787132 – clamd.exim.service fails to start because it can't access its log file

Bug 787132 - clamd.exim.service fails to start because it can't access its log file

Summary: clamd.exim.service fails to start because it can't access its log file

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-02-03 09:56 UTC by Jaroslav Škarvada
Modified:	2012-02-06 09:49 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-02-03 16:10:49 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jaroslav Škarvada 2012-02-03 09:56:36 UTC

Description of problem:
clamd.exim.service from exim-clamav package fails to start because it is blocked by selinux to access its log file (/var/log/clamd.exim).

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-81.2.fc17

How reproducible:
Always

Steps to Reproduce:
1. yum install exim-clamav
2. systemctl start clamd.exim
  
Actual results:
It fails to start.

Expected results:
It starts.

Additional info:
type=1400 audit(1328192703.986:7): avc:  denied  { open } for  pid=906 comm="clamd" name="clamd.exim" dev="dm-0" ino=278405 scontext=system_u:system_r:clamd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

Comment 1 Daniel Walsh 2012-02-03 16:10:37 UTC

Looks like the log file is mislabled?


matchpathcon /var/log/clamd.exim
/var/log/clamd.exim	system_u:object_r:clamd_var_log_t:s0


restorecon /var/log/clamd.exim

Will fix. any idea how this file got created originally?

Comment 2 Jaroslav Škarvada 2012-02-06 09:28:27 UTC

It is created by "touch" in %post. I workarounded it by explicit restorecon call. Thanks.

Comment 3 Miroslav Grepl 2012-02-06 09:40:07 UTC

Would be nice to have

/var/log/clamd

for example. Then we could add a label for this dir and the "restorecon" would not be needed.

Comment 4 Jaroslav Škarvada 2012-02-06 09:49:08 UTC

There is an effort to unify this across all clamd enabled packages. I am not sure whether we will finish it for F17, but it is on our radar.

Note You need to log in before you can comment on or make changes to this bug.