Additional info:
libreport version: 2.0.18
kernel: 3.6.7-4.fc17.x86_64

description:
:SELinux is preventing /usr/bin/perl from using the 'dac_read_search' capabilities.
:
:***** Plugin dac_override (91.4 confidence) suggests ***********************
:
:If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
:Then turn on full auditing to get path information about the offending file and generate the error again.
:Do
:
:Turn on full auditing
:# auditctl -w /etc/shadow -p w
:Try to recreate AVC. Then execute
:# ausearch -m avc -ts recent
:If you see PATH record check ownership/permissions on file, and fix it,
:otherwise report as a bugzilla.
:
:***** Plugin catchall (9.59 confidence) suggests ***************************
:
:If you believe that perl should have the dac_read_search capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sa-update /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:spamd_update_t:s0-s0:c0.c1023
:Target Context system_u:system_r:spamd_update_t:s0-s0:c0.c1023
:Target Objects [ capability ]
:Source sa-update
:Source Path /usr/bin/perl
:Port <Unknown>
:Host (removed)
:Source RPM Packages perl-5.14.3-217.fc17.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.6.7-4.fc17.x86_64 #1 SMP Tue Nov
: 20 19:40:01 UTC 2012 x86_64 x86_64
:Alert Count 8
:First Seen 2012-11-28 04:10:02 EST
:Last Seen 2012-11-28 06:00:13 EST
:Local ID 1b4806a6-15a3-4228-af1c-733a70c9767d
:
:Raw Audit Messages
:type=AVC msg=audit(1354100413.729:1255): avc: denied { dac_read_search } for pid=17354 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1354100413.729:1255): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3654b1e6eb a1=80000 a2=1b6 a3=238 items=0 ppid=16908 pid=17354 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=138 comm=sa-update exe=/usr/bin/perl subj=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 key=(null)
:
:Hash: sa-update,spamd_update_t,spamd_update_t,capability,dac_read_search
:
:audit2allow
:
:#============= spamd_update_t ==============
:allow spamd_update_t self:capability dac_read_search;
:
:audit2allow -R
:
:#============= spamd_update_t ==============
:allow spamd_update_t self:capability dac_read_search;
:
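As an added example, not part of the original bug report: a Python triage helper that pairs the AVC and SYSCALL records from the raw audit messages above by their shared event serial and flags DAC capability denials that carry no PATH information, the case the dac_override plugin's "turn on full auditing" advice addresses. The function names and the `needs_path_audit` field are hypothetical, and treating `items=0` as "no PATH record" is an assumption of this example.

```python
import re
from collections import defaultdict

# The AVC/SYSCALL pair from the report above, restored to one record per line.
SAMPLE = (
    'type=AVC msg=audit(1354100413.729:1255): avc: denied { dac_read_search } for pid=17354 comm="sa-update" capability=2 '
    'scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability\n'
    'type=SYSCALL msg=audit(1354100413.729:1255): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3654b1e6eb a1=80000 a2=1b6 a3=238 '
    'items=0 ppid=16908 pid=17354 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=138 comm=sa-update '
    'exe=/usr/bin/perl subj=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 key=(null)\n'
)
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")
DAC_CAPS = {"dac_override", "dac_read_search"}


def group_events(text):
    """Group audit records by event serial; records of one event share it."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KEYVAL.findall(line)}
        perms = PERMS.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[m.group(2)][fields["type"]] = fields
    return events


def triage(text):
    """Summarise capability denials and flag those missing PATH information."""
    findings = []
    for serial, recs in group_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or avc.get("tclass") != "capability":
            continue
        has_path = "PATH" in recs or int(sc.get("items", "0")) > 0
        findings.append({
            "serial": serial, "domain": avc["scontext"].split(":")[2],
            "perms": avc.get("perms", []),
            "syscall": sc.get("syscall"), "exit": sc.get("exit"), "euid": sc.get("euid"),
            # DAC capability denied and no PATH record: the file is not identified.
            "needs_path_audit": bool(DAC_CAPS & set(avc.get("perms", []))) and not has_path,
        })
    return findings
```

For the records in this report, `triage(SAMPLE)` yields one finding for domain `spamd_update_t` with `needs_path_audit` set, since the failed `open` was logged with `items=0`.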
Created attachment 653512 File: type
Created attachment 653513 File: hashmarkername
Is spamd_update_t running as root while the sa_update directory is owned by spamd user?
Not sure how to tell. This is a standard installation of spamassassin-3.3.2-14.fc17.x86_64 that I use with evolution-spamassassin-3.4.4-2.fc17.x86_64. I haven't made any changes post-install except to turn on spam checking in evolution.
Confirm.

# grep SELinux /var/log/messages
Dec 8 05:05:19 srv08 setroubleshoot: SELinux is preventing /usr/bin/perl from using the dac_read_search capability. For complete SELinux messages. run sealert -l b9c001bb-5858-4c78-9d3f-a7515f00e96a

# rpm -q selinux-policy spamassassin perl
selinux-policy-3.10.0-161.fc17.noarch
spamassassin-3.3.2-14.fc17.x86_64
perl-5.14.3-217.fc17.x86_64
commit 0230bde3e44dd9f0e6cfcea387e51742f8b9430d
Author: Miroslav Grepl <mgrepl>
Date: Mon Dec 10 10:39:25 2012 +0100

    Allow spamd_update to create spamd_var_lib_t directories and ignore DAC when searching for directories
selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17
Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.