Bug 410781
Summary: | Selinux-policy preventing spamassassin from accessing home directory | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Todd Taft <taft> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 5.1 | CC: | ebenes |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | RHBA-2008-0465 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-05-21 16:06:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Todd Taft
2007-12-04 18:06:10 UTC
Didn't mean to hit submit yet. Let's try again: Relevant package versions: selinux-policy-2.4.6-106.el5_1.3 spamassassin-3.1.8-2.el5 Detailed description: user home directory is local to mail server. user does not have a ~/.spamassassin directory spamd is running spamassassin is called from /etc/procmailrc by: INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc # getsebool spamd_enable_home_dirs spamd_enable_home_dirs --> on ~/.spamassassin (and files below it) are not created Selinux alert is created (see below) Expected results: ~/.spamassassin created No selinux alert Error message from setroubleshoot: Summary SELinux is preventing the spamd daemon from reading users home directories. Detailed Description SELinux has denied the spamd daemon access to users home directories. Someone is attempting to access your home directories via your spamd daemon. If you only setup spamd to share non home directories, this probably signals a intrusion attempt. Allowing Access If you want spamd to share home directories you need to turn on the spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1" The following command will allow this access: setsebool -P spamd_enable_home_dirs=1 Additional Information Source Context system_u:system_r:spamd_t Target Context system_u:object_r:user_home_dir_t Target Objects user_prefs [ file ] Affected RPM Packages Policy RPM selinux-policy-2.4.6-106.el5_1.3 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.spamd_enable_home_dirs Host Name host.example.com Platform Linux host.example.com 2.6.18-53.1.4.el5 #1 SMP Fri Nov 30 00:45:16 EST 2007 i686 i686 Alert Count 22780 Line Numbers Raw Audit Messages avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2809 scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none) uid=0 This avc looks like spamd is trying to create the file user_prefs in a directory labeled user_home_dir_t? user_prefs is usually created in the .spamassassin directroy which should be labeled user_spamassassin_home_t. Are you sure this directory was not there? Can you remove rm -rf ~/.spamassasin And try it again to see if the labeling gets done correctly I don't have a ~/.spamassassin directory. My home directory itself is labeled user_home_dir_t. [~]$ ls -ldZ ~ drwx------ taft taft system_u:object_r:user_home_dir_t /home/taft [~]$ ls -ldZ ~/.spamassasin ls: /home/taft/.spamassasin: No such file or directory Fixed in selinux-policy-2.4.6-121.el5 This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. I've upgraded, and I'm still having the same issue. Am I missing something? From setroubleshoot: Summary SELinux is preventing the spamd daemon from reading users home directories. Detailed Description SELinux has denied the spamd daemon access to users home directories. Someone is attempting to access your home directories via your spamd daemon. If you only setup spamd to share non home directories, this probably signals a intrusion attempt. Allowing Access If you want spamd to share home directories you need to turn on the spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1" The following command will allow this access: setsebool -P spamd_enable_home_dirs=1 Additional Information Source Context system_u:system_r:spamd_t Target Context system_u:object_r:user_home_dir_t Target Objects user_prefs [ file ] Affected RPM Packages Policy RPM selinux-policy-2.4.6-121.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.spamd_enable_home_dirs Host Name host.example.com Platform Linux host.example.com 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 i686 Alert Count 77990 Line Numbers Raw Audit Messages avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2812 scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none) uid=0 [~]$ rpm -qa |grep selinux libselinux-python-1.33.4-5.el5 selinux-policy-strict-2.4.6-121.el5 libselinux-1.33.4-5.el5 selinux-policy-mls-2.4.6-121.el5 selinux-policy-2.4.6-121.el5 selinux-policy-devel-2.4.6-121.el5 selinux-policy-targeted-2.4.6-121.el5 libselinux-devel-1.33.4-5.el5 [~]$ rpm -qa |grep spam spamass-milter-0.3.1-1.el5.rf spamassassin-3.2.4-1.el5 [~]$ ls -ldZ ~taft drwx------ taft taft system_u:object_r:user_home_dir_t /home/taft [~]$ ls -ldZ ~taft/.spam* ls: /home/taft/.spam*: No such file or directory [~]# getsebool spamd_enable_home_dirs spamd_enable_home_dirs --> on It looks like it is trying to create the file user_prefs in a directory labeled user_home_dir_t. Spamassissin should have created a directory call .spamassassin which would be labeled user_home_t and the user_prefs could be created in that directory as user_home_t? Do you have some kind of configuration change to create user_prefs directly in /home/taft? I didn't think I had changed any configurations that would affect the location of files: [root@platypus ~]# rpm -V spamassassin S.5....T c /etc/cron.d/sa-update If you run in permissive mode, where does the file get created? In /root/.spamassassin/user_prefs I'm not sure why it got created there, but it did make the /root/.spamassassin directory. Mail to root is forwarded to taft in /etc/aliases, but I'm still not sure why the file would be created in root's homedir rather than mine. I suppose I have an issue with both selinux and spamassassin... I think this is a configuration problem, or some strange behavior, andyways. I do not believe this is standard. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html |