Bug 663866 - SELinux is preventing the spamd daemon from reading users' home directories.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a617801d47d...
Depends On:
Blocks:
Reported: 2010-12-17 05:14 UTC by Paul
Modified: 2010-12-17 07:04 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-17 07:04:22 UTC



Description Paul 2010-12-17 05:14:59 UTC
Summary:

SELinux is preventing the spamd daemon from reading users' home directories.

Detailed Description:

SELinux has denied the spamd daemon access to users' home directories. Someone
is attempting to access your home directories via your spamd daemon. If you only
setup spamd to share non-home directories, this probably signals an intrusion
attempt.

Allowing Access:

If you want spamd to share home directories you need to turn on the
spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"

Fix Command:

setsebool -P spamd_enable_home_dirs=1

Additional Information:

Source Context                system_u:system_r:spamd_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/qamun/.razor [ dir ]
Source                        spamd
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.12.2-140.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   spamd_enable_home_dirs
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.i686 #1
                              SMP Fri Oct 22 15:34:36 UTC 2010 i686 i686
Alert Count                   10
First Seen                    Thu 16 Dec 2010 05:18:45 PM CST
Last Seen                     Thu 16 Dec 2010 11:13:10 PM CST
Local ID                      202abf22-f004-4ba1-bc84-6bb5243fa2fe
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1292562790.581:24555): avc:  denied  { getattr } for  pid=5899 comm="spamd" path="/home/qamun/.razor" dev=dm-2 ino=18743767 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1292562790.581:24555): arch=40000003 syscall=195 success=no exit=-13 a0=92205d8 a1=82080c4 a2=51aff4 a3=8208008 items=0 ppid=28619 pid=5899 auid=0 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=162 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)



Hash String generated from  spamd_enable_home_dirs,spamd,spamd_t,user_home_t,dir,getattr
audit2allow suggests:

#============= spamd_t ==============
#!!!! This avc can be allowed using the boolean 'spamd_enable_home_dirs'

allow spamd_t user_home_t:dir getattr;

Comment 1 Miroslav Grepl 2010-12-17 07:04:22 UTC
The alert told you what to do.

Fix Command:

setsebool -P spamd_enable_home_dirs=1
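
Added example, not part of the bug report or of setroubleshoot: before turning on the boolean, it helps to confirm exactly what was denied. This sketch joins the AVC and SYSCALL records from the report by their shared audit serial and rebuilds the rule audit2allow printed; the function names are hypothetical and the SYSCALL line is trimmed to the fields used.

```python
import re
from datetime import datetime, timezone

# The two raw audit records quoted in the report (SYSCALL trimmed to the fields used here).
SAMPLE = '''node=(removed) type=AVC msg=audit(1292562790.581:24555): avc:  denied  { getattr } for  pid=5899 comm="spamd" path="/home/qamun/.razor" dev=dm-2 ino=18743767 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1292562790.581:24555): arch=40000003 syscall=195 success=no exit=-13 ppid=28619 pid=5899 auid=0 uid=0 euid=500 fsuid=500 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
'''

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_events(text):
    """Group records by (epoch seconds, serial) so each AVC is joined to its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        avc = PERMS_RE.search(line)
        if avc:
            fields["result"], fields["perms"] = avc.group(1), avc.group(2).split()
        events.setdefault((int(m.group(2)), int(m.group(3))), {})[m.group(1)] = fields
    return events

def denials(events):
    """One triage row per denied AVC, with process details from the matching SYSCALL."""
    rows = []
    for (secs, serial), recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("result") != "denied":
            continue
        rows.append({
            "time_utc": datetime.fromtimestamp(secs, tz=timezone.utc).isoformat(),
            "source": avc["scontext"].split(":")[2],
            "target": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "perms": avc["perms"], "path": avc.get("path"),
            "exe": sc.get("exe"), "euid": sc.get("euid"), "exit": sc.get("exit"),
        })
    return rows

def allow_rule(row):
    """Render the rule in audit2allow's style, to compare against the boolean's scope."""
    perms = row["perms"][0] if len(row["perms"]) == 1 else "{ " + " ".join(row["perms"]) + " }"
    return f"allow {row['source']} {row['target']}:{row['tclass']} {perms};"

if __name__ == "__main__":
    for row in denials(parse_events(SAMPLE)):
        print(row, allow_rule(row), sep="\n")
```

The joined row shows spamd running with euid 500 and failing with exit -13 (EACCES) on a getattr of /home/qamun/.razor, the access that spamd_enable_home_dirs covers.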

