Bug 410781

Summary: Selinux-policy preventing spamassassin from accessing home directory
Product: Red Hat Enterprise Linux 5
Reporter: Todd Taft <taft>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: 5.1
CC: ebenes
Target Milestone: rc
Hardware: i686
OS: Linux
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:06:14 UTC

Description Todd Taft 2007-12-04 18:06:10 UTC

Comment 1 Todd Taft 2007-12-04 18:20:35 UTC
Didn't mean to hit submit yet.  Let's try again:

Relevant package versions:
selinux-policy-2.4.6-106.el5_1.3
spamassassin-3.1.8-2.el5

Detailed description:
user home directory is local to mail server.
user does not have a ~/.spamassassin directory

spamd is running

spamassassin is called from /etc/procmailrc by:
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc

# getsebool spamd_enable_home_dirs
spamd_enable_home_dirs --> on

~/.spamassassin (and files below it) are not created
Selinux alert is created (see below)


Expected results:
~/.spamassassin created
No selinux alert

Error message from setroubleshoot:
Summary
    SELinux is preventing the spamd daemon from reading users home directories.

Detailed Description
    SELinux has denied the spamd daemon access to users home directories.
    Someone is attempting to access your home directories via your spamd daemon.
    If you only setup spamd to share non home directories, this probably signals
    a intrusion attempt.

Allowing Access
    If you want spamd to share home directories you need to turn on the
    spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"

    The following command will allow this access:
    setsebool -P spamd_enable_home_dirs=1

Additional Information        

Source Context                system_u:system_r:spamd_t
Target Context                system_u:object_r:user_home_dir_t
Target Objects                user_prefs [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.spamd_enable_home_dirs
Host Name                     host.example.com
Platform                      Linux host.example.com 2.6.18-53.1.4.el5 #1 SMP
                              Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count                   22780
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2809
scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0
suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none)
uid=0



Comment 2 Daniel Walsh 2007-12-05 13:50:36 UTC
This avc looks like spamd is trying to create the file user_prefs in a directory
labeled user_home_dir_t?  user_prefs is usually created in the .spamassassin
directory which should be labeled user_spamassassin_home_t.  Are you sure this
directory was not there?  Can you run rm -rf ~/.spamassasin and try it again
to see if the labeling gets done correctly?
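
Added example, not part of the bug thread or of any Red Hat tooling: a small Python parser for the AVC record posted in Comment 1 that pulls out the fields Comment 2 reasons about (source domain, target type, object class and name). The function names and the `_dir_t` suffix heuristic are assumptions made for this illustration.

```python
import re

# AVC record copied from Comment 1 of this report (wrapped lines joined).
SAMPLE_AVC = (
    'avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2809 '
    'scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0 '
    'suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none) uid=0'
)

def parse_avc(record):
    """Return the permissions and key=value fields of one AVC line, or None."""
    head = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', record)
    if head is None:
        return None
    fields = {k: v.strip('"') for k, v in
              re.findall(r'(\w+)=("[^"]*"|\S+)', record[head.end():])}
    fields["result"] = head.group(1)
    fields["perms"] = head.group(2).split()
    return fields

def context_type(context):
    """Extract the type from user:role:type[:level]; None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(record):
    """Summarise a denial and flag the pattern discussed in Comment 2."""
    avc = parse_avc(record)
    if avc is None or "scontext" not in avc or "tcontext" not in avc:
        return None
    target = context_type(avc["tcontext"])
    # A new file inherits its parent directory's type unless policy defines a
    # type transition. A *file* create whose target type is a directory type
    # (assumed here to end in "_dir_t") therefore means no transition matched:
    # the file is being created directly in a directory with that label.
    inherited = ("create" in avc["perms"] and avc.get("tclass") == "file"
                 and target is not None and target.endswith("_dir_t"))
    return {
        "domain": context_type(avc["scontext"]),
        "target_type": target,
        "object": avc.get("name"),
        "perms": avc["perms"],
        "inherited_dir_label": inherited,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```

For the record above, `inherited_dir_label` is true: the denied object is a file named user_prefs whose computed label is the home directory type, not the user_spamassassin_home_t label Comment 2 expects.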

Comment 3 Todd Taft 2007-12-06 21:22:34 UTC
I don't have a ~/.spamassassin directory.  My home directory itself is labeled
user_home_dir_t.

[~]$ ls -ldZ ~
drwx------  taft taft system_u:object_r:user_home_dir_t /home/taft
[~]$ ls -ldZ ~/.spamassasin
ls: /home/taft/.spamassasin: No such file or directory


Comment 4 Daniel Walsh 2008-02-26 22:40:51 UTC
Fixed in selinux-policy-2.4.6-121.el5

Comment 5 RHEL Program Management 2008-03-05 22:07:25 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 9 Todd Taft 2008-04-01 00:54:36 UTC
I've upgraded, and I'm still having the same issue.  Am I missing something?

From setroubleshoot:

Summary
    SELinux is preventing the spamd daemon from reading users home directories.

Detailed Description
    SELinux has denied the spamd daemon access to users home directories.
    Someone is attempting to access your home directories via your spamd daemon.
    If you only setup spamd to share non home directories, this probably signals
    a intrusion attempt.

Allowing Access
    If you want spamd to share home directories you need to turn on the
    spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"

    The following command will allow this access:
    setsebool -P spamd_enable_home_dirs=1

Additional Information        

Source Context                system_u:system_r:spamd_t
Target Context                system_u:object_r:user_home_dir_t
Target Objects                user_prefs [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-121.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.spamd_enable_home_dirs
Host Name                     host.example.com
Platform                      Linux host.example.com 2.6.18-53.1.14.el5 #1
                              SMP Wed Mar 5 11:36:49 EST 2008 i686 i686
Alert Count                   77990
Line Numbers                  

Raw Audit Messages            
avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2812
scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0
suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none)
uid=0



[~]$ rpm -qa |grep selinux
libselinux-python-1.33.4-5.el5
selinux-policy-strict-2.4.6-121.el5
libselinux-1.33.4-5.el5
selinux-policy-mls-2.4.6-121.el5
selinux-policy-2.4.6-121.el5
selinux-policy-devel-2.4.6-121.el5
selinux-policy-targeted-2.4.6-121.el5
libselinux-devel-1.33.4-5.el5

[~]$ rpm -qa |grep spam
spamass-milter-0.3.1-1.el5.rf
spamassassin-3.2.4-1.el5

[~]$ ls -ldZ ~taft
drwx------  taft taft system_u:object_r:user_home_dir_t /home/taft
[~]$ ls -ldZ ~taft/.spam*
ls: /home/taft/.spam*: No such file or directory

[~]# getsebool spamd_enable_home_dirs
spamd_enable_home_dirs --> on


Comment 10 Daniel Walsh 2008-04-01 05:41:30 UTC
It looks like it is trying to create the file user_prefs in a directory labeled
user_home_dir_t.  SpamAssassin should have created a directory called
.spamassassin which would be labeled user_home_t and the user_prefs could be
created in that directory as user_home_t?

Do you have some kind of configuration change to create user_prefs directly in
/home/taft?


Comment 11 Todd Taft 2008-04-05 04:22:30 UTC
I didn't think I had changed any configurations that would affect the location
of files:
[root@platypus ~]# rpm -V spamassassin
S.5....T c /etc/cron.d/sa-update

Comment 12 Daniel Walsh 2008-04-06 09:43:16 UTC
If you run in permissive mode, where does the file get created?

Comment 14 Todd Taft 2008-04-16 21:54:15 UTC
In /root/.spamassassin/user_prefs

I'm not sure why it got created there, but it did make the /root/.spamassassin
directory.

Mail to root is forwarded to taft in /etc/aliases, but I'm still not sure why
the file would be created in root's homedir rather than mine.

I suppose I have an issue with both selinux and spamassassin...



Comment 15 Daniel Walsh 2008-04-17 14:39:15 UTC
I think this is a configuration problem, or some strange behavior, anyways.  I
do not believe this is standard.

Comment 18 errata-xmlrpc 2008-05-21 16:06:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html