Vadym Chepkov wrote:
> I got an interesting denial which took me a bit to figure out.
>
> type=AVC msg=audit(1232788787.310:1787): avc: denied { read } for pid=9836 comm="mail" path="/var/run/yum-cron.EHQJws" dev=dm-3 ino=77843 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file
>
> It comes from the yum-cron package. What happens is that a script starts from cron and creates a temporary file, which inherits the directory's security context. Later it mails it using redirection syntax:
>
> "mail $MAILTO < $YUMTMP"
>
> mailx transitions to system_mail_t and is denied read access to such a temporary file.
>
> I don't think this is the only script with logic like this, and I suspect some other directory needs to be used, but I didn't find a suitable one in sources/sendmail.fc. Before I create a new type/directory, I would like to know whether there is a more proper way to handle cases like this?
>
> Thank you.
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This is a case where I believe we can use the open access. I think a global saying tools like mailers could read ANY tmp file that is handed to them, but cannot open any, would be ok.
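A small triage helper, added here as an example and not part of the thread: it parses the denial Vadym quoted into its fields and flags the pattern he describes, a process denied read on a file but not open, which is what you see when the file was opened by the shell (redirection) and only the descriptor was handed to the confined domain. The second sample record and the function names are constructed for this example.

```python
import re

# Constructed copies of AVC records: the one quoted in the thread, and a
# variant where the mailer opened the file itself (denied { read open }).
SAMPLE_AVC_REDIRECT = (
    'type=AVC msg=audit(1232788787.310:1787): avc: denied { read } for pid=9836 '
    'comm="mail" path="/var/run/yum-cron.EHQJws" dev=dm-3 ino=77843 '
    'scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file'
)
SAMPLE_AVC_OPEN = SAMPLE_AVC_REDIRECT.replace('{ read }', '{ read open }')

_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permission set and key=value fields."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    fields = {}
    for key, val in _KV_RE.findall(line[m.end():]):
        fields[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules name.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    fields['perms'] = set(m.group(1).split())
    return fields


def inherited_fd_pattern(avc):
    """True when the denied I/O is on a descriptor the process did not open.

    A domain that opens a file itself is denied 'open' (alone or alongside
    read/write). With `mail $MAILTO < $YUMTMP` the shell opens the file in
    its own domain, so the mailer only ever needs 'read' on it.
    """
    io_perms = avc['perms'] & {'read', 'write', 'append'}
    return bool(avc['tclass'] == 'file' and io_perms
                and 'open' not in avc['perms'])


def summarize(line):
    """One-line triage string: who was denied what on which type."""
    avc = parse_avc(line)
    kind = 'inherited-fd' if inherited_fd_pattern(avc) else 'direct-open'
    return '%s denied %s on %s (%s) [%s]' % (
        avc['stype'], ' '.join(sorted(avc['perms'])), avc['ttype'],
        avc.get('path', '?'), kind)


if __name__ == '__main__':
    print(summarize(SAMPLE_AVC_REDIRECT))
    print(summarize(SAMPLE_AVC_OPEN))
```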