On Fri, 2008-05-16 at 10:10 +0200, Daniel Fazekas wrote:
> SELinux appears to stop spamc from being called from procmail:
> type=1401 audit(1210924808.115:14): security_compute_sid: invalid
> context system_u:system_r:spamc_t:s0 for
> scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=process

Create a local policy module either via audit2allow or by hand to permit
it. The rule in particular that is missing is "role system_r types
spamc_t;".

The audit2allow way:
# grep spamc /var/log/audit/audit.log | audit2allow -M myspamc
# semodule -i myspamc.pp

The hand-written way:
# cat myspamc.te
policy_module(myspamc, 1.0)
require {
	role system_r;
	type spamc_t;
}
role system_r types spamc_t;
# make -f /usr/share/selinux/devel/Makefile myspamc.pp
# semodule -i myspamc.pp

>
> procmail logs:
> /usr/bin/spamc: /usr/bin/spamc: cannot execute binary file
> procmail: Error while writing to "/usr/bin/spamc"
> procmail: Rescue of unfiltered data succeeded
>
> In my .procmailrc I have this line:
> INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
>
> Used to work fine in previous releases of Fedora.
> Is there anything I could set to allow this?
>
> I have already tried a full touch ./autorelabel && reboot, it didn't
> help.
>
> SELinux is using
> selinux-policy-targeted-3.3.1-42.fc9.noarch
> selinux-policy-3.3.1-42.fc9.noarch
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
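
Added example, not part of the original message and not code from the SELinux tools: a small parser that pulls the role and type out of "security_compute_sid: invalid context" records like the one quoted above and renders the same hand-written module. It assumes the context is invalid because the role is not associated with the type, as in this thread; the names missing_role_types and render_module and the filler log line are made up for illustration.

```python
import re

# Matches the kernel's "invalid context" record as quoted in the thread.
# Identifiers are limited to SELinux-safe characters so nothing else can
# leak from a log line into generated policy source.
ID = r"[A-Za-z0-9_.-]+"
INVALID_CTX = re.compile(
    rf"security_compute_sid:\s+invalid\s+context\s+"
    rf"{ID}:(?P<role>{ID}):(?P<type>{ID})(?::\S+)?\s+for\s+"
    rf"scontext=\S+\s+tcontext=\S+\s+tclass=(?P<tclass>{ID})"
)

# Constructed sample input: the record from the thread (joined onto one
# line, twice), plus an unrelated constructed line that must be ignored.
RECORD = (
    "type=1401 audit(1210924808.115:14): security_compute_sid: invalid "
    "context system_u:system_r:spamc_t:s0 for "
    "scontext=system_u:system_r:procmail_t:s0 "
    "tcontext=system_u:object_r:spamc_exec_t:s0 tclass=process"
)
SAMPLE_LOG = [RECORD, "type=SYSCALL msg=audit(0.0:1): constructed filler", RECORD]


def missing_role_types(lines):
    """Return sorted, de-duplicated (role, type) pairs from process records."""
    pairs = set()
    for line in lines:
        m = INVALID_CTX.search(line)
        if m and m.group("tclass") == "process":
            pairs.add((m.group("role"), m.group("type")))
    return sorted(pairs)


def render_module(name, pairs, version="1.0"):
    """Render a .te module in the shape of the hand-written one above."""
    out = [f"policy_module({name}, {version})", "require {"]
    out += [f"\trole {r};" for r in sorted({r for r, _ in pairs})]
    out += [f"\ttype {t};" for t in sorted({t for _, t in pairs})]
    out.append("}")
    out += [f"role {r} types {t};" for r, t in pairs]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("myspamc", missing_role_types(SAMPLE_LOG)), end="")
```

Read the generated rule before building and loading it: an invalid context can also come from a user that is not authorized for the role, which a "role ... types ...;" rule does not address.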