Bug 1398437

Summary: SELinux is preventing 7370616D64206368696C64 from search access on the directory mail.
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 25
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, redhat-bugzilla, ssekidde
Target Milestone: ---
Keywords: CommonBugs
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: https://fedoraproject.org/wiki/Common_F25_bugs#spamd-selinux-varspoolmail
Fixed In Version: selinux-policy-3.13.1-225.1.fc25
Doc Type: If docs needed, set a value
Last Closed: 2016-12-08 18:23:14 UTC
Type: Bug

Description Adam Williamson 2016-11-24 21:26:31 UTC
Description of problem:

Normal system boot of my mail server after Fedora 25 upgrade. Note: I'm manually filing a report in sealert style, since I can't figure out how to do it with sealert without a GUI. The process here seems to be a spamd child or something. The directory is probably /var/spool/mail .

SELinux is preventing 7370616D64206368696C64 from search access on the directory mail.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that 7370616D64206368696C64 should be allowed search access on the mail directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '7370616D64206368696C64' --raw | audit2allow -M my-7370616D64206368696C64
# semodule -X 300 -i my-7370616D64206368696C64.pp


Additional Information:
Source Context                system_u:system_r:spamd_t:s0
Target Context                system_u:object_r:mail_spool_t:s0
Target Objects                mail [ dir ]
Source                        7370616D64206368696C64
Source Path                   7370616D64206368696C64
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     mail.happyassassin.net
Platform                      Linux mail.happyassassin.net 4.8.8-300.fc25.x86_64
                              #1 SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   7
First Seen                    2016-11-24 12:44:49 PST
Last Seen                     2016-11-24 12:44:49 PST
Local ID                      fb61201d-0cb2-43e1-bfaf-260e1673d888

Raw Audit Messages
type=AVC msg=audit(1480020289.305:330): avc:  denied  { search } for  pid=753 comm=7370616D64206368696C64 name="mail" dev="vda3" ino=130571 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0


Hash: 7370616D64206368696C64,spamd_t,mail_spool_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Comment 1 Adam Williamson 2016-11-24 21:35:16 UTC
There's several similar ones after:

----

SELinux is preventing 7370616D64206368696C64 from open access on the file /var/spool/mail/.spamassassin/user_prefs.

type=AVC msg=audit(1480020849.670:460): avc:  denied  { open } for  pid=753 comm=7370616D64206368696C64 path="/var/spool/mail/.spamassassin/user_prefs" dev="vda3" ino=182572 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1

----

SELinux is preventing 7370616D64206368696C64 from read access on the directory .razor.

type=AVC msg=audit(1480021083.641:504): avc:  denied  { read } for  pid=753 comm=7370616D64206368696C64 name=".razor" dev="vda3" ino=255524 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=1

----

SELinux is preventing 7370616D64206368696C64 from open access on the directory /var/spool/mail/.razor.

type=AVC msg=audit(1480021015.40:497): avc:  denied  { open } for  pid=753 comm=7370616D64206368696C64 path="/var/spool/mail/.razor" dev="vda3" ino=255524 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=1

----

SELinux is preventing 7370616D64206368696C64 from ioctl access on the file /var/spool/mail/.spamassassin/user_prefs.

type=AVC msg=audit(1480020858.737:476): avc:  denied  { ioctl } for  pid=753 comm=7370616D64206368696C64 path="/var/spool/mail/.spamassassin/user_prefs" dev="vda3" ino=182572 ioctlcmd=0x5401 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1

----

SELinux is preventing 7370616D64206368696C64 from create access on the file servers.discovery.lst.lock.

type=AVC msg=audit(1480020850.195:468): avc:  denied  { create } for  pid=753 comm=7370616D64206368696C64 name="servers.discovery.lst.lock" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1

----

SELinux is preventing 7370616D64206368696C64 from read access on the file user_prefs.

type=AVC msg=audit(1480021014.862:491): avc:  denied  { read } for  pid=753 comm=7370616D64206368696C64 name="user_prefs" dev="vda3" ino=182572 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1

----

SELinux is preventing 7370616D64206368696C64 from append access on the file razor-agent.log.

type=AVC msg=audit(1480021015.40:495): avc:  denied  { append } for  pid=753 comm=7370616D64206368696C64 name="razor-agent.log" dev="vda3" ino=135377 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1

----

SELinux is preventing 7370616D64206368696C64 from getattr access on the directory /var/spool/mail/.razor.

type=AVC msg=audit(1480020869.420:478): avc:  denied  { getattr } for  pid=754 comm=7370616D64206368696C64 path="/var/spool/mail/.razor" dev="vda3" ino=255524 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=1

----

etc etc - basically it seems like spamd (spamassassin) ought to be allowed to do stuff to /var/spool/mail .
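
Added example, not part of the original report or of any Fedora tooling: the Linux audit subsystem hex-encodes string fields such as `comm` when they contain spaces, which is why the process name above appears as `7370616D64206368696C64`. The Python sketch below parses four of the AVC records quoted in this bug, decodes that field, and groups the denied permissions by source type, target type and object class; the function names are this example's own.

```python
import re
from collections import defaultdict

# Four AVC records copied verbatim from this report.
SAMPLE = '''\
type=AVC msg=audit(1480020289.305:330): avc:  denied  { search } for  pid=753 comm=7370616D64206368696C64 name="mail" dev="vda3" ino=130571 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1480020849.670:460): avc:  denied  { open } for  pid=753 comm=7370616D64206368696C64 path="/var/spool/mail/.spamassassin/user_prefs" dev="vda3" ino=182572 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1
type=AVC msg=audit(1480021083.641:504): avc:  denied  { read } for  pid=753 comm=7370616D64206368696C64 name=".razor" dev="vda3" ino=255524 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1480020850.195:468): avc:  denied  { create } for  pid=753 comm=7370616D64206368696C64 name="servers.discovery.lst.lock" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
# Only these fields carry untrusted strings that audit may hex-encode;
# numeric fields such as ino= must never be run through the hex decoder.
ENCODED_FIELDS = {"comm", "name", "path"}

def decode_audit_value(value):
    """Quoted values are literal; an unquoted even-length hex run is encoded bytes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = decode_audit_value(value) if key in ENCODED_FIELDS else value
    return rec

def summarize(text):
    """Map (source type, target type, class) to the sorted denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
            rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}

if __name__ == "__main__":
    print(parse_avc(SAMPLE.splitlines()[0])["comm"])
    for key, perms in summarize(SAMPLE).items():
        print(key, perms)
```

On a live system, `ausearch -i` performs the same decoding of hex-encoded fields.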

Comment 2 Fedora Update System 2016-11-29 17:04:42 UTC
selinux-policy-3.13.1-225.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768

Comment 3 Fedora Update System 2016-12-03 04:31:55 UTC
selinux-policy-3.13.1-225.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768

Comment 4 Fedora Update System 2016-12-05 17:03:14 UTC
selinux-policy-3.13.1-225.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

Comment 5 Fedora Update System 2016-12-07 02:26:07 UTC
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

Comment 6 Fedora Update System 2016-12-08 18:23:14 UTC
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.