Re: Fedora 21 running sendmail, selinux preventing spamc write access to a fifo

["James T. Kirk" <jtkirk@xxxxxxxxxxxx>]

/var/log/audit/audit.log has several of these:

type=AVC msg=audit(1420286239.025:255316): avc:  denied  { write } for  
pid=29005 comm="spamc" path="pipe:[1505813]" dev="pipefs" ino=1505813 
scontext=system_u:system_r:spamc_t:s0 
tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1420286239.025:255316): arch=c000003e syscall=59 
success=yes exit=0 a0=7ff563343380 a1=7ff5633463b0 a2=7ff5633462f0 a3=8 
items=0 ppid=29004 pid=29005 auid=4294967295 uid=1001 gid=1001 euid=1001 
suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) 
ses=4294967295 comm="spamc" exe="/usr/bin/spamc" 
subj=system_u:system_r:spamc_t:s0 key=(null)
type=PROCTITLE msg=audit(1420286239.025:255316): proctitle="/usr/bin/spamc"

On 1/3/15 4:58 AM, Daniel J Walsh wrote:
> You need to include the AVC messages.
>
>
> On 01/02/2015 11:17 PM, jtkirk wrote:
> > I'm running a Fedora 21 64-bit system, sendmail and spamassassin.
> > Upgraded a little over a week ago from Fedora 20.
> >
> > Don't recall seeing these alerts with Fedora 20.... Only been using
> > SELinux in enforcing mode for a couple months now (apologies in
> > advance if I'm not providing the relevant details - please let me know
> > what else to include). I searched for similar issues but couldn't find
> > anything more recent than 2009.
> >
> > SELinux Alert:
> >
> > The source process: /usr/bin/spamc
> > Attempted this access: write
> > On this fifo_file: fifo_file
> >
> > SETroubleshoot Details Window reports:
> >
> > SELinux is preventing /usr/bin/spamc from write access on the
> > fifo_file fifo_file.
> >
> > *****  Plugin leaks (86.2 confidence) suggests
> > *****************************
> >
> > If you want to ignore spamc trying to write access the fifo_file
> > fifo_file, because you believe it should not need this access.
> > Then you should report this as a bug.
> > You can generate a local policy module to dontaudit this access.
> > Do
> > # grep /usr/bin/spamc /var/log/audit/audit.log | audit2allow -D -M mypol
> > # semodule -i mypol.pp
> >
> > *****  Plugin catchall (14.7 confidence) suggests
> > **************************
> >
> > If you believe that spamc should be allowed write access on the
> > fifo_file fifo_file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep spamc /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> > Additional Information:
> > Source Context                system_u:system_r:spamc_t:s0
> > Target Context                system_u:system_r:sendmail_t:s0
> > Target Objects                fifo_file [ fifo_file ]
> > Source                        spamc
> > Source Path                   /usr/bin/spamc
> > Port                          <Unknown>
> > Host                          mail.streetparknyc.com
> > Source RPM Packages           spamassassin-3.4.0-12.fc21.x86_64
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
> > Selinux Enabled               True
> > Policy Type                   targeted
> > Enforcing Mode                Enforcing
> > Host Name                     mail.streetparknyc.com
> > Platform                      Linux mail.streetparknyc.com
> >                                3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17
> > 03:08:44
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux