On Fri, 2006-07-14 at 18:14 +0100, Paul Howarth wrote:
<snip>
I think I've got to the bottom of this now. I actually installed perl-Razor-Agent myself (I'm using sendmail but that doesn't really matter) to figure out what was happening.
razor, like spamassassin, is written in perl. This allows spamassassin to call razor directly by simply using the razor perl modules rather than the razor client "binaries" in /usr/bin. Thus spamassassin runs a razor client in its own domain, spamd_t. There is in fact no need for a domain transition from spamd_t to razor_t.
Now to get rid of the AVCs. Please update to the policy modules included below. Then:
# mkdir /var/log/spamassassin
# restorecon -v /var/log/spamassassin
Edit /etc/mail/spamassassin/razor/razor-agent.conf and set:
logfile = /var/log/spamassassin/razor-agent.log
Then restart spamassassin.
Thanks Paul. I appreciate your persistence with this.
All done.
Any thoughts on why dccproc might be wanting to read /root/.rh-fontconfig/.fonts.cache-2?
No definitive answer.
Checking the dcc source code tree using grep, the only references to 'font' are in the cgi-bin files (common and common.in) and then in the HTML files (FAQ.HTML and INSTALL.HTML).
I think this is probably a leaked file descriptor. I don't know where the leak is or what to do about it though.
<snip of policies>
Latest avc's below, subsequent to the updates and reboots. I have tried to remove a lot of the dups. If you need more info, let me know.
Marc
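Added example (not part of the original message or of the policy modules it mentions): a short Python script that collapses repeated AVC denials into one entry per source type, target type and class, and lists commands that ran inside spamd_t without a domain transition, the situation described above for the razor client. The log lines are constructed samples in audit.log format, and the names summarize, se_type, report and helpers_in_domain are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not copied from the message).
SAMPLE_LOG = """\
type=AVC msg=audit(1000000001.100:101): avc:  denied  { getattr } for  pid=2001 comm="spamd" name="dccproc" dev=sda1 ino=1111 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1000000001.100:101): arch=40000003 syscall=195 success=no exit=-13 comm="spamd" exe="/usr/bin/perl"
type=AVC msg=audit(1000000360.200:120): avc:  denied  { getattr } for  pid=2001 comm="spamd" name="dccproc" dev=sda1 ino=1111 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_client_exec_t:s0 tclass=file
type=AVC msg=audit(1000000400.300:130): avc:  denied  { search } for  pid=2050 comm="dccproc" name="dcc" dev=dm-1 ino=2222 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:dcc_var_t:s0 tclass=dir
type=AVC msg=audit(1000000500.400:140): avc:  denied  { read } for  pid=2100 comm="mingetty" name="utmp" dev=dm-1 ino=3333 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
type=AVC msg=audit(1000000500.400:141): avc:  denied  { read write } for  pid=2100 comm="mingetty" name="utmp" dev=dm-1 ino=3333 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other companion records
        entry = rules[(se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])]
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
        entry["count"] += 1
    return dict(rules)

def report(rules):
    """One review line per distinct denial, sorted by source type."""
    lines = []
    for (src, tgt, cls), e in sorted(rules.items()):
        perms, comms = " ".join(sorted(e["perms"])), ",".join(sorted(e["comms"]))
        lines.append(f"{src} -> {tgt}:{cls} {{ {perms} }} x{e['count']} comm={comms}")
    return lines

def helpers_in_domain(rules, domain, daemon_comm):
    """Commands other than the daemon itself seen running in `domain`."""
    return sorted({c for (src, _, _), e in rules.items() if src == domain
                   for c in e["comms"] if c != daemon_comm})

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

A command name showing up under helpers_in_domain is only a hint, since comm is the process name and not its executable path; check the exe= field of the matching SYSCALL record before changing policy.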