SELinux is preventing /sbin/consoletype from 'read' accesses on the file /tmp/update_spamassassin.0102.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that consoletype should be allowed read access on the update_spamassassin.0102 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /sbin/consoletype /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:consoletype_t:s0
Target Context                system_u:object_r:system_cronjob_tmp_t:s0
Target Objects                /tmp/update_spamassassin.0102 [ file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           initscripts-9.20.1-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-72.fc14.i686 #1 SMP Mon Dec 20 22:05:49 UTC 2010 i686 i686
Alert Count                   8
First Seen                    Sun 26 Dec 2010 04:02:36 AM EST
Last Seen                     Sun 02 Jan 2011 03:49:07 AM EST
Local ID                      f50d6be0-6c3d-447c-8e3a-1af2f8853f90

Raw Audit Messages
type=AVC msg=audit(1293958147.42:62296): avc: denied { read } for pid=30430 comm="consoletype" path="/tmp/update_spamassassin.0102" dev=dm-0 ino=1450 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:system_cronjob_tmp_t:s0 tclass=file
consoletype,consoletype_t,system_cronjob_tmp_t,file,read

type=SYSCALL msg=audit(1293958147.42:62296): arch=i386 syscall=execve success=yes exit=0 a0=8305500 a1=8305578 a2=82fe9e0 a3=8305578 items=0 ppid=30429 pid=30430 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3355 comm=consoletype exe=/sbin/consoletype subj=system_u:system_r:consoletype_t:s0 key=(null)
consoletype,consoletype_t,system_cronjob_tmp_t,file,read

#============= consoletype_t ==============
allow consoletype_t system_cronjob_tmp_t:file read;
Looks like a leaked descriptor. You can dontaudit it using
# grep consoletype /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
Hi - rather than paper over the alert ... is this likely from /etc/cron.daily/update_spamassassin? Should the spamassassin guys be taking a look? I'd be happy to modify the script to help find out, but not sure of the techniques.
Yes, they should be closing this file descriptor on exec. Also why are they using /tmp for a process running as root?
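An added example, not code from MailScanner or from anyone in this report: a POSIX sh script that reproduces the descriptor leak the comment above describes (a script opens a file on fd 3 for its own use and then execs another program, which inherits that open descriptor, the same kind of inherited file that shows up in the AVC as consoletype 'read'ing the cron job's /tmp file), and shows two ways to close it before exec. The function names, the use of fd 3 and a stand-in child process in place of /sbin/consoletype are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: how a shell script (such as a cron job) leaks a file
# descriptor into a program it executes, and two ways to stop it.
# Function names, fd number and the stand-in child are illustrative.

# Stand-in for /sbin/consoletype: a freshly exec'd process that reports
# whether it inherited fd 3. Exit 0 = fd 3 is open in the child,
# non-zero = it is not (duplicating a closed fd onto stdin fails).
child_has_fd3() {
    sh -c ': <&3' 2>/dev/null
}

# The bug: the script opens a temp file on fd 3 and keeps it open while
# it runs other programs, so every child inherits fd 3 across exec.
# Returns 0 when the child inherited the descriptor.
demo_leak() {
    tmp=$(mktemp) || return 2
    exec 3>"$tmp"                 # script-wide descriptor
    echo "scratch data" >&3
    if child_has_fd3; then rc=0; else rc=1; fi
    exec 3>&-
    rm -f "$tmp"
    return $rc
}

# Fix 1: keep the script-wide descriptor but close it for the child
# only; the shell closes fd 3 in the forked child before exec, so the
# program never sees it. Returns 1: the child did not inherit fd 3.
demo_fixed_close() {
    tmp=$(mktemp) || return 2
    exec 3>"$tmp"
    echo "scratch data" >&3
    if child_has_fd3 3>&-; then rc=0; else rc=1; fi
    exec 3>&-
    rm -f "$tmp"
    return $rc
}

# Fix 2: do not hold a script-wide descriptor at all. Open the file only
# around the commands that need it, so it is closed again before any
# unrelated program runs. Returns 1: the child did not inherit fd 3.
demo_fixed_scope() {
    tmp=$(mktemp) || return 2
    {
        echo "scratch data" >&3
    } 3>"$tmp"                    # fd 3 exists only inside this group
    if child_has_fd3; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Linux-only diagnostic to drop into a cron script: list the descriptors
# the script currently holds, i.e. what the next exec'd child inherits.
# ($$ is the script's own PID; /proc/self/fd would show ls's own fds.)
show_open_fds() {
    [ -d /proc/self/fd ] || { echo "no /proc/<pid>/fd here" >&2; return 1; }
    ls -l "/proc/$$/fd"
}

main() {
    if demo_leak; then echo "leaky script:    child inherited fd 3"; fi
    if ! demo_fixed_close; then echo "close for child: fd 3 not inherited"; fi
    if ! demo_fixed_scope; then echo "scoped redirect: fd 3 not inherited"; fi
}

main
```

To find which descriptor a real cron script is leaking, call show_open_fds (or run `ls -l /proc/<pid>/fd` against the script's PID from another shell) just before the line that runs the external program; any entry other than 0, 1 and 2 that points at a file the child has no business touching is the leak, and the per-command `N>&-` redirect is the smallest fix.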
I'm sure we would be open to adjustments to our spamassassin cron script, but is that ours or did you install from upstream? We use /etc/cron.d/sa-update. It sounds like you have a /etc/cron.daily/update_spamassassin script? Where did you get it?
Ah, dang. My bad for not checking:
# rpm -qf /etc/cron.daily/update_spamassassin
mailscanner-4.81.4-1.noarch
I'll work with the MailScanner.info guys to get this fixed. Closing. Thank you!