Re: yum-cron fails trying to mail a temporary file
- From: Daniel J Walsh <dwalsh redhat com>
- To: Vadym Chepkov <chepkov yahoo com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: yum-cron fails trying to mail a temporary file
- Date: Tue, 27 Jan 2009 09:05:14 -0500
Vadym Chepkov wrote:
> I got an interesting denial which took me a bit to figure out.
>
> type=AVC msg=audit(1232788787.310:1787): avc: denied { read } for pid=9836 comm="mail" path="/var/run/yum-cron.EHQJws" dev=dm-3 ino=77843 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file
>
> It comes from yum-cron package. What happens is a script starts from cron and creates a temporary file which inherits directory security context. Later it mails it using redirection syntax:
> "mail $MAILTO < $YUMTMP"
>
> mailx transitions to system_mail_t and is denied to read such a temporary file.
>
> I don't think this is a unique script that has similar logic and I suspect some other directory needs to be used, but I didn't find any suitable in sources/sendmail.fc and before I create a new type/directory I would like to know maybe there is a more proper way to handle cases like this?
>
> Thank you.
> Sincerely yours,
> Vadym Chepkov
This is a case where I believe we can use the open access.
I think a global saying tools like mailers could read ANY tmp file that
is handed to them, but can not open any would be ok.
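The distinction the reply draws between reading a file that is handed over and opening one is visible in the audit record itself: the denial quoted above lists `read` with no `open`. As an added example (not from the thread or from any SELinux tool), this Python sketch parses AVC lines and flags such descriptor-only denials; the second sample record, the `FD_USE_PERMS` set and the classification heuristic are assumptions constructed for illustration.

```python
import re

# Sample records: the first is the denial quoted in the thread, the second is
# a constructed contrast case where the mailer tries to open a path itself.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1232788787.310:1787): avc: denied { read } for pid=9836 comm="mail" path="/var/run/yum-cron.EHQJws" dev=dm-3 ino=77843 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file
type=AVC msg=audit(1232788790.100:1790): avc: denied { read open } for pid=9901 comm="mail" name="example.log" dev=dm-3 ino=12345 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed set of permissions that use an existing descriptor without opening.
FD_USE_PERMS = {"read", "write", "append", "getattr", "ioctl", "lock"}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    # Contexts are user:role:type:level; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def is_handed_in_descriptor(rec):
    """Heuristic: denial on a regular file that only uses a descriptor, no open."""
    perms = rec["perms"]
    return (rec.get("tclass") == "file" and bool(perms)
            and "open" not in perms and perms <= FD_USE_PERMS)

def classify(text):
    """Yield (source_type, target_type, perms, kind) for each AVC denial."""
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        kind = "handed-in descriptor" if is_handed_in_descriptor(rec) else "opened by domain"
        yield rec["source_type"], rec["target_type"], sorted(rec["perms"]), kind

if __name__ == "__main__":
    for row in classify(SAMPLE_AUDIT):
        print(row)
```

Denials classified as "handed-in descriptor" are the ones a read-without-open rule would cover; the others would still be refused because the domain tried to open the file itself.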