I am currently trying to tidy up my local modules which have been in place for a number of years and which have probably been superseded by more recent policies. I put SE into permissive mode and removed the relevant local policy module. One resulting denial suggested allowing access with:

    setsebool -P spamd_enable_home_dirs=1

This surprised me because I thought I had this set. Sure enough:

    # getsebool -a | grep spam
    spamassassin_can_network --> off
    spamd_enable_home_dirs --> on

Surely SETroubleshoot should realise that this bool is already set? I can of course recreate a local policy module to deal with this denial, but I just wondered why this came up as a suggested remedy? The full avc is listed below.

Thank you to all involved in this great endeavour...

Mark

Summary
SELinux is preventing the spamd daemon from reading users' home directories.

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux has denied the spamd daemon access to users' home directories. Someone is attempting to access your home directories via your spamd daemon. If you only set up spamd to share non-home directories, this probably signals an intrusion attempt.

Allowing Access
If you want spamd to share home directories you need to turn on the spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"

Fix Command
setsebool -P spamd_enable_home_dirs=1

Additional Information
Source Context:      unconfined_u:system_r:spamd_t:s0
Target Context:      system_u:object_r:user_pyzor_home_t:s0
Target Objects:      /home/mark/.pyzor/servers [ file ]
Source:              pyzor
Source Path:         /usr/bin/python
Port:                <Unknown>
Host:                mydomain.com
Source RPM Packages: python-2.5.1-26.fc9
Target RPM Packages:
Policy RPM:          selinux-policy-3.3.1-118.fc9
Selinux Enabled:     True
Policy Type:         targeted
MLS Enabled:         True
Enforcing Mode:      Permissive
Plugin Name:         spamd_enable_home_dirs
Host Name:           mydomain.com
Platform:            Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count:         723
First Seen:          Sun Nov 2 01:13:46 2008
Last Seen:           Mon Feb 2 14:57:22 2009
Local ID:            22265a4e-86dd-4a61-a314-7c3fc363d5ee
Line Numbers:

Raw Audit Messages:

node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied { getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers" dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file

node=mydomain.com type=SYSCALL msg=audit(1233586642.291:4900): arch=40000003 syscall=195 success=yes exit=0 a0=8774db0 a1=bfc5c3c8 a2=cd9ff4 a3=86f01b8 items=0 ppid=9197 pid=17929 auid=0 uid=500 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=726 comm="pyzor" exe="/usr/bin/python" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
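The check a practitioner would want before recreating a local module, as an added example that is not part of the post above: pull the source type, target type, object class and permission out of the raw AVC record, confirm from the getsebool output whether the suggested boolean is really already on, and build the setools query that shows which allow rule (if any) covers that exact access. In sesearch output a rule that depends on a boolean is followed by the boolean in square brackets, so the query tells you whether spamd_enable_home_dirs gates spamd_t's access to user_pyzor_home_t at all; if no rule comes back, the policy simply has none and flipping the boolean cannot help. The AVC and getsebool lines are the ones from the post, embedded here as constructed sample input; the script only prints the sesearch and audit2why commands (both standard Fedora tools, assumed to be installed on the affected host) rather than running them, so it works on any AVC record, not only this one.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses a raw AVC record and
# the output of `getsebool`, then builds the policy query that shows whether
# any rule (conditional on a boolean or not) permits the denied access.
# Nothing here changes the running policy; the printed commands are meant
# to be run on the affected host.

# Constructed sample input: the AVC record from the report above.
AVC='node=mydomain.com type=AVC msg=audit(1233586642.291:4900): avc: denied { getattr } for pid=17929 comm="pyzor" path="/home/mark/.pyzor/servers" dev=sda8 ino=3172618 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:user_pyzor_home_t:s0 tclass=file'

# Constructed sample input: `getsebool -a | grep spam` as shown in the post.
BOOLS='spamassassin_can_network --> off
spamd_enable_home_dirs --> on'

# avc_field RECORD KEY: the value of "KEY=value" in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permissions listed between "{ }", comma-separated
# so they can be handed to sesearch -p as one argument.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | tr ' ' ','
}

# bool_state GETSEBOOL_OUTPUT NAME: "on" or "off" for that boolean.
bool_state() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $3 }'
}

# sesearch_cmd RECORD: a setools query for allow rules matching exactly the
# source type, target type, class and permissions of the denial. sesearch
# prints a conditional rule with its boolean in [ ] after it; an empty
# result means no rule exists and no boolean change can allow the access.
sesearch_cmd() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# remedy_needed GETSEBOOL_OUTPUT NAME: "already-on" when the suggested
# `setsebool NAME=1` would be a no-op, "set-boolean" otherwise.
remedy_needed() {
    if [ "$(bool_state "$1" "$2")" = on ]; then
        echo already-on
    else
        echo set-boolean
    fi
}

main() {
    printf 'suggested fix: setsebool -P spamd_enable_home_dirs=1 -> %s\n' \
        "$(remedy_needed "$BOOLS" spamd_enable_home_dirs)"
    printf 'run on the host to see which rule, if any, allows this access:\n'
    printf '  %s\n' "$(sesearch_cmd "$AVC")"
    printf 'or let the policy tools explain every denial in the audit log:\n'
    printf '  audit2why -a\n'
}

main
```

Run on the host, the printed sesearch line is what settles the question the post raises: if the rule it returns is gated by spamd_enable_home_dirs, the boolean is the right fix and getsebool should be rechecked; if it returns a rule gated by a different boolean, that is the one to set; if it returns nothing, the only remedy is a local module such as the one that was removed. The SYSCALL record's success=yes is expected in permissive mode and does not mean the policy allowed the access.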