Operating system: Scientific Linux 5 (a clone of Red Hat Enterprise 5), fully updated
I don't really understand SELinux. As far as I can tell, it has prevented me from doing some things that I want to do, but I haven't seen it block a real threat yet. I'm using it as installed with the O/S, set to permissive mode. It's filling up the log file with messages like
Quote:
Jul 15 04:02:10 hostname setroubleshoot: SELinux is preventing the spamassassin from using potentially mislabeled files (.spamassassin8228JHeKs1tmp).
For complete SELinux messages. run sealert -l 90f3574b-2d67-4d61-af41-3a1a282b716f
Here's what the sealert report says:
Quote:
# sealert -l 90f3574b-2d67-4d61-af41-3a1a282b716f
Summary
SELinux is preventing the spamassassin from using potentially mislabeled
files (.spamassassin8228JHeKs1tmp).
Detailed Description
SELinux has denied spamassassin access to potentially mislabeled file(s)
(.spamassassin8228JHeKs1tmp). This means that SELinux will not allow
spamassassin to use these files. It is common for users to edit files in
their home directory or tmp directories and then move (mv) them to system
directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.
Allowing Access
If you want spamassassin to access this files, you need to relabel them
using restorecon -v .spamassassin8228JHeKs1tmp. You might want to relabel
the entire directory using restorecon -R -v .
Additional Information
Source Context system_u:system_r:procmail_t
Target Context system_u:object_r:tmp_t
Target Objects .spamassassin8228JHeKs1tmp [ file ]
Affected RPM Packages
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.home_tmp_bad_labels
Host Name hostname.domain
Platform Linux hostname.domain 2.6.18-8.1.6.el5 #1 SMP
Thu Jun 14 16:07:18 EDT 2007 x86_64 x86_64
Alert Count 1
Line Numbers
Raw Audit Messages
avc: denied { create } for comm="spamassassin" dev=cciss/c0d0p2 egid=500
euid=500 exe="/usr/bin/perl" exit=3 fsgid=500 fsuid=500 gid=500 items=0
name=".spamassassin8228JHeKs1tmp" pid=8228
scontext=system_u:system_r:procmail_t:s0 sgid=500
subj=system_u:system_r:procmail_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:tmp_t:s0 tty=(none) uid=500
It does no good to run restorecon on the file, since it uses a different file name each time. I have tried restorecon on my home directory and /tmp with no apparent effect. (I'm not sure where it's trying to create the file.)
Is there a way to convince SELinux not to do this? Please be gentle.
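
Added example (not part of the original post): a small parser for the raw audit message quoted above. It groups AVC denials by source type, target type and object class, so repeated alerts that differ only in the temp-file name collapse into one entry. The first sample record is the one from the post; the second is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# First record: the raw audit message from the post (wrapped as sealert prints it).
# Second record: constructed repeat with a different temp-file name and pid.
SAMPLE = '''
avc: denied { create } for comm="spamassassin" dev=cciss/c0d0p2 egid=500
euid=500 exe="/usr/bin/perl" exit=3 fsgid=500 fsuid=500 gid=500 items=0
name=".spamassassin8228JHeKs1tmp" pid=8228
scontext=system_u:system_r:procmail_t:s0 sgid=500
subj=system_u:system_r:procmail_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:tmp_t:s0 tty=(none) uid=500
avc: denied { create } for comm="spamassassin" dev=cciss/c0d0p2
name=".spamassassin9001AbCdE2tmp" pid=9001
scontext=system_u:system_r:procmail_t:s0 tclass=file
tcontext=system_u:object_r:tmp_t:s0
'''

# One record runs from "avc: denied { perms } for" up to the next "avc:" or end of text.
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=avc:|\Z)', re.S)
# key=value pairs; values are either double-quoted or a run of non-whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per AVC denial; records may be wrapped across lines."""
    for perms, body in AVC_RE.findall(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        fields["perms"] = perms.split()
        yield fields

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def group_denials(text):
    """Map (source type, target type, class) -> denied perms and object names."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for rec in parse_avc(text):
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["names"].add(rec.get("name", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), info in group_denials(SAMPLE).items():
        print(src, "->", f"{tgt}:{cls}", sorted(info["perms"]),
              len(info["names"]), "distinct file names")
```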