Bug 738140

Summary: spamd/exim AVCs on delivery attempt when unconfined is off
Product: [Fedora] Fedora Reporter: Robin Powell <rlpowell>
Component: spamassassinAssignee: Warren Togami <wtogami>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, kevin, mgrepl, nb, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-15 21:15:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Robin Powell 2011-09-14 05:52:52 UTC 
Pretty straightforward:

type=AVC msg=audit(1315979064.478:125461): avc:  denied  { read } for  pid=26788 comm="spamd" name="shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1315979064.478:125461): avc:  denied  { open } for  pid=26788 comm="spamd" name="shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1315979064.482:125462): avc:  denied  { getattr } for  pid=26788 comm="spamd" path="/etc/shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Note that I had to turn dontaudit off to see these.

-Robin
Comment 1 Miroslav Grepl 2011-09-14 07:50:59 UTC 
I don't think these AVC causes spamd fails.

So spamd doesn't work in enforcing mode and if you switch to permissive then spamd works but without AVC msgs?
Comment 2 Robin Powell 2011-09-14 08:20:30 UTC 
I don't think they cause fails either, but I haven't looked all that hard, and spamd is fairly robust to errors; it could be failing to perform a particular check but otherwise succeeding.

Which doesn't mean you want to allow this necessarily; this was a "just FYI" sort of thing; struck me as worth mentioning.

-Robin
Comment 3 Miroslav Grepl 2011-09-15 14:04:23 UTC 
But still I don't know it the spamd works for you in enforcing mode or not?
Comment 4 Daniel Walsh 2011-09-15 14:27:50 UTC 
Spamd should definitely not be trying to read the /etc/shadow file. 
Does this use the pam stack somehow?
Comment 5 Robin Powell 2011-09-16 01:07:28 UTC 
Sorry about that.  Yes, it totally works even if it can't open /etc/shadow.  I can give you an strace of the two cases if you care.

-Robin
Comment 6 Daniel Walsh 2011-09-16 15:22:26 UTC 
Ok Do you know if it is using the pam stack?  I guess we can dontaudit the access.
Comment 7 Robin Powell 2011-09-17 07:21:52 UTC 
I don't know, no.  If you can tell me how to figure that out, I'll look.

The access already is dontaudit; I said that at the beginning.

Sorry, I didn't mean to waste people's time like this.

-Robin