Bug 671486

Summary: dspam to be confined
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, mcepl, mgrepl, nathanael
Target Milestone: ---Keywords: Reopened, SELinux
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: dspam-3.9.0-13.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-26 20:37:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
output of ausearch -m AVC -ts 16:34 none

Description Matěj Cepl 2011-01-21 16:15:28 UTC 
Description of problem:
dspam is a daemon communicating with MTA, it has public facing web frontend, so I think SELinux confinement would be useful.

Version-Release number of selected component (if applicable):
dspam-0:3.9.0-10.fc15.x86_64

How reproducible:
100%
Comment 1 Miroslav Grepl 2011-01-25 14:05:26 UTC 
Matej, 
could you try to treat DSPAM with spamd policy? I mean 

execute:

# chcon -t spamd_exec_t /usr/bin/dspam
# chcon -R -t spamd_var_lib_t /var/lib/dspam
# chcon -R -t spamd_log_t /var/log/dspam
# chcon -R -t spamd_var_run_t /var/run/dspam

Test it and run

# ausearch -m avc -ts recent

Thanks.
Comment 2 Matěj Cepl 2011-01-25 15:45:15 UTC 
Created attachment 475190 [details]
output of ausearch -m AVC -ts 16:34
Comment 3 Matěj Cepl 2011-01-25 15:46:00 UTC 
And this what audit2allow thinks:

[root@luther ~]# ausearch -m AVC -ts 16:34 |audit2allow


#============= httpd_sys_script_t ==============
allow httpd_sys_script_t spamd_var_lib_t:dir { write remove_name search add_name getattr };
allow httpd_sys_script_t spamd_var_lib_t:file { setattr read lock create ioctl write getattr unlink append };

#============= postfix_smtp_t ==============
allow postfix_smtp_t spamd_t:unix_stream_socket connectto;
allow postfix_smtp_t tmp_t:sock_file write;

#============= spamd_t ==============
allow spamd_t port_t:tcp_socket name_connect;
allow spamd_t self:capability net_admin;
allow spamd_t tmp_t:sock_file create;

#============= zarafa_deliver_t ==============
allow zarafa_deliver_t ld_so_cache_t:file { read getattr };
allow zarafa_deliver_t ld_so_t:file read;
allow zarafa_deliver_t lib_t:file execute;

#============= zarafa_gateway_t ==============
allow zarafa_gateway_t reserved_port_t:tcp_socket name_connect;
Comment 4 Matěj Cepl 2011-01-25 15:47:40 UTC 
Of course zarafa* AVC denials are subject to bug 574788
Comment 5 Miroslav Grepl 2011-01-26 09:03:33 UTC 
Ok, thanks for testing.

I will send you dspam policy.
Comment 6 Miroslav Grepl 2011-01-26 09:33:24 UTC 
Looking more into audit.log and I am seeing "dspam.socket" is created in /tmp

path="/tmp/dspam.sock"

I will allow it for now but

"DSPAM" maintainer, 
could it be changed to /var/run/dspam.sock?
Comment 7 Miroslav Grepl 2011-01-26 10:21:53 UTC 
I have sent you a new DSPAM policy which contains zarafa fixes and also a policy for the DSPAM cgi script. 

So just run the dspam.sh script to install this policy.

Also please check paths in the dspam.fc file since you test it on RHEL5.
Comment 8 Matěj Cepl 2011-01-26 12:17:11 UTC 
(In reply to comment #7)
> I have sent you a new DSPAM policy which contains zarafa fixes and also a
> policy for the DSPAM cgi script. 
> 
> So just run the dspam.sh script to install this policy.
> 
> Also please check paths in the dspam.fc file since you test it on RHEL5.

The only difference (I don't think it is related to RHELishness, but bug 672068) is that I don't have website proper in /usr/share/dspam-web but in /var/www/dspam/, but otherwise it went smoothly, and I will report on the results soon.
Comment 9 Matěj Cepl 2011-01-26 12:17:55 UTC 
(In reply to comment #6)
> Looking more into audit.log and I am seeing "dspam.socket" is created in /tmp
> 
> path="/tmp/dspam.sock"
> 
> I will allow it for now but
> 
> "DSPAM" maintainer, 
> could it be changed to /var/run/dspam.sock?

This is actually configurable, I will take a look.
Comment 10 Matěj Cepl 2011-01-26 12:26:11 UTC 
(In reply to comment #9)
> This is actually configurable, I will take a look.

I think the only change required is ServerDomainSocketPath variable in /etc/dspam.conf and in /etc/postfix/master.cf

Does it mean, I can just remove these lines in dspam.te

# FIXME
# /tmp/dspam.sock
type dspam_tmp_t;
files_tmp_file(dspam_tmp_t)

or should they be replaced by something else?
Comment 11 Miroslav Grepl 2011-01-26 12:41:53 UTC 
(In reply to comment #10)
> (In reply to comment #9)
> > This is actually configurable, I will take a look.
> 
> I think the only change required is ServerDomainSocketPath variable in
> /etc/dspam.conf and in /etc/postfix/master.cf
> 
> Does it mean, I can just remove these lines in dspam.te
> 
> # FIXME
> # /tmp/dspam.sock
> type dspam_tmp_t;
> files_tmp_file(dspam_tmp_t)
> 
> or should they be replaced by something else?

No, you can leave these rules in the policy file.
Comment 12 Nathanael Noblet 2011-01-26 17:54:09 UTC 
Hello - as package maintainer I have to profess I don't use the web-ui *or* dspam as a dameon. I agree that the best default place for dspam socket for daemon mode is either /var/run/dspam/dspam.sock or /var/run/dspam.sock.

I'm not sure the best, however I propose to use /var/run/dspam/dspam.sock since /var/run/dspam is 770 & owned by dspam:mail it allows anything running in the mail group access.

Does that sound reasonable?
Comment 13 Daniel Walsh 2011-01-26 18:07:52 UTC 
From an SELinux point of view /var/run/dspam/dspam.sock is best.
Comment 14 Fedora Update System 2011-01-26 19:26:47 UTC 
dspam-3.9.0-12.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/dspam-3.9.0-12.fc14
Comment 15 Fedora Update System 2011-01-26 19:26:54 UTC 
dspam-3.9.0-12.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/dspam-3.9.0-12.el5
Comment 16 Fedora Update System 2011-01-26 21:16:32 UTC 
dspam-3.9.0-13.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/dspam-3.9.0-13.fc14
Comment 17 Fedora Update System 2011-01-26 21:18:51 UTC 
dspam-3.9.0-13.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/dspam-3.9.0-13.el5
Comment 18 Fedora Update System 2011-01-27 18:24:47 UTC 
dspam-3.9.0-13.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dspam'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/dspam-3.9.0-13.el5
Comment 19 Fedora Update System 2011-02-04 19:51:32 UTC 
dspam-3.9.0-13.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2011-02-13 00:18:10 UTC 
dspam-3.9.0-13.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.