Bug 1058772

Summary:	/razor-agent.log is in / once system is in enforcing mode
Product:	Red Hat Enterprise Linux 6	Reporter:	Michal Bruncko <michal.bruncko>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED WONTFIX	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	6.5	CC:	dwalsh, jk, mgrepl, mmalik
Target Milestone:	rc
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-02-25 11:25:50 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Michal Bruncko 2014-01-28 14:01:50 UTC

I am observing the following issue on RHEL 6.5:

Once I have installed spamassassin on SELinux-enabled server, the razor component is writing its own logs in /razor-agent.log instead of home-directory of the user which executed spamd (spamd "-H" parameter without value - root by default).

The behavior is following:

1. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H" (i.e. without defining specific home-directory) and with _enforcing_ selinux mode, razor is using /razor-agent.log as the log file.

2. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H" (i.e. without defining specific home-directory) and with _permissive_ selinux mode, razor is using /root/.razor/razor-agent.log as the log file.

3. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H /etc/mail/spamassassin/home-dir/" and with _enforcing_ selinux mode, razor is using /etc/mail/spamassassin/home-dir/.razor/razor-agent.log as the log file.
I have to use "spamd_spool_t" context for "/etc/mail/spamassassin/home-dir(/.*)".

3. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H " and with _enforcing_ selinux mode, razor is using /razor-agent.log as the log file, even if I have used "spamd_spool_t" context for "/root/.razor(/.*)". Maybe the whole "home" directory have to be writable by spamd in order to be used for other component like razor and so on. But because it is not writable (as SELinux disallows to write to /root/ for spamd, it decides to not provide homedir for components - but this is only my explanation).

Currently the most acceptable choice is to have its own spamd explicit home directory where the razor log will be included as well on selinux enforcing system. Having razor-agent.log in the "/" directory is really not desirable state.

this case is follow of existing (closed) case BZ#514979

thank you

Comment 2 Kurt Seifried 2014-10-12 15:50:31 UTC

Bumping severity as this allows for DoS of root partition which may be small (e.g. cloud system).

Comment 3 Kurt Seifried 2014-10-12 15:52:48 UTC

Also this should probably be CLOSED DUPLICATE of Bz1058772

Comment 4 Kurt Seifried 2014-10-12 16:17:49 UTC

(In reply to Kurt Seifried from comment #3)
> Also this should probably be CLOSED DUPLICATE of Bz1058772

Whoops I take that back, I meant the other way around. Bz1058772 should be closed as a duplicate of this.

Comment 6 Michal Bruncko 2015-02-25 18:23:07 UTC

Why? Issue is still in place. The only problem what I see is that I am missing AVC record in audit.log for this issue. 

1. I have removed specific home-directory from /etc/sysconfig/spamassassin (it is not defined by default neither)
2. have enforcement mode enabled on system (setenforce 1)
3. restart spamd: /etc/init.d/spamassassin restart

immediatelly after restart /razor-agent.log file was created with contents:
Feb 25 19:16:37.939288 check[30902]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:razor-agent.log

for me, selinux is preventing to use/create "razor-agent.log" in /root/.razor/ directory (as effective user for spamd is "root" by default).

this issue needs to be resolved either with:
1. adjusting existing selinux rules for /root/.razor/ directory  (hope including /root directory)
or
2. changing/set explicit home directory for spamd daemon for using different directory with correct selinux permissions

this issue is pretty reproducible as well.

Comment 7 Milos Malik 2015-02-26 09:40:55 UTC

The razor-agent.log file is created in / even if I run the reproducer in permissive mode. But following AVCs appear (they did not appear in enforcing mode):
----
type=PATH msg=audit(02/26/2015 10:35:20.307:458) : item=1 name=/root/.razor inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE 
type=PATH msg=audit(02/26/2015 10:35:20.307:458) : item=0 name=/root/ inode=131077 dev=fc:03 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT 
type=CWD msg=audit(02/26/2015 10:35:20.307:458) :  cwd=/ 
type=SYSCALL msg=audit(02/26/2015 10:35:20.307:458) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x4511f00 a1=0755 a2=0x39f9742088 a3=0x10 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc:  denied  { create } for  pid=26040 comm=spamd name=.razor scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc:  denied  { add_name } for  pid=26040 comm=spamd name=.razor scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc:  denied  { write } for  pid=26040 comm=spamd name=root dev=vda3 ino=131077 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
----
type=PATH msg=audit(02/26/2015 10:35:20.722:459) : item=1 name=/root/.razor/servers.discovery.lst.lock inode=341920 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE 
type=PATH msg=audit(02/26/2015 10:35:20.722:459) : item=0 name=/root/.razor/ inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT 
type=CWD msg=audit(02/26/2015 10:35:20.722:459) :  cwd=/ 
type=SYSCALL msg=audit(02/26/2015 10:35:20.722:459) : arch=x86_64 syscall=open success=yes exit=9 a0=0x451deb0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x39f971dd50 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { write open } for  pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { create } for  pid=26040 comm=spamd name=servers.discovery.lst.lock scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { add_name } for  pid=26040 comm=spamd name=servers.discovery.lst.lock scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { write } for  pid=26040 comm=spamd name=.razor dev=vda3 ino=344223 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:460) : arch=x86_64 syscall=ioctl success=no exit=-25(Inappropriate ioctl for device) a0=0x9 a1=0x5401 a2=0x7fffb152f350 a3=0x48 items=0 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.723:460) : avc:  denied  { ioctl } for  pid=26040 comm=spamd path=/root/.razor/servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
----
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:461) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x9 a1=0x13890a0 a2=0x13890a0 a3=0x0 items=0 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.723:461) : avc:  denied  { getattr } for  pid=26040 comm=spamd path=/root/.razor/servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
----
type=PATH msg=audit(02/26/2015 10:35:20.723:462) : item=1 name=/root/.razor/servers.discovery.lst.lock inode=341920 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=DELETE 
type=PATH msg=audit(02/26/2015 10:35:20.723:462) : item=0 name=/root/.razor/ inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT 
type=CWD msg=audit(02/26/2015 10:35:20.723:462) :  cwd=/ 
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:462) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x451df40 a1=0x13890a0 a2=0x13890a0 a3=0x28 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.723:462) : avc:  denied  { unlink } for  pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(02/26/2015 10:35:20.723:462) : avc:  denied  { remove_name } for  pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
----

Comment 8 Michal Bruncko 2015-02-26 10:42:49 UTC

Yes, you're right. If /root/.razor/ directory does not exist, razor-agent.log will be created in root directory even in permissive mode. 
But once that directory exists it will be selected for storing razor-agent.log file.

Now if you remove /razor-agent.log and restart spamd daemon, file will be created in /root/.razor/ directory instead of root directory.

Comment 9 Michal Bruncko 2015-02-26 10:49:00 UTC

I see there two issues:
1. /root/.razor/ is created in permissive mode, but not used for storing razor-agent.log file after its creation (but every next restart of spamd daemon new directory /root/.razor/ will be used for storing razor-agent.log file in permissive mode). 
2. In enforcing selinux mode, /root/.razor/ directory will not be created and thus file razor-agent.log will be always stored in root directory instead.

Summary:
First issue is caused by razor part of spamassasin package (perl-Razor-Agent-2.85-6.el6.x86_64 package?)
Second issue is caused by selinux restrictions.