AVC denied for Spamassassin
Daniel J Walsh
dwalsh at redhat.com
Thu Nov 9 13:13:48 UTC 2006
Daniel J Walsh wrote:
> Volker Englisch wrote:
>> I have a lot of avc messages in my log file indicating a problem with
>> spamassassin/mqueue.
>> I am running FC6 with a standard installation and don't know why
>> there is a problem with the directory /var/spool/mqueue.
>> $ ls -Zd mqueue
>> drwx------ root mail system_u:object_r:mqueue_spool_t mqueue/
>>
>> Do I need to change the context for this directory?
>>
>> Below are some of the messages from my log file:
>>
>> Nov 8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc:
>> denied { search } for pid=14530 comm="spamassassin" name="mqueue"
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc:
>> denied { search } for pid=14530 comm="spamassassin" name="mqueue"
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc:
>> denied { search } for pid=14530 comm="spamassassin" name="mqueue"
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>> Nov 8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc:
>> denied { search } for pid=14530 comm="spamassassin" name="mqueue"
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>>
> Does procmail need to read this directory?
> Does procmail need to be able to write this directory?
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
In policy there is a dontaudit rule
ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
')
But we don't have hide_broken_symptons turned on right now. So I guess
this has been seen before but has been deemed broken behaviour from a
SELinux point of view.
More information about the fedora-selinux-list
mailing list