AVC denied for Spamassassin

Daniel J Walsh dwalsh at redhat.com
Thu Nov 9 13:13:48 UTC 2006 

Daniel J Walsh wrote:
> Volker Englisch wrote:
>> I have a lot of avc messages in my log file indicating a problem with 
>> spamassassin/mqueue.
>> I am running FC6 with a standard installation and don't know why 
>> there is a problem with the directory /var/spool/mqueue.
>>    $ ls -Zd mqueue
>>    drwx------  root mail system_u:object_r:mqueue_spool_t mqueue/
>>
>> Do I need to change the context for this directory?
>>
>> Below are some of the messages from my log file:
>>
>> Nov  8 23:02:32 kepler kernel: audit(1163044952.697:127322): avc: 
>> denied  { search } for  pid=14530 comm="spamassassin" name="mqueue" 
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>> Nov  8 23:02:33 kepler kernel: audit(1163044953.317:127323): avc: 
>> denied  { search } for  pid=14530 comm="spamassassin" name="mqueue" 
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>> Nov  8 23:02:33 kepler kernel: audit(1163044953.317:127324): avc: 
>> denied  { search } for  pid=14530 comm="spamassassin" name="mqueue" 
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>> Nov  8 23:02:33 kepler kernel: audit(1163044953.317:127325): avc: 
>> denied  { search } for  pid=14530 comm="spamassassin" name="mqueue" 
>> dev=sda8 ino=326413 scontext=user_u:system_r:procmail_t:s0 
>> tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
>>
> Does procmail need to read this directory?
> Does procmail need to be able to write this directory?
>
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
In policy there is a dontaudit rule

ifdef(`hide_broken_symptoms',`
    mta_dontaudit_rw_queue(procmail_t)
')

But we don't have hide_broken_symptons turned on right now.  So I guess 
this has been seen before but has been deemed broken behaviour from a 
SELinux point of view.

More information about the fedora-selinux-list mailing list