Bug 452738
| Summary: | selinux denials when using razor and spamassassin (spamd) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Carl Roth <roth> | ||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 9 | CC: | perl-devel, redhat-bugzilla | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-11-17 22:04:48 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This is not a problem of razor/spamassassin, but of selinux-policy. Re- assigning to selinux-policy. Daniel, can you take care of it, please? Could you please attach the audit.log file that you used to generate this policy. Currently razor should be transitioning to spamd_t If you update to the current policy (selinux-policy-3.3.1-72.fc9.noarch) do you still need your custom policy? Yes, it transitions to spamd_t, at which point it no longer has access to razor's data and config files. I'm attaching the output of 'sealert -l' for the various AVCs generated when I disable my above-posted policy changes. These were generated on a system running with selinux-policy-targeted-3.3.1-74.fc9.noarch. Created attachment 311501 [details]
sealert output
You can allow this for now. # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.3.1-78.fc9.noarch Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed. |
Description of problem: The selinux targeted policy allows the use of razor-admin and razor-report in selinux enforcing mode (razor_per_role_template etc.) but it not sufficient to allow spamassassin to launch razor via its Perl API. When using spamassassin, the razor libraries, config files, etc. are invoked from the spamd_t domain. Tying together razor and spamassassin (spamd_t) using the templates in razor.if results in module compilation errors due to conflicting rules. Version-Release number of selected component (if applicable): perl-Razor-Agent-2.84-4.fc9.i386 spamassassin-3.2.4-4.fc9.i386 selinux-policy-targeted-3.3.1-64.fc9.noarch How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: I did some quick cut-and-paste with razor.if and I came up with a simpler interface that can be used to interface to spamd_t: ######################################## ## <summary> ## Invoke razor libraries from the target domain ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`ursus_razor_perl_client',` gen_require(` type razor_t; type razor_log_t; type razor_var_lib_t; ') # subset of rules from razor_common_domain_template manage_dirs_pattern($1,razor_log_t,razor_log_t) manage_files_pattern($1,razor_log_t,razor_log_t) manage_lnk_files_pattern($1,razor_log_t,razor_log_t) # FIXME: this may end up depositing log files with incorrect labels manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t) manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t) manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t) corenet_tcp_sendrecv_razor_port($1) dnl allow $1 { razor_t }:process { signal }; dnl probably only needed for scripts and such ') razor_per_role_template(user, user_t, user_r) ursus_razor_perl_client(spamd_t)