selinux denying spamd write access to its own user home dir

Gene Heskett gene.heskett at verizon.net
Thu Nov 20 03:43:50 UTC 2008


On Wednesday 19 November 2008, Paul Howarth wrote:
>On Wed, 19 Nov 2008 13:00:18 -0500
>
>Gene Heskett <gene.heskett at verizon.net> wrote:
>> Greetings;
>>
>> Just recovering from a drive failure, and just now managed to get
>> enough perl deps installed to run spamassassin.
>>
>> I modified the spamassassin script in /etc/init.d to run it as the
>> same user that fetches the mail, also fixed the spamassassin
>> in /etc/sysconfig to match, and according to htop, the spamd's are
>> running as that user.
>>
>> But, selinux is still having a cow for every incoming message.
>> =========
>> Source Context:  system_u:system_r:spamd_t:s0
>> Target Context:  system_u:object_r:home_root_t:s0
>> Target Objects:  ./user_prefs [ file ]
>> ===temp end of snip
>>
>> From that, here is that file:
>>
>> [root at coyote .spamassassin]# ls -l user_prefs
>> -rw-r--r-- 1 gene gene 1164 2006-01-16 13:45 user_prefs
>> [root at coyote .spamassassin]# ls -l --context user_prefs
>> -rw-r--r--  gene gene system_u:object_r:home_root_t:s0 user_prefs
>>
>> ===back to troubleshooter output
>>
>> host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc:
>> denied { write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3
>> ino=74942440 scontext=system_u:system_r:spamd_t:s0
>> tcontext=system_u:object_r:home_root_t:s0 tclass=file
>>
>> host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797):
>> arch=40000003 syscall=5 success=no exit=-13 a0=9a83590 a1=8241 a2=1b6
>> a3=8241 items=0 ppid=7116 pid=7118 auid=0 uid=501 gid=501 euid=501
>> suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1
>> comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
>> key=(null) =========
>> Secondary Q: when are we going to be able to copy & paste from the
>> selinuxtroubleshooter screen and preserve the ^%$*^%$( formatting?
>>
>> I have performed the troubleshooter recommended fix:
>>
>> setsebool -P spamd_enable_home_dirs=1
>>
>> and restarted spamassassin several times.
>>
>> Perms or context problem with the /home dirs?
>>
>> A bug?
>>
>> Or I need to do an autorelabel?
>>
>> The /home dirs, FWIW, were copied from another drive by mc & then
>> 'chown -R user:user' when the copy was finished which may not have
>> been the correct thing to do FAIK.  But it was the only way I could
>> preserve an email corpus that is in the 10Gb area for size.
>>
>> There are no entries for spamassassin or spamd in /etc/group that I
>> could use to make that file a member of.
>>
>> Fix please?
>
>Regular unix usernames and groups will make little difference to
>SELinux. What you need is the right SELinux labelling for the files.
>
>Try this:
># restorecon -RF /home/*/.spamassassin/
>
I can do this right now, hang on.  Quick, less than a second.  Now we wait to 
see if it throws up another icon to match the incoming mail beep.  Yes, it 
took nearly a minute after procmail.log showed it, for it to get here, and 
now another mail has arrived with no alert and denial.

Thanks Paul, and a big bow in your direction.

>On F9 at least, I believe ~/.spamassassin should have context type
>user_spamassassin_home_t rather than home_root_t which is what you seem
>to have now.
>
>If this fixes things for you, it's likely that there are other similar
>issues that will need fixing up, and doing a relabel will be a good
>idea when you can spare the time.
>
>Paul.

I did a "touch /.autorelabel" about tuesday evening after one install, and it 
seemed to be ignored on the reboot.  Is that not the correct method?

Thanks again.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Sic transit gloria mundi.
	[So passes away the glory of this world.]
		-- Thomas `a Kempis
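The denial records quoted in the thread carry enough to diagnose the problem without the troubleshooter: the AVC record names the source domain (spamd_t), the target type (home_root_t) and the class (file), and the matching SYSCALL record (same audit serial, 797) shows uid=501 and exit=-13, so the EACCES comes from type enforcement, not from ownership, which is why chown and /etc/group entries cannot fix it. The script below is an added example (not code from the thread, from Fedora or from the SELinux project) that parses such records, pairs AVC and SYSCALL lines by serial, and flags file denials where the target type is not what the policy expects for that domain. The expected-type mapping (spamd_t on user_spamassassin_home_t) is taken from Paul's statement about F9 and is an assumption for other releases; the sample log lines are constructed from the records quoted above.

```python
"""Triage SELinux AVC denials like the spamd/user_prefs one in this thread.

Added example, not the thread's or the SELinux project's code.  Parses
audit 'type=AVC' and 'type=SYSCALL' records, pairs them by audit serial,
and reports file denials whose target label differs from the type the
policy expects for the source domain.
"""
import re
from dataclasses import dataclass, field

# AVC record body; a leading 'host=...' prefix (setroubleshoot output) is
# tolerated because we use search(), not match().
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm="spamd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: the type a domain's per-user files should carry.  The spamd_t
# entry follows Paul's reply for F9; other domains/releases may differ.
EXPECTED_HOME_TYPE = {"spamd_t": "user_spamassassin_home_t"}


def parse_kv(text):
    """Turn 'pid=7118 comm="spamd" ...' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """Return the type (third field) of a user:role:type:level context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


@dataclass
class Denial:
    serial: str
    perms: tuple
    avc: dict
    syscall: dict = field(default_factory=dict)

    def source_type(self):
        return context_type(self.avc.get("scontext", ""))

    def target_type(self):
        return context_type(self.avc.get("tcontext", ""))


def parse_records(lines):
    """Group AVC and SYSCALL records by audit serial into Denial objects."""
    denials, syscalls = {}, {}
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            d = Denial(m.group("serial"), tuple(m.group("perms").split()),
                       parse_kv(m.group("rest")))
            denials[d.serial] = d
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group("serial")] = parse_kv(m.group("rest"))
    for serial, d in denials.items():
        d.syscall = syscalls.get(serial, {})
    return list(denials.values())


def triage(d):
    """Return (verdict, note).  'mislabeled' means the domain touched a file
    whose type is not the one the policy expects, so relabelling (restorecon)
    rather than a boolean or a policy change is the fix."""
    expected = EXPECTED_HOME_TYPE.get(d.source_type())
    if d.avc.get("tclass") == "file" and expected and d.target_type() != expected:
        return ("mislabeled",
                f"{d.avc.get('name')!r} is {d.target_type()}, expected {expected}; "
                f"uid={d.syscall.get('uid', '?')} exit={d.syscall.get('exit', '?')}; "
                f"run restorecon -RF on the containing directory")
    return ("other", "label is as expected; check booleans or policy for this access")


# Constructed sample: the two records quoted in the thread, joined onto one
# line each, plus a made-up denial whose label is already correct.
SAMPLE_LOG = [
    'host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc: '
    'denied { write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3 '
    'ino=74942440 scontext=system_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=file',
    'host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797): '
    'arch=40000003 syscall=5 success=no exit=-13 a0=9a83590 a1=8241 a2=1b6 '
    'a3=8241 items=0 ppid=7116 pid=7118 auid=0 uid=501 gid=501 euid=501 '
    'suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 '
    'comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)',
    'type=AVC msg=audit(1227116500.000:801): avc: denied { read } for pid=7118 '
    'comm="spamd" name="bayes_toks" dev=sda3 ino=1 '
    'scontext=system_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=file',
]


def triage_log(lines):
    """Map audit serial -> (verdict, note) for every AVC record in lines."""
    return {d.serial: triage(d) for d in parse_records(lines)}


if __name__ == "__main__":
    for serial, (verdict, note) in triage_log(SAMPLE_LOG).items():
        print(f"{serial}: {verdict}: {note}")
```

Run it against the output of `ausearch -m AVC,SYSCALL` (or a pasted setroubleshoot record) and it reports serial 797 as mislabeled, which matches Paul's diagnosis: the fix is `restorecon -RF /home/*/.spamassassin/`, and the `uid=501 exit=-13` pairing makes it visible that DAC already permitted the write.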