The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing exim-tidydb (system_cronjob_t) "read" exim_spool_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by exim-tidydb. It is not expected that this access is required by exim-tidydb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Context                system_u:object_r:exim_spool_t:s0
Target Objects                /var/spool/exim/db/retry [ file ]
Source                        exim-tidydb
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.0.28-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.28-4.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.162.rc6.git2.fc12.x86_64 #1 SMP Mon Aug 17 16:06:42 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 22 Aug 2009 09:09:01 IST
Last Seen                     Sat 22 Aug 2009 09:09:01 IST
Local ID                      43f1ef25-8f58-4b78-9e2d-6a7cab86a98d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1250928541.983:19545): avc: denied { read } for pid=2294 comm="exim-tidydb" name="retry" dev=dm-4 ino=68241 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_spool_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1250928541.983:19545): arch=c000003e syscall=21 success=yes exit=0 a0=1b2c250 a1=4 a2=0 a3=8 items=0 ppid=2277 pid=2294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="exim-tidydb" exe="/bin/bash" subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= system_cronjob_t ==============
allow system_cronjob_t exim_spool_t:file read;
Created attachment 358298
Two exim\cronjob avc's
Two snippets from above report:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

Enforcing Mode Enforcing

Which is correct?
The domain was a permissive domain, but the machine was in enforcing mode. I will work to fix the message.
I am changing the message to

/var/spool/exim/db/retry has a permissive type, system_cronjob_t. This access was not denied.

Fixed in selinux-policy-3.6.28-5.fc12.noarch
(In reply to comment #4)
> I am changing the message to
>
> /var/spool/exim/db/retry has a permissive type, system_cronjob_t. This access
> was not denied.
>
> Fixed in selinux-policy-3.6.28-5.fc12.noarch

updated it, and policycore*
setroubleshoot contains the new message.
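
The question raised in this thread (was the access really denied?) can be checked from the raw audit records themselves. The following is an added example, not part of the original report or of setroubleshoot: it pairs each AVC record with the SYSCALL record sharing its audit event ID and reads the `success=` field. Treating `success=yes` as "the access went through despite `avc: denied`" is a triage heuristic assumed here, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the two raw audit records from the report above, one per line.
SAMPLE = "\n".join([
    'node=(removed) type=AVC msg=audit(1250928541.983:19545): avc: denied { read } for pid=2294 comm="exim-tidydb" name="retry" dev=dm-4 ino=68241 scontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_spool_t:s0 tclass=file',
    'node=(removed) type=SYSCALL msg=audit(1250928541.983:19545): arch=c000003e syscall=21 success=yes exit=0 a0=1b2c250 a1=4 a2=0 a3=8 items=0 ppid=2277 pid=2294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="exim-tidydb" exe="/bin/bash" subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 key=(null)',
])

EVENT_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(record):
    """Return the key=value pairs of one audit record as a dict."""
    return {key: value.strip('"') for key, value in KV_RE.findall(record)}


def triage(log_text):
    """Pair AVC and SYSCALL records by event ID and report the outcome."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        match = EVENT_RE.search(line)
        if match:
            # Simplification: keeps one record per type per event.
            events[match.group(2)][match.group(1)] = line
    results = []
    for event_id, records in events.items():
        if 'AVC' not in records:
            continue
        avc = fields(records['AVC'])
        perms = PERMS_RE.search(records['AVC'])
        success = fields(records.get('SYSCALL', '')).get('success')
        results.append({
            'event': event_id,
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': perms.group(1).split() if perms else [],
            # True: logged as denied but the syscall succeeded (permissive
            # domain or mode); False: it failed; None: no SYSCALL record.
            'permitted': {'yes': True, 'no': False}.get(success),
        })
    return results
```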