The sa-compile script puts them there; it runs manually from the cron. The sa-compile call is not part of the standard Fedora package and, as I said earlier, this context already exists in the standard policy. Furthermore, Dan, you added it by my request :)

But even though it exists, it is being ignored when the library is created. I am not really sure how the sa-compile script does it, but 'restorecon -R' afterward seems like an appropriate workaround.

Sincerely yours,
Vadym Chepkov

--- On Mon, 7/13/09, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> Subject: Re: spamassassin pre-compiled rules
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: "Fedora SELinux" <fedora-selinux-list@xxxxxxxxxx>
> Date: Monday, July 13, 2009, 11:06 AM
>
> On 07/11/2009 08:06 AM, Vadym Chepkov wrote:
> > spamassassin rules got updated recently and I got this avc
> >
> > type=AVC msg=audit(1247216252.200:31900): avc: denied { execute } for pid=24001 comm="spamd" path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-3 ino=124989 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
> >
> > audit2allow suggests this
> > #============= spamd_t ==============
> > allow spamd_t spamd_var_lib_t:file execute;
> > seems reasonable, but why is it missing in standard policy?
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Vadym, What puts the files in this directory? Are they all shared libraries?
>
> One solution would be to label this directory
>
> # semanage fcontext -a -t lib_t '/var/lib/spamassassin/compiled(/.*)?'
> # restorecon -R -v /var/lib/spamassassin
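
How the rule audit2allow suggested follows from the fields of the AVC record quoted in this thread, as an added example (not part of the original messages and not audit2allow's own code). The function names are hypothetical and the sample is the thread's record joined onto one line.

```python
import re

# Constructed sample: the AVC record quoted in the thread, on a single line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1247216252.200:31900): avc: denied { execute } for '
    'pid=24001 comm="spamd" '
    'path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/'
    'SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-3 ino=124989 '
    'scontext=system_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file'
)

# "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values may be double-quoted (comm, path).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def selinux_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a security context: {context!r}')
    return parts[2]


def allow_rule(avc):
    """Build the allow rule matching one parsed denial."""
    perms = avc['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"allow {selinux_type(avc['scontext'])} "
            f"{selinux_type(avc['tcontext'])}:{avc['tclass']} {perm_txt};")


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(avc['path'])      # the object whose label was checked
    print(allow_rule(avc))  # the rule the denial maps to
```

The target type in the rule comes from the label on the file at `path`, which is why relabeling that path changes which rule, if any, is needed.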