Bug 562584

Summary: DCC not allowed by SELinux.
Product: [Fedora] Fedora Reporter: Eddie Lania <eddie>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: dwalsh, mgrepl, sorrow.about.alice
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.6.32-89.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-02-20 00:22:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sealert -l messages for cdcc denials none

Description Eddie Lania 2010-02-07 15:14:14 UTC 
Description of problem: After latest SELinux updates on Fedora 12 I am getting constantly messages in the syslog:

Feb  7 16:00:37 ls2ka setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" cdcc_exec_t. For complete SELinux messages. run sealert -l ebd6d331-0049-4af3-86ae-bf15e98b2a1f
Feb  7 16:00:37 ls2ka setroubleshoot: SELinux is preventing cdcc (spamd_t) "execute" cdcc_exec_t. For complete SELinux messages. run sealert -l 2a632908-8572-4c2d-9f06-a9791c8d0d32
Feb  7 16:00:38 ls2ka setroubleshoot: SELinux is preventing cdcc (spamd_t) "execute" cdcc_exec_t. For complete SELinux messages. run sealert -l 2a632908-8572-4c2d-9f06-a9791c8d0d32
Feb  7 16:00:38 ls2ka setroubleshoot: SELinux is preventing cdcc (spamd_t) "execute" cdcc_exec_t. For complete SELinux messages. run sealert -l 2a632908-8572-4c2d-9f06-a9791c8d0d32
Feb  7 16:00:39 ls2ka setroubleshoot: SELinux is preventing cdcc (spamd_t) "read write" dcc_client_map_t. For complete SELinux messages. run sealert -l 5f32d8ca-1269-4329-aa17-ec3c7f221e39
Feb  7 16:00:39 ls2ka setroubleshoot: SELinux is preventing cdcc (spamd_t) "read write" dcc_client_map_t. For complete SELinux messages. run sealert -l 5f32d8ca-1269-4329-aa17-ec3c7f221e39
Feb  7 16:00:39 ls2ka setroubleshoot: SELinux is preventing cdcc (spamd_t) "getattr" dcc_client_map_t. For complete SELinux messages. run sealert -l 604c3c80-f462-4adf-97ca-7bf1eaa88fbd
Feb  7 16:00:40 ls2ka setroubleshoot: SELinux is preventing cdcc (spamd_t) "lock" dcc_client_map_t. For complete SELinux messages. run sealert -l cab17498-d6c9-4ca3-890f-a7977749d511


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-94.fc11.noarch
libselinux-2.0.80-1.fc11.i586
libselinux-utils-2.0.80-1.fc11.i586
selinux-policy-3.6.12-94.fc11.noarch
libselinux-python-2.0.80-1.fc11.i586


How reproducible: With every incoming message processed by spamassassin.


Steps to Reproduce:
1. Enable spamassassin on incoming messages
2. Install and enable DCC in spamassassin
3. Receive messages and observe
  
Actual results: SELinux is preventing spamd to execute several cdcc operations.


Expected results: SELinux not to prevent cdcc


Additional info:
Comment 1 Eddie Lania 2010-02-07 15:21:28 UTC 
Created attachment 389389 [details]
sealert -l messages for cdcc denials
Comment 2 Daniel Walsh 2010-02-08 20:12:16 UTC 
Miroslav add
	dcc_domtrans_cdcc(spamd_t)
Comment 3 Miroslav Grepl 2010-02-09 11:37:50 UTC 
Fixed in selinux-policy-3.6.32-86.fc12
Comment 4 Eddie Lania 2010-02-09 20:58:57 UTC 
I am sorry but i have made a little mistake. I reported this against F12 while the machine I encountered this on is actually running F11.

Can you rebuild for F11 as well please?

Sorry.

Regards,

Eddie.
Comment 5 Fedora Update System 2010-02-11 22:01:43 UTC 
selinux-policy-3.6.32-89.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-89.fc12
Comment 6 Eddie Lania 2010-02-11 22:39:52 UTC 
Thanks for the new rpm. Can you do this for F11 as well please?
Comment 7 Miroslav Grepl 2010-02-12 08:21:54 UTC 
I will add it also to F11.
Comment 8 Fedora Update System 2010-02-13 00:40:53 UTC 
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1836
Comment 9 Eddie Lania 2010-02-17 16:03:24 UTC 
Please provide F11 rpm.
Comment 10 Miroslav Grepl 2010-02-19 17:13:12 UTC 
F11 rpm is available.
Comment 11 Fedora Update System 2010-02-20 00:19:55 UTC 
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Eddie Lania 2010-02-20 09:31:54 UTC 
(In reply to comment #10)
> F11 rpm is available.    

I just checked but the F11 rpm is still not available.
yum --enablerepo=updates-testing check-update selinux*
Loaded plugins: changelog, dellsysidplugin2, downloadonly, fastestmirror,
              : presto, refresh-packagekit
Loading mirror speeds from cached hostfile
 * fedora: ftp.nluug.nl
 * rpmfusion-free: mirror.andreas-mueller.com
 * rpmfusion-free-updates: mirror.andreas-mueller.com
 * rpmfusion-nonfree: mirror.andreas-mueller.com
 * rpmfusion-nonfree-updates: mirror.andreas-mueller.com
 * updates: ftp.nluug.nl
 * updates-testing: ftp.nluug.nl
[root@ls2ka ~]#
Comment 13 Eddie Lania 2010-02-20 09:47:55 UTC 
On F12, when updating selinux using yum, i get:

Updating       : selinux-policy-targeted-3.6.32-89.fc12.noarch                                                                            30/66 
/etc/mock/koji* /etc/rc.d/init.d/dirsrv* /srv/git* /usr/autodesk/maya2010-x64/lib /usr/lib{64,}/nagios/plugins/check_mailq /usr/sbin/ns-slapd /usr/share/e16/misc* /usr/share/shorewall/compiler.pl /var/cache/cgit* /var/lib/git* /var/lib/koji* /var/www/git/gitweb.cgi /var/www/git/gitweb.cgi

Is that supposed to be displayed or is something wrong?