Bug 128780

Summary: Spamassassin does not work when SELinux is enforcing strict policy
Product: [Fedora] Fedora Reporter: W. Michael Petullo <redhat>
Component: selinux-policy-strictAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: felicity, k.georgiou, reg+redhat, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-20 09:33:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 123268, 133471, 136451    
Attachments:
Description Flags
A more complete log none

Description W. Michael Petullo 2004-07-29 15:08:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7)
Gecko/20040625 Epiphany/1.2.6

Description of problem:
Procmail causes the following errors to be logged when it tries to
process email through spamassassin:

Jul 29 09:51:39 imp kernel: audit(1091112699.349:0): avc:  denied  {
setrlimit } for  pid=2739 exe=/usr/bin/fetchmail
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
Jul 29 09:51:43 imp kernel: audit(1091112703.800:0): avc:  denied  {
execute } for  pid=2748 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.865:0): avc:  denied  {
execute } for  pid=2752 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.877:0): avc:  denied  {
read } for  pid=2748 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.950:0): avc:  denied  {
read } for  pid=2752 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.227:0): avc:  denied  {
execute } for  pid=2755 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.259:0): avc:  denied  {
read } for  pid=2755 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file

I have configured procmail to use spamassassin by adding the following
to /etc/procmailrc:

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

Version-Release number of selected component (if applicable):
spamassassin-3.0-2.pre1

How reproducible:
Always

Steps to Reproduce:
Configure procmail to filter mail through spamassassin.
    

Actual Results:  The SELinux policy causes the execution of
spamassassin by procmail to fail.

Additional info:

Comment 1 W. Michael Petullo 2004-08-28 15:25:01 UTC
Created attachment 103205 [details]
A more complete log

This log was captured while running spamassassin and
selinux-policy-strict-1.17.4-2.

Comment 2 Justin Mason 2004-08-31 19:47:36 UTC
this looks like a bug in the SELinux policy that is blocking
reads/writes/etc., rather than a bug in Spamassassin.

Comment 3 W. Michael Petullo 2004-10-03 22:13:26 UTC
Spamassassin still does not like selinux-policy-strict as of 1.17.26-1.  

Comment 4 W. Michael Petullo 2004-10-21 02:28:26 UTC
When using selinux-policy-strict-1.17.30-2, I get:

Oct 20 21:26:12 imp kernel: audit(1098325572.691:0): avc:  denied  {
execute } for  pid=26825 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Oct 20 21:26:12 imp kernel: audit(1098325572.695:0): avc:  denied  {
read } for  pid=26825 exe=/bin/bash name=spamassassin dev=dm-0
ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file

Comment 5 Daniel Walsh 2005-05-12 19:59:20 UTC
Fixed in selinux-policy-strict-1.23.15-5