Bug 571319

Summary: Spamassassin is denied operations
Product: Red Hat Enterprise Linux 5 Reporter: Joshua Wulf <jwulf>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: dwalsh, lcarlon, mmalik, orion
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
When running SELinux in the enforcing mode, various SpamAssassin operations may have been denied, and multiple denial messages could be written to the /var/log/messages log file. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which permit appropriate operations.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:48:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joshua Wulf 2010-03-08 05:49:50 UTC 
Description of problem: Multiple selinux denial messages appear in /var/log/messages relating to spamassassin


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-277.el5
selinux-policy-2.4.6-277.el5
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
spamassassin-3.2.5-1.el5

How reproducible: 100%


Steps to Reproduce:
1. Send mail to spamassassin by editing /etc/sysconfig/spamassassin:
SPAMDOPTIONS="-d -c -m5 -H -u mail"
and restarting the spamassassin service
2. watch /var/log/messages
3. observe avc denials
4. run 'restorecon -v mail'

  
Actual results:
avc denials continue to appear

Expected results:
no avc denails should be observed

Additional info:
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 62198810-eede-4bd7-bfb7-0d40c977dd59
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 5a8870e3-0521-46ba-becc-dd7663473be9
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to ./user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 4b11da28-7c1b-4e3a-a4a8-3b53aa42a024
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/bayes_toks (mail_spool_t). For complete SELinux messages. run sealert -l 801c3d02-0893-4339-9d79-dbc749eef6cc
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/bayes_toks (mail_spool_t). For complete SELinux messages. run sealert -l 801c3d02-0893-4339-9d79-dbc749eef6cc
Mar  8 15:07:19 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./.spamassassin (mail_spool_t). For complete SELinux messages. run sealert -l cd2e8187-879f-4de8-9483-b15340dd64c6
Comment 1 Daniel Walsh 2010-03-08 20:37:49 UTC 
Miroslav,

Add

mta_manage_spool(spamd_t)

This is what RHEL6 has.
Comment 3 Daniel Walsh 2010-03-09 14:59:41 UTC 
Miroslav, if other bugs in beta come in please add this.  Or add it to 5.6.
Comment 4 Joshua Wulf 2010-04-22 22:01:11 UTC 
Is there anything that I can install to test this?
Comment 5 Daniel Walsh 2010-04-23 12:51:19 UTC 
You can build a policy module to allow this.

# cat > myspamd.te  << _EOF
policy_module(myspamd, 1.0)
gen_require(`
           type spamd_t;
')
mta_manage_spool(spamd_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myspamd.pp

This will add the rules and then you can test if this solves your problems.
Comment 6 Joshua Wulf 2010-04-26 23:07:58 UTC 
I got a syntax error for the ` not being closed by another `, or something like that, so I did:

policy_module(myspamd, 1.0)
gen_require(
           type spamd_t;
)
mta_manage_spool(spamd_t)

This seemed to work, and I loaded the resultant SELinux module. Now I get the following:


Source Context                system_u:system_r:spamc_t
Target Context                system_u:system_r:sendmail_t
Target Objects                pipe [ fifo_file ]
Source                        spamc
Source Path                   /usr/bin/spamc
Port                          <Unknown>
Host                          atmayogi.com
Source RPM Packages           spamassassin-3.2.5-1.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     atmayogi.com
Platform                      Linux atmayogi.com 2.6.18-194.el5 #1 SMP Tue Mar
                              16 21:52:43 EDT 2010 i686 i686
Alert Count                   18696
First Seen                    Mon Sep  7 09:21:12 2009
Last Seen                     Tue Apr 27 09:04:46 2010
Local ID                      dfe5db79-9ffe-4b82-bd80-da23ce8d6674
Line Numbers                  

Raw Audit Messages            

host=atmayogi.com type=AVC msg=audit(1272323086.489:69590): avc:  denied  { write } for  pid=17442 comm="spamc" path="pipe:[2864779]" dev=pipefs ino=2864779 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file

host=atmayogi.com type=SYSCALL msg=audit(1272323086.489:69590): arch=40000003 syscall=11 success=yes exit=0 a0=8f30d98 a1=8f33498 a2=8f333d8 a3=3 items=0 ppid=17441 pid=17442 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
Comment 7 Daniel Walsh 2010-04-27 14:18:28 UTC 
Miroslav, F13 has

	sendmail_rw_pipes(spamc_t)


This needs to be back ported.
Comment 8 Joshua Wulf 2010-04-29 23:38:44 UTC 
This has fixed it. The messages no longer appear in syslog.
Comment 9 Orion Poplawski 2010-05-18 18:08:50 UTC 
What is this fixed in?  With selinux-policy-2.4.6-279.el5 I still get:

type=AVC msg=audit(1274205757.808:10460): avc:  denied  { write } for  pid=3779 comm="spamc" path="pipe:[2731252]" dev=pipefs ino=2731252 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1274205757.808:10460): avc:  denied  { read write } for  pid=3779 comm="spamc" path="socket:[2731050]" dev=sockfs ino=2731050 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

although spam assassin appears to work.

# semodule -l | grep spam
spamassassin    1.9.0
Comment 11 Miroslav Grepl 2010-07-22 09:27:29 UTC 
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 14 Jaromir Hradilek 2011-01-05 16:10:04 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When running SELinux in the enforcing mode, various SpamAssassin operations may have been denied, and multiple denial messages could be written to the /var/log/messages log file. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which permit appropriate operations.
Comment 16 errata-xmlrpc 2011-01-13 21:48:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html