On 03/16/2010 05:37 PM, Paul Howarth wrote:
> I think these are leaked file descriptors from spamass-milter but the
> curious thing is, I don't see them when I run the milter in its normal
> configuration as a non-root user; they only appear when it's run as
> root (which I'm only doing to test a patch for a security
> vulnerability, and I have to do that in permissive mode too since
> SELinux makes the vulnerability very difficult to test ;-) )
>
> type=AVC msg=audit(1268768820.019:35365): avc: denied { read write } for pid=4941 comm="spamc" name="1" dev=devpts ino=4 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
>
> type=SYSCALL msg=audit(1268768820.019:35365): arch=c000003e syscall=59 success=yes exit=0 a0=409fae a1=7f6c98000f70 a2=7fff2c255858 a3=7f6ca0ffa7c0 items=0 ppid=1368 pid=4941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3170 comm="spamc" exe="/usr/bin/spamc" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
>
> Why would they only appear when the process that calls spamc is running
> as root?
>
> Paul.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I would figure there is some DAC permission that is preventing the access before SELinux gets involved. Like the terminal device is owned by root, so you are blocked when you are non-root.
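To read the two records Paul quoted as one event, here is an added example (not from the thread or from any SELinux tool) that parses audit lines, joins the AVC record to the SYSCALL record with the same serial, and pulls out the fields an analyst checks first: the denied permissions, the source and target types, the device object, the executable and whether the caller ran as uid 0. The sample input is constructed from the two records above; the regexes assume the key=value layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample: the two audit records quoted in the thread (same serial 35365).
SAMPLE = """\
type=AVC msg=audit(1268768820.019:35365): avc: denied { read write } for pid=4941 comm="spamc" name="1" dev=devpts ino=4 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1268768820.019:35365): arch=c000003e syscall=59 success=yes exit=0 a0=409fae a1=7f6c98000f70 a2=7fff2c255858 a3=7f6ca0ffa7c0 items=0 ppid=1368 pid=4941 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3170 comm="spamc" exe="/usr/bin/spamc" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
PERMS = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}")
KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # bare, "quoted" or (parenthesised) values

def parse_record(line):
    """Parse one audit record into a dict; return None for lines that are not records."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    p = PERMS.search(body)
    if p:  # only AVC records carry a decision and a permission set
        rec["decision"], rec["perms"] = p.group(1), p.group(2).split()
    for key, val in KV.findall(body):
        rec[key] = val.strip('"')
    return rec

def correlate(text):
    """Group records by audit serial so each AVC sits beside the SYSCALL that caused it."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)

def summarize(event):
    """Reduce one correlated event to the fields worth looking at first."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    return {
        "decision": avc.get("decision"),
        "perms": avc.get("perms", []),
        "source_type": avc["scontext"].split(":")[2],  # e.g. spamc_t
        "target_type": avc["tcontext"].split(":")[2],  # e.g. user_devpts_t
        "tclass": avc.get("tclass"),
        "object": f"{avc.get('dev')}:{avc.get('name')}",  # name is the last path component on the device
        "exe": sc.get("exe"),
        "as_root": sc.get("uid") == "0",  # the condition under which Paul sees the denial
    }
```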