postfix_pipe_t ... execute_no_trans

[QingLong]

On Fri, Jun 16, 2006 at 07:14:56AM -0400, Daniel J Walsh wrote:
> QingLong wrote:
>> Would you be so kind as to give me a hint why postfix's pipe command
>> tries to execute a custom script with execute_no_trans? Details follow.
[...]
> Run the AVC's through audit2why?
>
   Yes, I have tried it:
|
| type=AVC msg=audit(1150288478.697:6253): avc:  denied  { execute_no_trans } for  pid=20218 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file
|	Was caused by:
|		Missing or disabled TE allow rule.
|		Allow rules may exist but be disabled by boolean settings; check boolean settings.
|
 The only booleans that may have something to do with the problem are
	setrans_disable_trans
	postfix_disable_trans
 and both of them have zero value. Did I miss some boolean?

|
|		You can see the necessary allow rules by running audit2allow with this audit message as input.
|
| You might be missing a role command.
|
 I thought that role wasn't the problem matter here.
 Nevertheless, I have added the role explicitly to .te file:
|
| role system_r types ql_spamassassin_client_t;
|
 Compiled the module, inserted it into the kernel, and that changed nothing.
 The problem is still there. :(

      QingLong.