Bug 480129

Summary: Error at calling service amavisd restart when SELinux is in enforcing mode
Product: Red Hat Enterprise Linux 5
Reporter: Frank Büttner <bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 5.7
CC: dwalsh, ejacobs, ksrot, mmalik, perl-devel, steve
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: ActualBug
Fixed In Version: selinux-policy-2.4.6-328.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-08 03:30:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Frank Büttner 2009-01-15 09:52:41 UTC
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)

Version: amavisd-new-2.4.5-1.el5
When I run service amavisd restart I get the message:
amavisd beenden:  Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [2389] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
amavisd starten:                                           [  OK  ]


Reproducible: Always

Steps to Reproduce:
1. run service amavisd restart

Actual Results:  
Getting the message above.

Expected Results:  
Restart without the message.

Comment 1 Erik M Jacobs 2012-03-31 16:31:22 UTC
I can confirm that I am also having this issue, except I am not experiencing it on all machines.  Using the same package as Frank:

[root@shrugged ~]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [28085] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Note that there was an old thread that discussed this:
http://old.nabble.com/-etc-init.d-amavisd-stop-Error-td21979008.html

The uptime program is provided by the procps package, and I have updated to the latest version on all machines: procps.x86_64 3.2.7-18.el5

I still get the error.

My dev server is running a slightly newer kernel and is not experiencing this issue:
dev (2.6.18-274.el5) vs prod (2.6.18-238.el5)

The oddity here is that if I do exactly what the system script is doing, I don't get the error:
action $"Shutting down ${prog_base}:" ${prog} -c ${prog_config_file} stop

Updating to the latest version of initscripts doesn't fix the problem either:
initscripts-8.45.42-1.el5

I'm not sure exactly how to further troubleshoot/locate this issue. But it's rather annoying that every time amavis gets restarted this proc error gets generated.

Comment 2 Erik M Jacobs 2012-03-31 16:45:29 UTC
OK, looking at the topic of the bug, it says "only in enforcing mode."

I can confirm that the issue does not present in permissive mode:
[root@shrugged ~]$ setenforce permissive
[root@shrugged ~]$ service amavisd restart
Shutting down amavisd: Daemon [28225] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

[root@shrugged ~]$ setenforce enforcing
[root@shrugged ~]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [28261] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Here is the painful irony:
In enforcing mode, there are no denials logged!!  The system needs to be in permissive mode in order to even see the AVC denials:
type=MAC_STATUS msg=audit(1333211543.148:58687): enforcing=0 old_enforcing=1 auid=501 ses=8891
type=SYSCALL msg=audit(1333211543.148:58687): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffcc69c460 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28239 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58688): avc:  denied  { read } for  pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58689): avc:  denied  { lock } for  pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=MAC_STATUS msg=audit(1333211551.191:58690): enforcing=1 old_enforcing=0 auid=501 ses=8891
type=SYSCALL msg=audit(1333211551.191:58690): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffa8f0fce0 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28269 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)

So, it looks like there are selinux issues with trying to access uptime:
[root@shrugged ~]$ ausearch -m avc -ts 12:00
----
time->Sat Mar 31 16:32:26 2012
type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58689): avc:  denied  { lock } for  pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
----
time->Sat Mar 31 16:32:26 2012
type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58688): avc:  denied  { read } for  pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Into audit2allow:
#============= amavis_t ==============
allow amavis_t initrc_var_run_t:file { read lock };

Now, I'm not sure if this should be default SELinux policy or not, or if there should be a boolean... but this is what's causing the issue.  It's not in amavis, and I'll be updating the bug appropriately.

Comment 3 Erik M Jacobs 2012-03-31 16:45:49 UTC
[root@shrugged ~]$ rpm -qa | grep selinux
libselinux-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
selinux-policy-2.4.6-300.el5
selinux-policy-targeted-2.4.6-300.el5
libselinux-ruby-1.33.4-5.7.el5

Comment 4 Erik M Jacobs 2012-03-31 16:48:03 UTC
With the latest versions of the policy installed, this error persists:

[root@atlas /var/log]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5

[root@atlas /var/log]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [23101] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Comment 5 Erik M Jacobs 2012-03-31 16:49:27 UTC
Updated bug to be assigned to selinux-policy for el5.

Comment 6 Erik M Jacobs 2012-03-31 22:36:12 UTC
OK, think I spoke too soon.  Here's the latest situation:

[root@atlas /etc/puppet]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5

[root@atlas /etc/puppet]$ getenforce
Permissive

[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3230] terminated by SIGTERM 
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

In this configuration, nothing gets logged to the audit log (yes, permissive).

If we switch to enforcing:
[root@atlas /etc/puppet]$ setenforce 1
[root@atlas /etc/puppet]$ getenforce
Enforcing
[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [3286] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

SELinux is definitely doing something naughty.  Apparently there are some things that default policies set to not audit:
http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/9234

Disabling the dontaudit and going to permissive:
[root@atlas /etc/puppet]$ semodule -DB
[root@atlas /etc/puppet]$ setenforce 0
[root@atlas /etc/puppet]$ getenforce
Permissive
[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3315] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

[root@atlas /etc/puppet]$ date
Sat Mar 31 22:33:06 GMT 2012
[root@atlas /etc/puppet]$ ausearch -m avc -ts 22:33 | audit2allow


#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

This looks good I guess. But this module won't compile and install:
[root@atlas ~]$ ausearch -m avc -ts 22:33 | audit2allow -M amavisd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i amavisd.pp
[root@atlas ~]$ cat amavisd.te

module amavisd 1.0;

require {
        type amavis_t;
        type security_t;
        type proc_t;
        type user_home_dir_t;
        type selinux_config_t;
        type shadow_t;
        class file { read getattr };
        class dir search;
}

#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;
[root@atlas ~]$ semodule -i amavisd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow amavis_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

So I'm at a loss as to actually how to generate a policy here that will work.

Comment 7 Erik M Jacobs 2012-03-31 22:47:31 UTC
So the violation is because of a read shadow restraint.  Since I can't think of a good reason why amavisd should be reading shadow, I just commented it out.

[root@atlas ~]$ cat amavisd.te 

module amavisd 1.0;

require {
        type amavis_t;
        type security_t;
        type proc_t;
        type user_home_dir_t;
        type selinux_config_t;
        #type shadow_t;
        class file { read getattr };
        class dir search;
}

#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
#allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

Installing this module works, and when in enforcing mode, no error is generated:
[root@atlas ~]$ getenforce
Enforcing
[root@atlas ~]$ service amavisd restart
Shutting down amavisd: Daemon [3347] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

The only selinux denial that still happens is the shadow read:
[root@atlas ~]$ ausearch -m avc -ts 22:45:50 | audit2allow


#============= amavis_t ==============
allow amavis_t shadow_t:file read;

Now, this policy module can probably be clamped down to fix what's going on, because it seems to me like it opens up a fair number of holes.
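The workflow in Comments 2, 6 and 7 (collect AVC records, turn them into allow rules, then find out at semodule -i that one of them trips a policy assertion) can be checked before anything is installed. The following is an added example, not code from this bug report or from the selinux-policy project: it parses AVC records into audit2allow-style rules, keeps track of which program caused each denial, and sets aside rules on target types that the base policy protects. The sample audit lines are constructed to mirror the records quoted above, and the PROTECTED_TARGETS list is an assumption made for the example.

```python
import re

# Constructed sample audit records, modelled on the AVC denials quoted in this
# bug (same field layout as /var/log/audit/audit.log; the SYSCALL record is
# included only to show that non-AVC lines are skipped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1333211546.444:58688): avc:  denied  { read } for  pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1333211546.444:58689): avc:  denied  { lock } for  pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649748.098:11411): avc:  denied  { read } for  pid=28571 comm="amavisd" name="shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1333649748.098:11412): avc:  denied  { getattr } for  pid=28571 comm="amavisd" path="/etc/shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# One AVC record: the denied permission set, the program, and the
# source/target contexts plus object class that an allow rule is keyed on.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Extract the type field from a user:role:type[:range] context."""
    return ctx.split(":")[2]

def parse_denials(audit_text):
    """Group AVC denials as {(src_type, tgt_type, class): {"perms": set, "comm": set}}."""
    denials = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, MAC_STATUS and other record types carry no denial
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        entry = denials.setdefault(key, {"perms": set(), "comm": set()})
        entry["perms"].update(m["perms"].split())
        entry["comm"].add(m["comm"])
    return denials

# Assumption for this example: target types the base policy guards with
# neverallow assertions. A generated allow rule on them fails at semodule -i
# with "assertion ... violated", as the shadow_t rule did in Comment 6.
PROTECTED_TARGETS = {"shadow_t"}

def render_rules(denials, protected=PROTECTED_TARGETS):
    """Emit audit2allow-style allow lines, split into (candidates, rejected)."""
    rules, rejected = [], []
    for (src, tgt, cls), entry in sorted(denials.items()):
        perms = sorted(entry["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        line = f"allow {src} {tgt}:{cls} {perm_str};  # seen from: {', '.join(sorted(entry['comm']))}"
        (rejected if tgt in protected else rules).append(line)
    return rules, rejected
```

The "seen from" annotation is what shows that the utmp denial comes from the init script's call to uptime rather than from amavisd itself, which is the clue Comment 8 follows by trimming the module to a single rule.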

Comment 8 Miroslav Grepl 2012-04-02 10:54:01 UTC
Could you test it only with this rule?

allow amavis_t proc_t:file read;

Comment 9 Erik M Jacobs 2012-04-05 18:18:31 UTC
Looks like it works.

[root@atlas ~]$ cat amavisd-miro.te
module amavisd-miro 1.0;

require {
  type amavis_t;
  type proc_t;
  class file read;
}

#============= amavis_t ==============
allow amavis_t proc_t:file read;

[root@atlas ~]$ service amavisd restart
Shutting down amavisd: Daemon [28091] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Still getting errors:
type=AVC msg=audit(1333649748.098:11411): avc:  denied  { read } for  pid=28571 comm="amavisd" name="shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1333649748.098:11411): arch=c000003e syscall=2 success=yes exit=5 a0=2ba41721d2da a1=0 a2=1b6 a3=0 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649748.098:11412): avc:  denied  { getattr } for  pid=28571 comm="amavisd" path="/etc/shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1333649748.098:11412): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff158c5960 a2=7fff158c5960 a3=0 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649748.099:11413): avc:  denied  { search } for  pid=28571 comm="amavisd" name="root" dev=dm-0 ino=545089 scontext=user_u:system_r:amavis_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1333649748.099:11413): arch=c000003e syscall=4 success=no exit=-2 a0=c93c730 a1=c806140 a2=c806140 a3=7 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11414): avc:  denied  { search } for  pid=28578 comm="amavisd" name="selinux" dev=dm-0 ino=353080 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1333649749.867:11414): avc:  denied  { read } for  pid=28578 comm="amavisd" name="config" dev=dm-0 ino=353317 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11414): arch=c000003e syscall=2 success=yes exit=4 a0=3b91e12a64 a1=0 a2=1b6 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11415): avc:  denied  { getattr } for  pid=28578 comm="amavisd" path="/etc/selinux/config" dev=dm-0 ino=353317 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11415): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fffd9c7dfd0 a2=7fffd9c7dfd0 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11416): avc:  denied  { search } for  pid=28578 comm="amavisd" name="/" dev=selinuxfs ino=392 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1333649749.867:11416): avc:  denied  { read } for  pid=28578 comm="amavisd" name="mls" dev=selinuxfs ino=12 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11416): arch=c000003e syscall=2 success=yes exit=4 a0=7fffd9c7d0e0 a1=0 a2=0 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)

(audit2allow)
#============= amavis_t ==============
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

But they don't cause any issue with the proc errors or anything like that.

Comment 10 Daniel Walsh 2012-04-09 20:27:25 UTC
We seem to dontaudit all of these in Fedora.

Comment 11 RHEL Program Management 2012-06-13 12:09:05 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 16 errata-xmlrpc 2013-01-08 03:30:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html