On 08/31/2015 08:28 PM, Tom Rivers wrote:
> Hello!
>
> I have posted information regarding the error message I'm seeing at
> Github.com in the Pyzor forum located here:
>
> https://github.com/SpamExperts/pyzor/issues/41#issuecomment-135539930
>
> Basically, I was looking at the output of "journalctl -f" on my Fedora
> 21 system while trying to fine tune SpamAssassin the other day and found
> the following:
>
>
> Aug 27 09:33:16 impact-crater.com spamd[20895]: spamd: processing
> message <20150827133258.6E19C61B70D1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> for sa-milt:986
> Aug 27 09:33:17 impact-crater.com python[22066]: detected unhandled
> Python exception in '/usr/bin/pyzor'
> Aug 27 09:33:17 impact-crater.com setroubleshoot[7528]: SELinux is
> preventing pyzor from getattr access on the file /usr/bin/rpm. For
> complete SELinux messages. run sealert -l
> 09532028-c2c0-472e-b39f-c52ef00c5dc6
> Aug 27 09:33:17 impact-crater.com python[7528]: SELinux is preventing
> pyzor from getattr access on the file /usr/bin/rpm.
>
>
> Running the sealert command referenced above yields the following:
>
>
> SELinux is preventing pyzor from getattr access on the file /usr/bin/rpm.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that pyzor should be allowed getattr access on the rpm
> file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep pyzor /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context                system_u:system_r:spamc_t:s0
> Target Context                system_u:object_r:rpm_exec_t:s0
> Target Objects                /usr/bin/rpm [ file ]
> Source                        pyzor
> Source Path                   pyzor
> Port                          <Unknown>
> Host                          impact-crater.com
> Source RPM Packages
> Target RPM Packages           rpm-4.12.0.1-7.fc21.x86_64
> Policy RPM                    selinux-policy-3.13.1-105.20.fc21.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     impact-crater.com
> Platform                      Linux impact-crater.com
>                               4.1.5-100.fc21.x86_64 #1
>                               SMP Tue Aug 11 00:24:23 UTC 2015 x86_64
>                               x86_64
> Alert Count                   33
> First Seen                    2015-08-27 08:35:55 EDT
> Last Seen                     2015-08-27 09:36:08 EDT
> Local ID                      09532028-c2c0-472e-b39f-c52ef00c5dc6
>
> Raw Audit Messages
> type=AVC msg=audit(1440682568.916:5869): avc: denied { getattr } for
> pid=22308 comm="pyzor" path="/usr/bin/rpm" dev="dm-1" ino=1977835
> scontext=system_u:system_r:spamc_t:s0
> tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
>
> Hash: pyzor,spamc_t,rpm_exec_t,file,getattr
>
>
> Here is some relevant system info with respect to the system in question:
>
>
> kernel-4.1.5-100.fc21.x86_64
> pyzor-0.5.0-10.fc21.noarch
> Python 2.7.8 (default, Apr 15 2015, 09:26:43)
> [GCC 4.9.2 20150212 (Red Hat 4.9.2-6)] on linux2
>
>
> One of the guys at Github who initially responded indicated that,
> "There's nothing in Pyzor that would try to access /usr/bin/rpm."
> Evidently SELinux is upset at something so I figured it would be a good
> idea to also post on this list to see if anyone here knows anything I
> can do to help identify what's happening.

It will be a library call and it would require more debugging. Basically
I would also try to run it in permissive mode

# semanage permissive -a spamc_t

to see if you can get more AVCs.

>
> Thanks!
>
>
> Tom
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
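
Added example, not part of either message or of any project's code: a small Python script that condenses AVC denials into the same comm, source type, target type, class, permission tuple as the "Hash:" line in the sealert output, and separates enforced denials from those logged once the domain is permissive. The first sample record is the AVC quoted above, re-joined onto one line; the other two records are constructed.

```python
import re
from collections import Counter

# Sample records. The first is the AVC quoted in the thread (re-joined onto
# one line); the other two are constructed to show permissive-mode output.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1440682568.916:5869): avc:  denied  { getattr } for pid=22308 comm="pyzor" path="/usr/bin/rpm" dev="dm-1" ino=1977835 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1440682600.100:5901): avc:  denied  { getattr } for pid=22400 comm="pyzor" path="/usr/bin/rpm" dev="dm-1" ino=1977835 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1440682600.101:5902): avc:  denied  { read open } for pid=22400 comm="pyzor" path="/usr/bin/rpm" dev="dm-1" ino=1977835 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is what policy rules use.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Count denials per (comm, source type, target type, class, perm, enforced)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # permissive=0 means the access was actually blocked, not just logged.
        enforced = rec.get('permissive', '0') == '0'
        for perm in rec['perms']:
            counts[(rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], perm, enforced)] += 1
    return counts

if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(n, ','.join(map(str, key)))
```

Tuples that appear only with the enforced flag False are accesses that were hidden behind the first blocked call, which is the extra information the permissive-domain step is meant to surface.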