This was fixed for F17, but remains in F18 (selinux-policy-targeted-3.11.1-71.fc18) so I'm making a clone. +++ This bug was initially created as a clone of Bug #864501 +++ Description of problem: Cron emails me this report: config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied 09-Oct-2012 04:20:50: SpamAssassin: Update processed successfully # grep 04:20:50 /var/log/messages Oct 9 04:20:50 balthasar setroubleshoot: SELinux is preventing /usr/bin/perl from using the dac_read_search capability. For complete SELinux messages. run sealert -l b4d39549-64ca-4654-aff1-c3e8d454f1b3 # sealert -l b4d39549-64ca-4654-aff1-c3e8d454f1b3 SELinux is preventing /usr/bin/perl from using the dac_read_search capability. ***** Plugin dac_override (91.4 confidence) suggests *********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests *************************** If you believe that perl should have the dac_read_search capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sa-update /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:spamd_update_t:s0-s0:c0.c1023 Target Context system_u:system_r:spamd_update_t:s0-s0:c0.c1023 Target Objects [ capability ] Source sa-update Source Path /usr/bin/perl Port <Unknown> Host balthasar.cchtml.com Source RPM Packages perl-5.14.2-215.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-153.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name balthasar.cchtml.com Platform Linux balthasar.cchtml.com 3.5.6-1.fc17.x86_64 #1 SMP Sun Oct 7 19:31:14 UTC 2012 x86_64 x86_64 Alert Count 9 First Seen 2012-10-09 04:10:02 CDT Last Seen 2012-10-09 04:20:49 CDT Local ID b4d39549-64ca-4654-aff1-c3e8d454f1b3 Raw Audit Messages type=AVC msg=audit(1349774449.976:791): avc: denied { dac_read_search } for pid=7416 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1349774449.976:791): arch=x86_64 syscall=open success=no exit=EACCES a0=7f707aedd6eb a1=80000 a2=1b6 a3=238 items=0 ppid=7160 pid=7416 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=95 comm=sa-update exe=/usr/bin/perl subj=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 key=(null) Hash: sa-update,spamd_update_t,spamd_update_t,capability,dac_read_search audit2allow #============= spamd_update_t ============== allow spamd_update_t self:capability dac_read_search; audit2allow -R #============= spamd_update_t ============== allow spamd_update_t self:capability dac_read_search; Version-Release number of selected component (if applicable): selinux-policy-3.10.0-153.fc17.noarch --- Additional comment from Michael Cronenworth on 2012-10-09 09:19:05 EDT --- It is an empty directory with the correct context applied. # restorecon -Rv /root # ls -Zd .spamassassin/ drwx------. root root system_u:object_r:spamc_home_t:s0 .spamassassin/ # ls -la .spamassassin/ total 8 drwx------. 2 root root 4096 Oct 13 2011 . dr-xr-x---. 10 root root 4096 Sep 23 12:53 .. --- Additional comment from Daniel Walsh on 2012-10-09 12:10:33 EDT --- ls -lad /root --- Additional comment from Michael Cronenworth on 2012-10-09 12:14:16 EDT --- $ ls -Zlad /root dr-xr-x---. 10 system_u:object_r:admin_home_t:s0 root root 4096 Sep 23 12:53 /root --- Additional comment from Daniel Walsh on 2012-10-09 12:18:47 EDT --- chmod 750 /root --- Additional comment from Michael Cronenworth on 2012-10-09 12:24:15 EDT --- Daniel, what are you suggesting? I logged into a few Fedora 17 and RHEL6 boxes and they have /root set to 550. AFAIK this is the correct default setting. --- Additional comment from Daniel Walsh on 2012-10-09 12:40:42 EDT --- I guess this is the correct permission that the /root directory is supposed to have. Eric, why would I get a dac_read_search? --- Additional comment from Steve Grubb on 2012-10-09 12:46:32 EDT --- If its trying to read ~/.spamassassin it should be able to. My guess its its trying to create the file...which it probably does not need to do. --- Additional comment from Daniel Walsh on 2012-10-09 12:49:23 EDT --- I would figure that would be dac_override though? /* Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ #define CAP_DAC_OVERRIDE 1 /* Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ #define CAP_DAC_READ_SEARCH 2 --- Additional comment from Steve Grubb on 2012-10-09 13:41:26 EDT --- The translated flags to open are: a1=O_RDONLY|O_CLOEXEC. If the dir is 0550 and the uid is 0 and the gid is 0...read access should be allowed without any capabilities. --- Additional comment from Michael Cronenworth on 2012-10-23 09:11:22 EDT --- Any update on this? (CC'ing SA maintainers) --- Additional comment from John Griffiths on 2013-01-16 11:23:41 EST --- This is still happening. Any progress? --- Additional comment from Daniel Walsh on 2013-01-16 15:53:22 EST --- We allow this in F18, Miroslav can you back port to F17. --- Additional comment from Daniel Walsh on 2013-01-16 15:54:50 EST --- *** Bug 880421 has been marked as a duplicate of this bug. *** --- Additional comment from Miroslav Grepl on 2013-01-17 07:25:31 EST --- This is already fixed. sesearch -A -s spamd_update_t -t spamd_update_t -c capability Found 2 semantic av rules: allow spamd_update_t spamd_update_t : capability dac_read_search ; --- Additional comment from John Griffiths on 2013-01-17 09:23:01 EST --- I beg to differ. I got this in an email from my Fedora 17 systems this morning. config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied Yet, when I run: sesearch -A -s spamd_update_t -t spamd_update_t -c capability I get: Found 2 semantic av rules: allow spamd_update_t spamd_update_t : capability dac_read_search ; allow spamd_update_t spamd_update_t : capability net_bind_service ; This is not fixed and this bug needs to be reopened. If you don't want to do that, I will clone it. --- Additional comment from Michael Cronenworth on 2013-01-17 09:24:20 EST --- Yes, I see the added policy on my F17 box, but I am still getting Cron e-mails about read failures every morning. This is an e-mail from this morning: config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied 17-Jan-2013 04:54:53: SpamAssassin: Update processed successfully --- Additional comment from Scott Shambarger on 2013-01-20 21:08:24 EST --- I finally chased this down today... the denials are caused by two "dontaudit" denials: type=AVC msg=audit(1358727584.642:16181): avc: denied { search } for pid=24396 comm="sa-update" name="root" dev="dm-0" ino=3932161 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir type=AVC msg=audit(1358729533.648:16336): avc: denied { getattr } for pid=24841 comm="sa-update" path="/root/.spamassassin" dev="dm-0" ino=3932264 scontext=system_u:system_r:spamd_update_t:s0 tcontext=unconfined_u:object_r:spamc_home_t:s0 tclass=dir (this assumes /root/.spamassassin exists, only the first is triggered if it doesn't) The code that causes this is in /usr/bin/sa-update calling the function lint_check_dir() when the downloaded spam rules are checked for correctness. A instance of Mail::SpamAssassin is created, and lint_rules() is called on it, which calls init(1) (use_user_pref=1) in turn calling get_and_create_userstate_dir(), which stats $self->{user_dir}, ".spamassassin") looking for a user pref. Adding the following semodule resolves the errors: module mysaupdate 1.0; require { type spamd_update_t; type admin_home_t; type spamc_home_t; class dir { search getattr }; } #============= spamd_update_t ============== allow spamd_update_t admin_home_t:dir search; allow spamd_update_t spamc_home_t:dir getattr; Both of these denials are currently dontaudit in the policy, so don't show up in ausearch w/o using semodule -DB (this also assumes current fcontext on /root/.spamassassin, if it exists) --- Additional comment from Miroslav Grepl on 2013-01-21 10:28:31 EST --- Great. Thank you. --- Additional comment from Paul Howarth on 2013-01-24 04:52:06 EST --- I see this in F-18 too. --- Additional comment from Miroslav Grepl on 2013-01-30 04:55:52 EST --- Added. --- Additional comment from Fedora Update System on 2013-02-04 17:03:20 EST --- selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17 --- Additional comment from Scott Shambarger on 2013-02-04 18:17:02 EST --- Installed and ran from sa-update from cron, didn't see any warning output. Appears fixed. :) --- Additional comment from Fedora Update System on 2013-02-05 11:58:53 EST --- Package selinux-policy-3.10.0-167.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17 then log in and leave karma (feedback). --- Additional comment from Fedora Update System on 2013-02-12 00:07:30 EST --- selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Added. commit 35d22e745e9a429dc2d9844de83a83433150f852 Author: Miroslav Grepl <mgrepl> Date: Thu Feb 14 08:37:19 2013 +0100 Allow spamd_update_t to search spamc_home_t
selinux-policy-3.11.1-78.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-78.fc18
Package selinux-policy-3.11.1-78.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-78.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-2588/selinux-policy-3.11.1-78.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-78.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.