[CentOS] procmail can't invoke spamc/spamassassin in 5.3 due to SElinux denials
Mike A. Harris
mharris at mharris.ca
Fri Apr 3 13:52:11 UTC 2009
I just discovered that my spam filters are not being properly executed
in CentOS 5.3 when procmail attempts to invoke spamc. I have
spamd running properly, and can invoke spamassassin and spamc from the
bash prompt manually without any issues, however procmail fails with
"permission denied" then bails. Watching the procmail.log I get the
following:
procmail: Executing "/usr/bin/spamc"
/bin/sh: /usr/bin/spamc: Permission denied
procmail: Program failure (126) of "/usr/bin/spamc"
procmail: Rescue of unfiltered data succeeded
Examining the SELinux audit logs, I discovered:
type=AVC msg=audit(1238765234.301:1752): avc: denied { execute } for pid=20177 comm="procmail" name="spamc" dev=hda1 ino=936505 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1238765234.301:1752): arch=40000003 syscall=11 success=no exit=-13 a0=95c0d90 a1=95c0020 a2=95c3cf0 a3=0 items=0 ppid=20176 pid=20177 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=12 fsgid=500 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1238765234.325:1753): avc: denied { read } for pid=20177 comm="sh" name="spamc" dev=hda1 ino=936505 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1238765234.325:1753): arch=40000003 syscall=5 success=no exit=-13 a0=9a95718 a1=8000 a2=0 a3=8000 items=0 ppid=20176 pid=20177 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:procmail_t:s0 key=(null)
Here is a similar web forum report from someone else:
http://tinyurl.com/cpkvpg
Didn't find any reports in CentOS bugzilla about this yet, however I
found one in Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=486187
Shall I file a tracking bug in CentOS bugzilla, or just wait for the
trickle down?
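
Grouping the AVC denials quoted in the message by source type, target type and object class shows that both records are the same domain (procmail_t) being refused access to the same file type (spamc_exec_t). This is an added example, not part of the original message; the function names are illustrative, and the sample lines are the message's AVC records rejoined onto single lines plus one abridged SYSCALL record.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the message, each rejoined onto
# one line, plus one SYSCALL record (abridged) to show non-AVC lines are skipped.
SAMPLE = (
    'type=AVC msg=audit(1238765234.301:1752): avc: denied { execute } for '
    'pid=20177 comm="procmail" name="spamc" dev=hda1 ino=936505 '
    'scontext=system_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1238765234.301:1752): arch=40000003 syscall=11 '
    'success=no exit=-13 comm="procmail" exe="/usr/bin/procmail"\n'
    'type=AVC msg=audit(1238765234.325:1753): avc: denied { read } for '
    'pid=20177 comm="sh" name="spamc" dev=hda1 ino=936505 '
    'scontext=system_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def selinux_type(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "names": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comms"].add(rec.get("comm", "?"))
        groups[key]["names"].add(rec.get("name", "?"))
    return {k: {f: sorted(v) for f, v in g.items()} for k, g in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} denied {g['perms']} (comm={g['comms']}, name={g['names']})")
```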