Additional info:
libreport version: 2.0.18
kernel: 3.6.7-4.fc17.x86_64

description:
:SELinux is preventing /usr/bin/perl from 'create' accesses on the directory 3.003002.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that perl should be allowed create access on the 3.003002 directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sa-update /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:spamd_update_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:spamd_var_lib_t:s0
:Target Objects                3.003002 [ dir ]
:Source                        sa-update
:Source Path                   /usr/bin/perl
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           perl-5.14.3-217.fc17.x86_64
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.7-4.fc17.x86_64 #1 SMP Tue Nov
:                              20 19:40:01 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-11-28 06:00:13 EST
:Last Seen                     2012-11-28 06:00:13 EST
:Local ID                      987ec2bd-e190-4994-bc6c-447aca89fa55
:
:Raw Audit Messages
:type=AVC msg=audit(1354100413.879:1256): avc: denied { create } for pid=17354 comm="sa-update" name="3.003002" scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1354100413.879:1256): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=3ff2a40 a1=1ff a2=344955291b a3=0 items=0 ppid=16908 pid=17354 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=138 comm=sa-update exe=/usr/bin/perl subj=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sa-update,spamd_update_t,spamd_var_lib_t,dir,create
:
:audit2allow
:
:#============= spamd_update_t ==============
:allow spamd_update_t spamd_var_lib_t:dir create;
:
:audit2allow -R
:
:#============= spamd_update_t ==============
:allow spamd_update_t spamd_var_lib_t:dir create;
:
Added to F18.
This has been happening since the update to spamassassin.

Package: (null)
Architecture: i686
OS Release: Fedora release 17 (Beefy Miracle)
Confirm.

# grep SELinux /var/log/messages
Dec 8 05:05:24 srv08 setroubleshoot: SELinux is preventing /usr/bin/perl from create access on the directory 3.003002. For complete SELinux messages. run sealert -l 7b472211-b064-4361-b43a-64c794044d28

# ls -laZ /var/lib/spamassassin/
drwxr-xr-x. root root system_u:object_r:spamd_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..

# grep -Ev '^#|^$' /etc/cron.d/sa-update
10 4 * * * root /usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log

# tail /var/log/sa-update.log
mkdir /var/lib/spamassassin/3.003002: Permission denied at /usr/bin/sa-update line 834
08-Dec-2012 05:05:24: SpamAssassin: Unknown error code 13 from sa-update

# rpm -q selinux-policy spamassassin perl
selinux-policy-3.10.0-161.fc17.noarch
spamassassin-3.3.2-14.fc17.x86_64
perl-5.14.3-217.fc17.x86_64
Added to F17,

commit 0230bde3e44dd9f0e6cfcea387e51742f8b9430d
Author: Miroslav Grepl <mgrepl>
Date: Mon Dec 10 10:39:25 2012 +0100

    Allow spamd_update to create spamd_var_lib_t directories and ignore DAC when searching for directories
selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17
Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.