Bug 1414366

Summary: avc: denied { search } for pid=3096 comm="spamassassin" name=".maildir" dev="dm-13" ino=13107213 scontext=system_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0
Product: Fedora
Component: selinux-policy
Version: 26
Status: CLOSED ERRATA
Reporter: Dan Callaghan <dcallagh>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, ssekidde
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-260.17.fc26
Type: Bug
Last Closed: 2017-12-19 21:33:09 UTC

Description Dan Callaghan 2017-01-18 10:47:08 UTC
Description of problem:
spamassassin crashes due to SELinux denials when it's invoked through procmail.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-225.6.fc25.noarch
spamassassin-3.4.1-9.fc25.x86_64
procmail-3.22-39.fc24.x86_64
postfix-2:3.1.4-1.fc25.x86_64

How reproducible:
maybe not that easily...

Steps to Reproduce:
1. In /etc/postfix/main.cfg set: mailbox_command = /usr/bin/procmail
2. In ~/.procmailrc add a rule to filter through spamassassin:
:0 f
| /usr/bin/spamassassin
3. Receive a mail
(Note that there might be simpler ways to get spamassassin inside spamc_t than doing steps 1 and 2 above, not sure. Obviously the denial does not reproduce when spamassassin is invoked directly from unconfined_t.)

Actual results:
spamassassin crashes with many "Permission denied" errors, and then the mail is lost (written as 0 bytes).

Jan 18 20:09:30.450 [3096] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 43) line 1.
Jan 18 20:09:30.451 [3096] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AWL.pm: lib/Mail/SpamAssassin/Plugin/AWL.pm: Permission denied at (eval 44) line 1.
[...]
Can't locate Mail/SpamAssassin/Bayes.pm:   lib/Mail/SpamAssassin/Bayes.pm: Permission denied at /usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm line 1772. at /usr/bin/spamassassin line 410.

Expected results:
spamassassin should run successfully.

Additional info:
If I do semodule -DB to turn off dontaudit rules, audit.log shows many identical denials like this, which I assume are the cause:

type=AVC msg=audit(1484734170.395:476): avc:  denied  { search } for  pid=3096 comm="spamassassin" name=".maildir" dev="dm-13" ino=13107213 scontext=system_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0

Note that this seems to be a regression from F23->F25. The identical configuration worked on F23, specifically with the following packages:
selinux-policy-3.13.1-158.24.fc23.noarch
procmail-3.22-38.fc23.x86_64
postfix-2:3.0.7-1.fc23.x86_64
spamassassin-3.4.1-6.fc23.x86_64
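
The report's workflow (disable dontaudit rules with semodule -DB, read the AVC records out of audit.log, decide what policy change they imply; semodule -B turns dontaudit back on afterwards) is usually done with audit2allow, but it is worth seeing what that tool actually does with a line like the one above. The following parser is an added example for this page, not code from the bug report or from the selinux-policy project. The first AVC line in SAMPLE_AUDIT is the denial quoted in the report; the second and third AVC lines and the SYSCALL line are constructed to show de-duplication, permission merging and record filtering. The generated allow rules are the minimal change that would silence the denials, which is not the same as the right fix (a mislabelled file, a missing boolean, or an interface such as the one the Fedora policy update presumably used are all alternatives).

```python
"""Parse SELinux AVC denial records and collapse them into the allow rules
audit2allow would propose.  Added example; not from the report or project."""
import re
from collections import defaultdict

# First line: the denial quoted in the bug report.  Lines 2-4: constructed
# for illustration (a repeat of the same denial, a two-permission denial on
# a file, and a non-AVC record that must be ignored).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1484734170.395:476): avc:  denied  { search } for  pid=3096 comm="spamassassin" name=".maildir" dev="dm-13" ino=13107213 scontext=system_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484734170.396:477): avc:  denied  { search } for  pid=3096 comm="spamassassin" name=".maildir" dev="dm-13" ino=13107213 scontext=system_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1484734170.400:478): avc:  denied  { read open } for  pid=3096 comm="spamassassin" name="user_prefs" dev="dm-13" ino=13107300 scontext=system_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1484734170.395:476): arch=c000003e syscall=4 success=no exit=-13 comm="spamassassin"
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type of a user:role:type[:range] context.  The MLS range can
    itself contain colons (s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = m.group("perms").split()
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def allow_rules(lines):
    """One allow rule per (source type, target type, object class), with the
    denied permissions merged, i.e. the shape audit2allow emits."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if rec["stype"] is None or rec["ttype"] is None or "tclass" not in rec:
            continue
        wanted[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT.splitlines()):
        print(rule)
```

Run against a real log with `allow_rules(open("/var/log/audit/audit.log").readlines())`; the point of collapsing on (source, target, class) rather than on pid or inode is that the two .maildir records above are the same policy gap, and a rule list that repeats them hides how few distinct gaps there are.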

Comment 1 Fedora End Of Life 2017-11-16 18:35:43 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 2 Dan Callaghan 2017-11-20 05:57:57 UTC
Still happens with selinux-policy-targeted-3.13.1-260.13.fc26.noarch.

Comment 3 Fedora Update System 2017-11-21 16:21:37 UTC
selinux-policy-3.13.1-260.17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7

Comment 4 Fedora Update System 2017-11-21 16:23:39 UTC
selinux-policy-3.13.1-260.17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7

Comment 5 Fedora Update System 2017-11-22 11:08:13 UTC
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7

Comment 6 Fedora Update System 2017-12-19 21:33:09 UTC
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.