Bug 330561

Summary: SELinux prevents SpamAssassin from starting
Product: [Fedora] Fedora
Reporter: Jan Willem Huijbers <jan.willem>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 7
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-18 13:13:31 UTC

Description Jan Willem Huijbers 2007-10-13 09:38:32 UTC
Description of problem:
SELinux prevents SpamAssassin from starting

Version-Release number of selected component (if applicable):
Latest updated SELINUX policy Fedora 7

How reproducible:
start spamassassin
/etc/init.d/spamassassin start/restart
cat /var/log/messages

Actual results:
no spamd running and 
sealert -l 9a216d11-d62e-47f8-a7c4-cb8df0c62dcc

Expected results:
spamd running

Additional info:

[root@fedora-pc mail]# sealert -l 9a216d11-d62e-47f8-a7c4-cb8df0c62dcc
Summary
    SELinux is preventing spamd (spamd_t) "search" to mail
    (httpd_sys_content_t).

Detailed Description
    SELinux denied access requested by spamd. It is not expected that this
    access is required by spamd and this access may signal an intrusion attempt.
    It is also possible that the specific version or configuration of the
    application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for mail, restorecon -v mail If this
    does not work, there is currently no automatic way to allow this access.
    Instead,  you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                user_u:system_r:spamd_t
Target Context                system_u:object_r:httpd_sys_content_t
Target Objects                mail [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     fedora-pc.huijbers.net
Platform                      Linux fedora-pc.huijbers.net 2.6.22.9-91.fc7 #1
                              SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count                   8
First Seen                    Sat Oct 13 11:26:35 2007
Last Seen                     Sat Oct 13 11:30:07 2007
Local ID                      9a216d11-d62e-47f8-a7c4-cb8df0c62dcc
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0
exe="/usr/bin/perl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="mail" pid=3263
scontext=user_u:system_r:spamd_t:s0 sgid=0 subj=user_u:system_r:spamd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=(none)
uid=0

Comment 1 Daniel Walsh 2007-10-15 17:19:08 UTC
This says that spamd is searching a mail directory which is labeled
httpd_sys_content_t.

This looks like a labeling problem.  If you find the directory that is
mislabeled you will need to execute

restorecon -F -v mail



Comment 2 Jan Willem Huijbers 2007-10-15 18:36:52 UTC
You're correct; relabeling the etc/mail directory (and subdirs) fixed
this issue, but created a problem with squirrelmail sending mails through
sendmail. See bug 312181 for additional info on that.

Below are the "new" sealert messages when sending a message created in webmail:

Oct 15 20:28:51 fedora-pc setsebool: The httpd_can_sendmail policy boolean was changed to 1 by root
Oct 15 20:29:30 fedora-pc setroubleshoot:      SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).      For complete SELinux messages. run sealert -l b1d79fa7-d7f6-4b8c-b94e-3b43b60229bb
Oct 15 20:29:30 fedora-pc setroubleshoot:      SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files mail (etc_mail_t).      For complete SELinux messages. run sealert -l 5ce8af75-5ef0-4c33-a371-2f5067356977
Oct 15 20:29:30 fedora-pc setroubleshoot:      SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files mail (etc_mail_t).      For complete SELinux messages. run sealert -l 5ce8af75-5ef0-4c33-a371-2f5067356977
Oct 15 20:29:30 fedora-pc setroubleshoot:      SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files /etc/mail (etc_mail_t).      For complete SELinux messages. run sealert -l c605f30f-9512-4d7b-b7f7-a39d5f62cd74
Oct 15 20:29:30 fedora-pc setroubleshoot:      SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) "create" to <Unknown> (httpd_sys_script_t).      For complete SELinux messages. run sealert -l eec295ce-257d-4ce7-ac56-c771da1c854c


Comment 3 Daniel Walsh 2007-10-15 21:04:56 UTC
What is /usr/sbin/sendmail.sendmail labeled as?

matchpathcon /usr/sbin/sendmail.sendmail   

Seems like a transition is not happening here.

Could you attach your audit.log?

Comment 4 Jan Willem Huijbers 2007-10-16 05:35:18 UTC
[root@fedora-pc ~]# matchpathcon /usr/sbin/sendmail.sendmail
/usr/sbin/sendmail.sendmail     system_u:object_r:sendmail_exec_t

[root@fedora-pc ~]# tail -f /var/log/audit/audit.log
type=USER_ACCT msg=audit(1192512734.706:2885): user pid=3666 uid=0 
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: 
accounting acct=janwillem : exe="/usr/sbin/sshd" (hostname=chieftec-xp-
64.huijbers.net, addr=192.168.1.85, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1192512735.100:2886): user pid=3666 uid=0 
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred 
acct=janwillem : exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, 
addr=192.168.1.85, terminal=ssh res=success)'
type=LOGIN msg=audit(1192512735.139:2887): login pid=3666 uid=0 old 
auid=4294967295 new auid=500
type=USER_START msg=audit(1192512735.144:2888): user pid=3666 uid=0 auid=500 
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: session open 
acct=janwillem : exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, 
addr=192.168.1.85, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1192512735.150:2889): user pid=3668 uid=0 auid=500 
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred acct=janwillem : 
exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, addr=192.168.1.85, 
terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1192512735.189:2890): user pid=3666 uid=0 auid=500 
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" 
(hostname=chieftec-xp-64.huijbers.net, addr=192.168.1.85, terminal=/dev/pts/0 
res=success)'
type=USER_AUTH msg=audit(1192512740.470:2891): user pid=3697 uid=500 auid=500 
subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : 
exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1192512740.472:2892): user pid=3697 uid=500 auid=500 
subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting acct=root : 
exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1192512740.483:2893): user pid=3697 uid=500 auid=500 
subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct=root : 
exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1192512740.485:2894): user pid=3697 uid=500 auid=500 
subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=root : 
exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_AUTH msg=audit(1192512858.798:2895): user pid=3739 uid=0 
auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: 
authentication acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" 
(hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1192512858.808:2896): user pid=3739 uid=0 
auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting 
acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, 
addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_AUTH msg=audit(1192512859.331:2897): user pid=3743 uid=0 
auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: 
authentication acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" 
(hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1192512859.340:2898): user pid=3743 uid=0 
auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting 
acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, 
addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_AUTH msg=audit(1192512859.637:2899): user pid=3750 uid=0 
auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: 
authentication acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" 
(hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1192512859.645:2900): user pid=3750 uid=0 
auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting 
acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, 
addr=127.0.0.1, terminal=dovecot res=success)'
type=AVC msg=audit(1192512878.561:2901): avc:  denied  { read write } for  
pid=3757 comm="sendmail" name="[eventpoll]" dev=anon_inodefs ino=270 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1192512878.561:2901): arch=40000003 syscall=11 
success=yes exit=0 a0=839dda0 a1=839e120 a2=839dea0 a3=40 items=0 ppid=2503 
pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 
fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC_PATH msg=audit(1192512878.561:2901):  path="anon_inode:[eventpoll]"
type=AVC msg=audit(1192512878.579:2902): avc:  denied  { search } for  pid=3757 
comm="sendmail" name="mail" dev=dm-0 ino=36930447 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.579:2902): arch=40000003 syscall=195 
success=no exit=-13 a0=800f81c0 a1=bfdee3c0 a2=5ecff4 a3=3 items=0 ppid=2503 
pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 
fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1192512878.582:2903): avc:  denied  { search } for  pid=3757 
comm="sendmail" name="mail" dev=dm-0 ino=36930447 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.582:2903): arch=40000003 syscall=195 
success=no exit=-13 a0=bfde9988 a1=bfde9820 a2=5ecff4 a3=3 items=0 ppid=2503 
pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 
fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1192512878.584:2904): avc:  denied  { getattr } for  
pid=3757 comm="sendmail" name="mail" dev=dm-0 ino=36930447 
scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.584:2904): arch=40000003 syscall=196 
success=no exit=-13 a0=bfdd4878 a1=bfdc0760 a2=5ecff4 a3=3 items=0 ppid=2503 
pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 
fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC_PATH msg=audit(1192512878.584:2904):  path="/etc/mail"
type=AVC msg=audit(1192512878.587:2905): avc:  denied  { create } for  pid=3757 
comm="sendmail" scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1192512878.587:2905): arch=40000003 syscall=102 
success=no exit=-13 a0=1 a1=bfdea088 a2=5ecff4 a3=14 items=0 ppid=2503 pid=3757 
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 
tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)



Comment 5 Daniel Walsh 2007-10-17 18:26:59 UTC
ls -lZ /usr/sbin/sendmail.sendmail



Comment 6 Jan Willem Huijbers 2007-10-18 05:09:38 UTC
[janwillem@fedora-pc ~]$ ls -lZ /usr/sbin/sendmail.sendmail
-rwxr-sr-x  root smmsp system_u:object_r:httpd_sys_content_t /usr/sbin/sendmail.sendmail


Comment 7 Daniel Walsh 2007-10-18 13:13:31 UTC
# restorecon -F -v /usr/sbin/sendmail.sendmail
File should be labeled 

/usr/sbin/sendmail.sendmail     system_u:object_r:sendmail_exec_t

The file is labeled incorrectly.  

If a setroubleshoot plugin told you to label this this way, please report that
as a bug on setroubleshoot.
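
Added example (not part of the original bug thread, and not code from setroubleshoot or the SELinux policy project): the triage done across comments 3 to 7, as a script. It joins each AVC denial to its SYSCALL record by audit event id, which shows /usr/sbin/sendmail.sendmail running in httpd_sys_script_t, then compares the matchpathcon default with the ls -lZ on-disk label. The sample records are constructed by shortening lines from comment 4; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: three events shortened from the audit.log in comment 4.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1192512878.579:2902): avc:  denied  { search } for  pid=3757 comm="sendmail" name="mail" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.579:2902): syscall=195 success=no exit=-13 pid=3757 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0
type=AVC msg=audit(1192512878.584:2904): avc:  denied  { getattr } for  pid=3757 comm="sendmail" name="mail" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.584:2904): syscall=196 success=no exit=-13 pid=3757 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0
type=AVC msg=audit(1192512878.587:2905): avc:  denied  { create } for  pid=3757 comm="sendmail" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1192512878.587:2905): syscall=102 success=no exit=-13 pid=3757 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0
"""
EVENT_RE = re.compile(r'msg=audit\((?P<id>[\d.]+:\d+)\)')
EXE_RE = re.compile(r'exe="(?P<exe>[^"]+)"')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
                    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (exe, source type, target type, class) -> set of denied permissions."""
    exe_by_event, avcs = {}, []
    for line in log_text.splitlines():
        event = EVENT_RE.search(line)
        if not event:
            continue
        if line.startswith("type=SYSCALL") and (m := EXE_RE.search(line)):
            exe_by_event[event["id"]] = m["exe"]   # exe is only in the SYSCALL record
        elif line.startswith("type=AVC ") and (m := AVC_RE.search(line)):
            avcs.append((event["id"], m))
    summary = defaultdict(set)
    for event_id, m in avcs:                       # join AVC to SYSCALL on event id
        key = (exe_by_event.get(event_id, "?"), selinux_type(m["s"]),
               selinux_type(m["t"]), m["cls"])
        summary[key].update(m["perms"].split())
    return dict(summary)

def label_mismatch(matchpathcon_line, ls_z_line):
    """Return (expected, on-disk) types if they differ, else None."""
    expected = selinux_type(matchpathcon_line.split()[1])
    on_disk = selinux_type(next(f for f in ls_z_line.split() if f.count(":") >= 2))
    return (expected, on_disk) if expected != on_disk else None

if __name__ == "__main__":
    for key, perms in summarize_denials(SAMPLE_AUDIT).items():
        print(key, sorted(perms))
    print(label_mismatch("/usr/sbin/sendmail.sendmail     system_u:object_r:sendmail_exec_t",
                         "-rwxr-sr-x  root smmsp system_u:object_r:httpd_sys_content_t /usr/sbin/sendmail.sendmail"))
```

A source type that belongs to the caller (httpd_sys_script_t) rather than to the executable's own domain is the sign of the missing transition noted in comment 3; the label comparison then points at the file to fix with restorecon.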