https://bugzilla.redhat.com/show_bug.cgi?id=452738

           Summary: selinux denials when using razor and spamassassin (spamd)
           Product: Fedora
           Version: 9
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: low
          Priority: low
         Component: perl-Razor-Agent
        AssignedTo: redhat-bugzilla@xxxxxxxxxxxx
        ReportedBy: roth@xxxxxxxxx
         QAContact: extras-qa@xxxxxxxxxxxxxxxxx
                CC: dwalsh@xxxxxxxxxx,fedora-perl-devel-list@xxxxxxxxxx

Description of problem:

The selinux targeted policy allows the use of razor-admin and razor-report in
selinux enforcing mode (razor_per_role_template etc.) but it is not sufficient
to allow spamassassin to launch razor via its Perl API. When using
spamassassin, the razor libraries, config files, etc. are invoked from the
spamd_t domain.

Tying together razor and spamassassin (spamd_t) using the templates in
razor.if results in module compilation errors due to conflicting rules.

Version-Release number of selected component (if applicable):

perl-Razor-Agent-2.84-4.fc9.i386
spamassassin-3.2.4-4.fc9.i386
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

I did some quick cut-and-paste with razor.if and I came up with a simpler
interface that can be used to interface to spamd_t:

########################################
## <summary>
##      Invoke razor libraries from the target domain
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`ursus_razor_perl_client',`
        gen_require(`
                type razor_t;
                type razor_log_t;
                type razor_var_lib_t;
        ')

        # subset of rules from razor_common_domain_template
        manage_dirs_pattern($1,razor_log_t,razor_log_t)
        manage_files_pattern($1,razor_log_t,razor_log_t)
        manage_lnk_files_pattern($1,razor_log_t,razor_log_t)
        # FIXME: this may end up depositing log files with incorrect labels

        manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t)
        manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
        manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t)

        corenet_tcp_sendrecv_razor_port($1)

        dnl allow $1 { razor_t }:process { signal };
        dnl probably only needed for scripts and such
')

razor_per_role_template(user, user_t, user_r)
ursus_razor_perl_client(spamd_t)
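
One way to check whether the file rules in the interface above account for the denials actually logged for spamd_t. This is an added example, not part of the bug report or of the selinux-policy sources; the audit lines are constructed, example_conf_t is a hypothetical type, and coverage is approximated by target type and object class only.

```python
import re
from collections import defaultdict

# Target types and object classes named by the manage_*_pattern calls in the
# interface. Assumption: coverage is judged by type and class only, not by
# individual permission, and the network rule is not considered.
COVERED_TYPES = {"razor_log_t", "razor_var_lib_t"}
COVERED_CLASSES = {"dir", "file", "lnk_file"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def triage(lines, source_domain="spamd_t"):
    """Split denials raised by source_domain into covered / uncovered rules."""
    result = {"covered": defaultdict(set), "uncovered": defaultdict(set)}
    for line in lines:
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scon"]) != source_domain:
            continue  # not an AVC denial, or raised by another domain
        key = (selinux_type(m["tcon"]), m["tclass"])
        hit = key[0] in COVERED_TYPES and key[1] in COVERED_CLASSES
        result["covered" if hit else "uncovered"][key].update(m["perms"].split())
    return {bucket: dict(rules) for bucket, rules in result.items()}

# Constructed sample audit log lines (not taken from the bug report).
_PFX = 'type=AVC msg=audit(1214300000.100:%d): avc:  denied  { %s } for  pid=2345 comm="%s" '
SAMPLE = [
    _PFX % (1, "write", "spamd") + "scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file",
    _PFX % (2, "append", "spamd") + "scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file",
    _PFX % (3, "search", "spamd") + "scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_var_lib_t:s0 tclass=dir",
    _PFX % (4, "read", "spamd") + "scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file",
    _PFX % (5, "write", "httpd") + "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file",
    "type=SYSCALL msg=audit(1214300000.100:5): arch=40000003 syscall=5 success=no",
]

if __name__ == "__main__":
    for bucket, rules in triage(SAMPLE).items():
        for (ttype, tclass), perms in sorted(rules.items()):
            print(f"{bucket:9} spamd_t -> {ttype}:{tclass} {{ {' '.join(sorted(perms))} }}")
```

Anything reported as uncovered is a denial the interface would not resolve and needs its own rule or a labelling fix.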