (var_lib_t). For complete SELinux messages. run sealert -l 8d52e2d1-a418-48bf-a0f8-1f13dbfcb8de Mar 27 10:12:01 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "unlink" to ./bayes_journal.old (var_lib_t). For complete SELinux messages. run sealert -l ff76b78f-555b-42ec-95b9-41d53641b566 Mar 27 10:14:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "read write" to ./map (var_lib_t). For complete SELinux messages. run sealert -l f494a200-6ff8-4dc0-9ed1-c486cd437d0e Mar 27 10:14:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "getattr" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 03fb9e23-0db5-4cf8-bfdf-635f0ce29b0e Mar 27 10:14:46 ls2ka setroubleshoot: SELinux is preventing dccproc (dcc_client_t) "lock" to /var/lib/dcc/map (var_lib_t). For complete SELinux messages. run sealert -l 24d61ef4-6871-4f09-8129-750c0660cb1e I can't get those messages out of the way, restorecon doesn't seem to help.
Eddie, it would be better open a new separate bugzillas for each your report with appropriate component in this case selinux-policy.