Package: amavisd-new
Severity: normal

The current cron.d cronjob is problematic with SELinux. It will cause audit errors like this:

Jul 31 06:18:10 elrond kernel: audit(1154319490.015:4543): avc: denied { read } for pid=23754 comm="sa-learn" name="bayes_toks" dev=md2 ino=143614 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c255 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=file

This is because "system_crond_t" is writing to "amavis_var_lib_t".

A hackish solution would give all system cron jobs write access to the amavis lib files; but that sounds like a bad idea, actually.

It would be easy to work around if the cron.d file wouldn't be calling "sa-learn --rebuild" directly, but via a helper script. For SELinux, the helper script could then transition into the appropriate domain.

e.g. /usr/sbin/amavisd-new-cron
---
#!/bin/sh
exec /usr/bin/sa-learn --rebuild >/dev/null 2>&1
---
should be sufficient. The rest could then be handled with some policy rules and appropriate file labeling of /usr/sbin/amavisd-new-cron

Thank you.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16.18
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)
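
The denial quoted in the report, taken apart as an added example (not part of the original message): a small Python parser that pulls the source domain, target type, class and permissions out of AVC lines and groups the denials raised while a job was still running in the generic system_crond_t domain, which is the symptom of a cron job that never transitioned. The first sample line is the one from the report; the other two, and all function names, are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the report; the other two are constructed.
SAMPLE_LOG = [
    'Jul 31 06:18:10 elrond kernel: audit(1154319490.015:4543): avc: denied { read } for pid=23754 comm="sa-learn" name="bayes_toks" dev=md2 ino=143614 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c255 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=file',
    'Jul 31 06:18:11 elrond kernel: audit(1154319491.020:4544): avc: denied { write } for pid=23754 comm="sa-learn" name="bayes_toks" dev=md2 ino=143614 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c255 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=file',
    'Jul 31 06:20:00 elrond kernel: audit(1154319600.000:4545): avc: denied { getattr } for pid=100 comm="exampled" name="example.conf" dev=md2 ino=1 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GENERIC_CRON_DOMAINS = {'system_crond_t'}  # the domain named in the report


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        # user:role:type[:level]; the MLS level may itself contain colons.
        parts = rec[key].split(':', 3)
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else ''
    return rec


def untransitioned_cron_denials(lines):
    """Group denials whose source is still the generic system cron domain."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'names': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['scontext_type'] not in GENERIC_CRON_DOMAINS:
            continue
        g = groups[(rec['scontext_type'], rec['tcontext_type'], rec.get('tclass', '?'))]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec.get('comm', '?'))
        g['names'].add(rec.get('name', '?'))
    return dict(groups)


if __name__ == '__main__':
    for (src, tgt, cls), g in untransitioned_cron_denials(SAMPLE_LOG).items():
        print(f"{sorted(g['comms'])} ran as {src}: denied {sorted(g['perms'])} on {tgt}:{cls} {sorted(g['names'])}")
```
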