Description of problem: The spamd process needs access to update razor configuration files. Users who integrate razor will find log entries such as the following: type=AVC msg=audit(1337010822.138:931223): avc: denied { write } for pid=688 comm="spamd" name="server.c303.cloudmark.com.conf" dev=dm-0 ino=136915 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_etc_t:s0 tclass=file Please add write access for spamd_etc_t to the spamd_t context. Version-Release number of selected component (if applicable): selinux-policy-3.7.19-126.el6_2.10.noarch spamassassin-3.3.1-2.el6.x86_64 perl-Razor-Agent-2.85-6.el6.x86_64
We allow read this config files. Where is "server.c303.cloudmark.com.conf" exactly located in the /etc directory? Is this a startup issue?
The file is located in /etc/razor. restorecon will mark the files as razor_etc_t, which appears to be an alias of spamd_etc_t. I believe that this is not a startup issue, but razor will update its configuration files during runtime. As this is normal operation for the program, please update policy to reflect that. mailfilter.rpr.com:~# restorecon -rv /etc/razor/ restorecon reset /etc/razor context unconfined_u:object_r:spamd_etc_t:s0->unconfined_u:object_r:razor_etc_t:s0 restorecon reset /etc/razor/server.c301.cloudmark.com.conf context system_u:object_r:spamd_etc_t:s0->system_u:object_r:razor_etc_t:s0 ... mailfilter.rpr.com:~# ls -lZ /etc/razor/ lrwxrwxrwx. root root unconfined_u:object_r:spamd_etc_t:s0 identity -> identity-ru7Bzeylm5 -rw-------. root root unconfined_u:object_r:spamd_etc_t:s0 identity-ru7Bzeylm5 -rw-r--r--. root root unconfined_u:object_r:spamd_etc_t:s0 razor-agent.conf ...
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Added.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html