Bug 1823061

Summary: pyzor wants to access /proc/net/unix
Product: [Fedora] Fedora Reporter: Laurent Jacquot <jk>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 31CC: dwalsh, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-05 02:40:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Laurent Jacquot 2020-04-11 09:55:46 UTC 
This is f31 fully updated

The package pyzor, used for checking mails to avoid spam, wants to access /proc/net when used from procmail:

# grep spamc /etc/procmailrc 
| /usr/bin/spamc -u $USER -d 127.0.0.1 -p 783

spamassassin is configured to uses pyzor:
# grep pyzor /etc/mail/spamassassin/local.cf 
use_pyzor 1
pyzor_timeout 20

# grep Pyzor /etc/mail/spamassassin/v310.pre 
loadplugin Mail::SpamAssassin::Plugin::Pyzor

but then each time a mail is checked there is this avc:
# ausearch -m avc -su spamc_t -ts 07/04/2020 |tail -1
type=AVC msg=audit(1586353691.120:6538): avc:  denied  { read } for  pid=343477 comm="pyzor" name="unix" dev="proc" ino=4026532056 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

# ll -i /proc/net/unix 
4026532056 -r--r--r--. 1 root root 0 11 avril 11:52 /proc/net/unix

this custom module stops those avc, but maybe a don't audit rules is better?

# cat selinux/localSpam.te

require {
	type proc_net_t;
	type spamc_t;
	class file read;
}

#============= spamc_t ==============
allow spamc_t proc_net_t:file read;

regards
Laurent Jacquot
Comment 1 Zdenek Pytela 2020-04-16 10:32:00 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/235
Comment 2 Lukas Vrabec 2020-04-16 10:41:55 UTC 
commit 14d69bd0bab57b057a1cb94fcf150fdeee0c98c4 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Thu Apr 16 12:27:10 2020 +0200

    Allow spamc_t domain to read network state
    
    Resolves: rhbz#1823061


Backported to F32 and F31.
Comment 3 Fedora Update System 2020-05-20 13:47:40 UTC 
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c
Comment 4 Fedora Update System 2020-05-21 04:16:18 UTC 
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2020-06-05 02:40:03 UTC 
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.