Bug 128780
| Summary: | Spamassassin does not work when SELinux is enforcing strict policy | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | W. Michael Petullo <redhat> | ||||
| Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | rawhide | CC: | felicity, k.georgiou, reg+redhat, wtogami | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2005-05-20 09:33:26 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 123268, 133471, 136451 | ||||||
| Attachments: |
|
||||||
Created attachment 103205 [details]
A more complete log
This log was captured while running spamassassin and
selinux-policy-strict-1.17.4-2.
this looks like a bug in the SELinux policy that is blocking reads/writes/etc., rather than a bug in Spamassassin. Spamassassin still does not like selinux-policy-strict as of 1.17.26-1. When using selinux-policy-strict-1.17.30-2, I get:
Oct 20 21:26:12 imp kernel: audit(1098325572.691:0): avc: denied {
execute } for pid=26825 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Oct 20 21:26:12 imp kernel: audit(1098325572.695:0): avc: denied {
read } for pid=26825 exe=/bin/bash name=spamassassin dev=dm-0
ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Fixed in selinux-policy-strict-1.23.15-5 |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7) Gecko/20040625 Epiphany/1.2.6 Description of problem: Procmail causes the following errors to be logged when it tries to process email through spamassassin: Jul 29 09:51:39 imp kernel: audit(1091112699.349:0): avc: denied { setrlimit } for pid=2739 exe=/usr/bin/fetchmail scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process Jul 29 09:51:43 imp kernel: audit(1091112703.800:0): avc: denied { execute } for pid=2748 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file Jul 29 09:51:43 imp kernel: audit(1091112703.865:0): avc: denied { execute } for pid=2752 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file Jul 29 09:51:43 imp kernel: audit(1091112703.877:0): avc: denied { read } for pid=2748 exe=/bin/bash name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file Jul 29 09:51:43 imp kernel: audit(1091112703.950:0): avc: denied { read } for pid=2752 exe=/bin/bash name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file Jul 29 09:51:44 imp kernel: audit(1091112704.227:0): avc: denied { execute } for pid=2755 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file Jul 29 09:51:44 imp kernel: audit(1091112704.259:0): avc: denied { read } for pid=2755 exe=/bin/bash name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file I have configured procmail to use spamassassin by adding the following to /etc/procmailrc: INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc Version-Release number of selected component (if applicable): spamassassin-3.0-2.pre1 How reproducible: Always Steps to Reproduce: Configure procmail to filter mail through spamassassin. Actual Results: The SELinux policy causes the execution of spamassassin by procmail to fail. Additional info: