5

I tried to change it, but it wouldn't let me.

# ls -dZ /usr/local/spamassassin
drwx------. spam spam system_u:object_r:usr_t:s0       /usr/local/spamassassin

# chcon -v --type=spamd_t /usr/local/spamassassin
changing security context of `/usr/local/spamassassin'
chcon: failed to change context of `/usr/local/spamassassin' to `system_u:object_r:spamd_t:s0': Permission denied

audit.log:
type=AVC msg=audit(1483587389.449:354941): avc:  denied  { append } for  pid=31588 comm="spamd" name="spamfilter.log" dev=xvde ino=24109 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

CentOS release 6.8 (Final)

Chloe

2 Answers

3

The reason why you received permission denied is that the spamd_t type is not a valid SELinux type. You may need some packages to be installed to make it a valid type. I'm not sure there. But I'll go over your answer to ensure you're following best practices.


semanage fcontext -a -t spamc_home_t "/usr/local/spamassassin(/.*)?"

This will add a rule to recursively change the SELinux type to spamc_home_t for anything under /usr/local/spamassassin, including the directory itself, but these changes will not take effect immediately.

To make these changes take effect immediately I would run the following immediately after the above command:

restorecon -rv /usr/local/spamassassin

This will restore the default SELinux contexts based on the rules the system has. This is effectively the same behavior that happens when the system is rebooted or a new file is created. It's better than using chcon because it reads from the rule set (that you just modified with the above command) rather than making an ad-hoc non-persistent change.

1
# chcon -vR --type=spamc_home_t /usr/local/spamassassin
changing security context of `/usr/local/spamassassin/.bash_profile'
changing security context of `/usr/local/spamassassin/.bash_logout'
changing security context of `/usr/local/spamassassin/.bashrc'
changing security context of `/usr/local/spamassassin/spamfilter.log'
changing security context of `/usr/local/spamassassin'


# semanage fcontext -a -t spamc_home_t "/usr/local/spamassassin(/.*)?"


# service spamassassin restart
Stopping spamd:                                            [  OK  ]
Starting spamd:                                            [  OK  ]

https://wiki.centos.org/HowTos/SELinux#head-0f6390ddacfab39ee973ed8018a32212c2a02199

I used

# grep spamd_t /var/log/audit/audit.log | audit2allow

which spit out a bunch of contexts in a comment and I just had to guess at which one. I don't know how to pick the correct one.

Chloe
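As an added example (not code from either poster), this shell script splits the AVC record quoted in the question into its fields and prints the `sesearch` query (from setools) that lists the file types the policy already lets `spamd_t` append to, which is one way to choose a type instead of guessing. The function names are hypothetical, and the sample line is the record from the question.

```shell
#!/bin/sh
# Added example: read an SELinux AVC denial field by field.
# Function names are hypothetical; SAMPLE_AVC is the record quoted in the question.

SAMPLE_AVC='type=AVC msg=audit(1483587389.449:354941): avc:  denied  { append } for  pid=31588 comm="spamd" name="spamfilter.log" dev=xvde ino=24109 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes dropped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms LINE: print the denied permissions, comma separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p' | tr ' ' ','
}

# avc_type LINE KEY: print the type (third field) of scontext or tcontext.
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}

# avc_summary LINE: which domain was denied which permission on which label.
avc_summary() {
    printf 'domain=%s perms=%s class=%s target_type=%s name=%s\n' \
        "$(avc_type "$1" scontext)" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_type "$1" tcontext)" \
        "$(avc_field "$1" name)"
}

# avc_sesearch LINE: print (not run) the setools query that lists the target
# types this domain is already allowed to use with the denied permissions.
avc_sesearch() {
    printf 'sesearch --allow -s %s -c %s -p %s\n' \
        "$(avc_type "$1" scontext)" "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

avc_summary "$SAMPLE_AVC"
avc_sesearch "$SAMPLE_AVC"
```

The `scontext` type is the domain the process runs in and the `tcontext` type is the label currently on the file, so the label to change is the file's. A type taken from the `sesearch` output can then be recorded with `semanage fcontext` and applied with `restorecon`.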