Hello all,
I use Spamassassin on my server. It regularly downloads updated signatures
and checks the download using GPG. Since I upgraded to
selinux-policy-targeted-3.9.16-44.fc15.noarch this week I have been
getting errors reported by Spamassassin:
========8<==============================================================
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
02-Nov-2011 06:05:06: SpamAssassin: Update available, but download or extract failed
========8<==============================================================
I also get an SELinux AVC (full details below).
What is the best way to deal with this?
Thanks in advance...
Mark
========8<==============================================================
SELinux is preventing /usr/bin/gpg from read access on the file
.spamassassin12765zsyG6Ftmp.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that gpg should be allowed read access on the
.spamassassin12765zsyG6Ftmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gpg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context                system_u:system_r:gpg_t:s0-s0:c0.c1023
Target Context                system_u:object_r:spamd_tmp_t:s0
Target Objects                .spamassassin12765zsyG6Ftmp [ file ]
Source                        gpg
Source Path                   /usr/bin/gpg
Port                          <Unknown>
Host                          mydomain.org.uk
Source RPM Packages           gnupg-1.4.11-3.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     troodos.org.uk
Platform                      Linux mydomain.org.uk 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue Oct 4 00:44:38 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon Oct 31 05:22:55 2011
Last Seen                     Wed Nov 2 06:05:06 2011
Local ID                      bb4e6159-04a3-4e8c-b5f5-f41c0ff80d56
Raw Audit Messages
type=AVC msg=audit(1320213906.154:7990): avc: denied { read } for pid=12766 comm="gpg" name=".spamassassin12765zsyG6Ftmp" dev=sda5 ino=1058383 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1320213906.154:7990): arch=i386 syscall=open success=no exit=EACCES a0=bfe78f49 a1=8000 a2=0 a3=bfe78f49 items=0 ppid=12765 pid=12766 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1070 comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0-s0:c0.c1023 key=(null)
Hash: gpg,gpg_t,spamd_tmp_t,file,read
audit2allow
#============= gpg_t ==============
allow gpg_t spamd_tmp_t:file read;
audit2allow -R
#============= gpg_t ==============
allow gpg_t spamd_tmp_t:file read;
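
Added example, not part of the original message: a small Python parser that derives the allow rule from the raw AVC record above, restricted to one source/target type pair. The suggested `grep gpg ... | audit2allow` pipeline feeds every audit line mentioning gpg into the module, so filtering on the types keeps a local module to the single denial being reviewed. The function names and the second log record are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the post (joined onto one line),
# plus one invented, unrelated gpg denial to show the filtering.
SAMPLE_LOG = """\
type=AVC msg=audit(1320213906.154:7990): avc: denied { read } for pid=12766 comm="gpg" name=".spamassassin12765zsyG6Ftmp" dev=sda5 ino=1058383 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
type=AVC msg=audit(1320213999.001:8001): avc: denied { read write } for pid=12999 comm="gpg" name="example" dev=sda5 ino=42 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (selinux_type(m["scon"]), selinux_type(m["tcon"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(log_text, source=None, target=None):
    """Build allow rules, optionally restricted to one source/target type."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        if source and src != source:
            continue
        if target and tgt != target:
            continue
        merged[(src, tgt, cls)] |= perms  # merge repeated denials per triple
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, source="gpg_t", target="spamd_tmp_t"):
        print(rule)
```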