| Summary: | Selinux blocks mimedefang communicating with clamav | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Philip Prindeville <philipp> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dwalsh, philipp |
| Target Milestone: | --- | Keywords: | Reopened, SELinux |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-09 08:45:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Hmmm... that apparently wasn't enough:

```
module local 1.0;

require {
	type spamd_var_run_t;
	type spamd_t;
	type clamd_var_run_t;
	type clamd_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir { read search open getattr };
	class file { read getattr open };
}

#============= clamd_t ==============
allow clamd_t spamd_var_run_t:dir { read search open getattr };
allow clamd_t spamd_var_run_t:file { read getattr open };

#============= spamd_t ==============
allow spamd_t clamd_t:unix_stream_socket connectto;
allow spamd_t clamd_var_run_t:sock_file write;
```
I have no problem with this and checked in the fixes.

This should be backported to RHEL6, F15 and F16

0117b6b5c9191579de9210597511cbad489086c0

Also seeing:

```
[root@mail tmp]# audit2allow -m local
type=AVC msg=audit(1321446394.000:6867): avc: denied { read } for pid=28360 comm="gpg" name=".spamassassin28359K8dpY7tmp" dev=sda3 ino=526169 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file

module local 1.0;

require {
	type gpg_t;
	type spamd_tmp_t;
	class file read;
}

#============= gpg_t ==============
allow gpg_t spamd_tmp_t:file read;
[root@mail tmp]#
```

and:

```
[root@mail tmp]# audit2allow -m local
type=AVC msg=audit(1321482565.921:6978): avc: denied { write } for pid=30589 comm="mimedefang.pl" name="clamd.sock" dev=tmpfs ino=997944 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1321482565.921:6978): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=3a4c320 a2=6e a3=0 items=0 ppid=18474 pid=30589 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)

module local 1.0;

require {
	type spamd_t;
	type clamd_var_run_t;
	class sock_file write;
}

#============= spamd_t ==============
allow spamd_t clamd_var_run_t:sock_file write;
[root@mail tmp]#
```
You need to update to the latest policy.

(In reply to comment #4)
> You need to update to the latest policy.

Can you release the latest sources for F15 as well then please?

(In reply to comment #5)
> (In reply to comment #4)
> > You need to update to the latest policy.
>
> Can you release the latest sources for F15 as well then please?

Yes, added to selinux-policy-3.9.16-48.fc15

Even with the current policy on F16, I'm seeing problems with mimedefang not being able to connect to clamd.

```
--------------------- Selinux Audit Begin ------------------------

*** Denials ***
system_u:system_r:spamd_t:s0 system_u:object_r:clamd_var_run_t:s0 (dir): 105 times
system_u:system_r:spamd_t:s0 system_u:object_r:sendmail_exec_t:s0 (file): 2 times

---------------------- Selinux Audit End -------------------------
```
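The thread works from three views of the same data: raw `type=AVC` / `type=SYSCALL` records from audit.log, the per-context denial counts of the "Selinux Audit" digest above, and the `allow` rules that `audit2allow -m` folds them into. The following script is an added example, not code from the bug report, from selinux-policy or from audit2allow itself. It parses records in the format quoted in the thread, pairs each AVC with its SYSCALL record by audit serial so that a `success=yes` next to `avc: denied` (the permissive-mode signature seen later in the thread) is distinguished from an access that was actually blocked, prints the same digest format as above, and emits a TE module in audit2allow's layout. The sample records are constructed (serials, pids and inodes are made up); only the contexts and classes come from the bug.

```python
"""Digest SELinux AVC denials and fold them into a minimal TE module.

Added example for this bug thread; not code from the report, from
selinux-policy or from audit2allow.  Handles the audit.log record format
quoted in the thread (double or single spaces after "avc:").
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample records (serials, pids, inodes are made up; the contexts
# and object classes are the ones the bug is about).  Serial 100 was logged in
# permissive mode (success=yes), serial 101 in enforcing mode (success=no),
# serial 102 has no SYSCALL record at all.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1322000000.001:100): avc:  denied  { write } for  pid=1001 comm="mimedefang.pl" name="clamd.sock" dev=tmpfs ino=11 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1322000000.001:100): avc:  denied  { connectto } for  pid=1001 comm="mimedefang.pl" path="/var/run/clamd.mimedefang/clamd.sock" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1322000000.001:100): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=0 a2=6e a3=0 items=0 ppid=1000 pid=1001 auid=4294967295 uid=491 gid=478 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1322000000.002:101): avc:  denied  { search } for  pid=1002 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=12 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1322000000.002:101): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=0 a2=6e a3=0 items=0 ppid=1000 pid=1002 auid=4294967295 uid=491 gid=478 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1322000000.003:102): avc:  denied  { search } for  pid=1002 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=12 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
"""


class Denial(NamedTuple):
    serial: str                 # audit event serial; pairs AVC and SYSCALL records
    scontext: str
    tcontext: str
    tclass: str
    perms: Tuple[str, ...]
    # True: the syscall failed (enforcing); False: logged only (permissive mode
    # or permissive domain); None: no SYSCALL record with this serial was seen.
    enforced: Optional[bool]


AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\} for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)\b"
)


def parse_audit(text: str) -> List[Denial]:
    """Extract AVC denials, tagging each with the outcome of its syscall."""
    outcomes: Dict[str, bool] = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            outcomes[m["serial"]] = (m["success"] == "no")
    denials: List[Denial] = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            serial=m["serial"], scontext=m["scontext"], tcontext=m["tcontext"],
            tclass=m["tclass"], perms=tuple(m["perms"].split()),
            enforced=outcomes.get(m["serial"]),
        ))
    return denials


def type_of(context: str) -> str:
    """user:role:type[:range] -> type (works for MLS ranges like s0-s0:c0.c1023)."""
    return context.split(":")[2]


def summarize(denials: List[Denial]) -> Dict[Tuple[str, str, str], int]:
    """Same grouping as the 'Selinux Audit' digest: (scontext, tcontext, tclass) -> count."""
    return dict(Counter((d.scontext, d.tcontext, d.tclass) for d in denials))


def format_summary(denials: List[Denial]) -> str:
    rows = sorted(summarize(denials).items(), key=lambda kv: (-kv[1], kv[0]))
    return "\n".join(f"{s} {t} ({c}): {n} times" for (s, t, c), n in rows)


def _perm_set(perms: Set[str]) -> str:
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def generate_te(denials: List[Denial], module: str = "local") -> str:
    """Fold denials into allow rules grouped by source type, in audit2allow -m layout."""
    rules: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for d in denials:
        rules[(type_of(d.scontext), type_of(d.tcontext), d.tclass)].update(d.perms)
    types = sorted({t for key in rules for t in key[:2]})
    classes: Dict[str, Set[str]] = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    by_source: Dict[str, List[str]] = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        by_source[stype].append(f"allow {stype} {ttype}:{tclass} {_perm_set(perms)};")
    for stype, allow_lines in by_source.items():
        out += [f"#============= {stype} ==============", *allow_lines, ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = parse_audit(SAMPLE_AUDIT)
    for d in found:
        state = {True: "blocked", False: "permissive", None: "unknown"}[d.enforced]
        print(f"serial {d.serial}: {type_of(d.scontext)} -> {type_of(d.tcontext)} "
              f"{d.tclass} {' '.join(d.perms)} [{state}]")
    print(format_summary(found))
    print(generate_te(found))
```

Run it against a real log with `python3 avc_digest.py < /var/log/audit/log` after swapping `SAMPLE_AUDIT` for `sys.stdin.read()`. The `enforced` flag is the piece audit2allow does not give you: a denial paired with `success=yes` was only logged, so a module generated from a permissive-mode run (as in the "setting permissive mode" comment further down) should be reviewed rule by rule rather than loaded wholesale.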
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > You need to update to the latest policy.
> >
> > Can you release the latest sources for F15 as well then please?
>
> Yes, added to selinux-policy-3.9.16-48.fc15

Please confirm that the policy in comment #1 is present.

Could you add the appropriate AVC msgs for the denials from comment #8?

A new F15 policy will be available today from koji.

```
----
time->Tue Nov 22 12:35:36 2011
type=AVC msg=audit(1321990536.725:453): avc: denied { search } for pid=8565 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=13416 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Tue Nov 22 12:37:26 2011
type=AVC msg=audit(1321990646.954:455): avc: denied { search } for pid=8565 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=13416 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Tue Nov 22 12:37:26 2011
type=AVC msg=audit(1321990646.952:454): avc: denied { search } for pid=8565 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=13416 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Tue Nov 22 12:37:26 2011
type=AVC msg=audit(1321990646.955:456): avc: denied { search } for pid=8565 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=13416 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Tue Nov 22 12:38:35 2011
type=AVC msg=audit(1321990715.018:457): avc: denied { search } for pid=8565 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=13416 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Tue Nov 22 12:39:59 2011
type=AVC msg=audit(1321990799.265:458): avc: denied { search } for pid=8565 comm="mimedefang.pl" name="clamd.mimedefang" dev=tmpfs ino=13416 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Wed Nov 23 00:07:37 2011
type=SYSCALL msg=audit(1322032057.218:572): arch=c000003e syscall=59 success=no exit=-13 a0=4791460 a1=3318330 a2=ce8070 a3=8 items=0 ppid=11441 pid=11464 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1322032057.218:572): avc: denied { execute } for pid=11464 comm="mimedefang.pl" name="sendmail.sendmail" dev=sda3 ino=266985 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
----
time->Wed Nov 23 00:07:37 2011
type=SYSCALL msg=audit(1322032057.339:573): arch=c000003e syscall=59 success=no exit=-13 a0=4791460 a1=3318330 a2=ce8070 a3=8 items=0 ppid=11441 pid=11467 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1322032057.339:573): avc: denied { execute } for pid=11467 comm="mimedefang.pl" name="sendmail.sendmail" dev=sda3 ino=266985 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
----
time->Wed Nov 23 01:01:57 2011
type=SYSCALL msg=audit(1322035317.074:583): arch=c000003e syscall=59 success=no exit=-13 a0=3bdd740 a1=4bc20d0 a2=ce8070 a3=8 items=0 ppid=11441 pid=11623 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1322035317.074:583): avc: denied { execute } for pid=11623 comm="mimedefang.pl" name="sendmail.sendmail" dev=sda3 ino=266985 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
----
time->Wed Nov 23 01:01:57 2011
type=SYSCALL msg=audit(1322035317.196:584): arch=c000003e syscall=59 success=no exit=-13 a0=3bdd740 a1=3be35e0 a2=ce8070 a3=8 items=0 ppid=11441 pid=11626 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1322035317.196:584): avc: denied { execute } for pid=11626 comm="mimedefang.pl" name="sendmail.sendmail" dev=sda3 ino=266985 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
----
```
So setting permissive mode, and deleting the local work-around policies, I get:

```
type=AVC msg=audit(1322078626.729:7740): avc: denied { write } for pid=15115 comm="mimedefang.pl" name="clamd.sock" dev=tmpfs ino=6404553 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1322078626.729:7740): avc: denied { connectto } for pid=15115 comm="mimedefang.pl" path="/var/run/clamd.mimedefang/clamd.sock" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1322078626.729:7740): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=33ff590 a2=6e a3=0 items=0 ppid=15114 pid=15115 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1322078626.730:7741): avc: denied { getattr } for pid=15148 comm="clamd" path="/var/spool/MIMEDefang/mdefang-pANK3fSD015146/Work/msg-15115-1.txt" dev=sda2 ino=1105434 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322078626.730:7741): arch=c000003e syscall=6 success=yes exit=0 a0=2228c00 a1=7f756de1bb40 a2=7f756de1bb40 a3=31bdb35ba0 items=0 ppid=1 pid=15148 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1322078626.730:7742): avc: denied { read } for pid=15148 comm="clamd" name="msg-15115-1.txt" dev=sda2 ino=1105434 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322078626.730:7742): arch=c000003e syscall=21 success=yes exit=0 a0=7f7564000900 a1=4 a2=625d80 a3=0 items=0 ppid=1 pid=15148 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1322078626.730:7743): avc: denied { open } for pid=15148 comm="clamd" name="msg-15115-1.txt" dev=sda2 ino=1105434 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322078626.730:7743): arch=c000003e syscall=2 success=yes exit=11 a0=7f7564000900 a1=0 a2=7f756de1bcf0 a3=0 items=0 ppid=1 pid=15148 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
```
I'll try the koji build shortly.
And after doing "yum --enablerepo=updates-testing update selinux-policy\*":

```
type=MAC_POLICY_LOAD msg=audit(1322078923.274:7744): policy loaded auid=0 ses=1
type=SYSCALL msg=audit(1322078923.274:7744): arch=c000003e syscall=1 success=yes exit=4196488 a0=4 a1=7f7d03e58000 a2=400888 a3=7fffb293f4d0 items=0 ppid=15208 pid=15210 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1322079000.277:7750): avc: denied { getattr } for pid=15910 comm="clamd" path="/var/spool/MIMEDefang/mdefang-pANK9sYT015908/Work/msg-15886-1.txt" dev=sda2 ino=1105448 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322079000.277:7750): arch=c000003e syscall=6 success=yes exit=0 a0=1072140 a1=7f63aa706b40 a2=7f63aa706b40 a3=31bdb35ba0 items=0 ppid=1 pid=15910 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1322079000.277:7751): avc: denied { read } for pid=15910 comm="clamd" name="msg-15886-1.txt" dev=sda2 ino=1105448 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322079000.277:7751): arch=c000003e syscall=21 success=yes exit=0 a0=7f639c000900 a1=4 a2=625d80 a3=0 items=0 ppid=1 pid=15910 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1322079000.277:7752): avc: denied { open } for pid=15910 comm="clamd" name="msg-15886-1.txt" dev=sda2 ino=1105448 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1322079000.277:7752): arch=c000003e syscall=2 success=yes exit=11 a0=7f639c000900 a1=0 a2=7f63aa706cf0 a3=0 items=0 ppid=1 pid=15910 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
```
I'm running .60 and still seeing this on FC16.

Now I'm running .61 and still seeing this on FC16.

Fixed in -62 release.

(In reply to comment #16)
> Fixed in -62 release.

Updated to -62. No longer seeing the following:

```
----
time->Mon Nov 28 14:26:35 2011
type=SYSCALL msg=audit(1322515595.236:9146): arch=c000003e syscall=6 success=yes exit=0 a0=10b3990 a1=7f63a9f05b40 a2=7f63a9f05b40 a3=31bdb35ba0 items=0 ppid=1 pid=16665 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1322515595.236:9146): avc: denied { getattr } for pid=16665 comm="clamd" path="/var/spool/MIMEDefang/mdefang-pASLQTid016652/Work/msg-15859-26.txt" dev=sda2 ino=1108278 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
----
time->Mon Nov 28 14:26:35 2011
type=SYSCALL msg=audit(1322515595.236:9147): arch=c000003e syscall=21 success=yes exit=0 a0=7f63a0011520 a1=4 a2=625d80 a3=0 items=0 ppid=1 pid=16665 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1322515595.236:9147): avc: denied { read } for pid=16665 comm="clamd" name="msg-15859-26.txt" dev=sda2 ino=1108278 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
----
time->Mon Nov 28 14:26:35 2011
type=SYSCALL msg=audit(1322515595.236:9148): arch=c000003e syscall=2 success=yes exit=11 a0=7f63a0011520 a1=0 a2=7f63a9f05cf0 a3=0 items=0 ppid=1 pid=16665 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1322515595.236:9148): avc: denied { open } for pid=16665 comm="clamd" name="msg-15859-26.txt" dev=sda2 ino=1108278 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file
[root@mail mail]#
```

Looks good to go. Please push to updates-testing.

I'm guessing that this is addressed here:

```
* Mon Nov 28 2011 Miroslav Grepl <mgrepl> 3.10.0-62
- Add fs_read_fusefs_dirs interface
- Allow mailman to read /dev/urandom
- Allow clamd to read spamd pid file
- Allow mount to read /dev/urandom
- Add use_fusefs_home_dirs also for system_dbus_t
```

on the "clamd" line. We can close out this bug then?

Description of problem:
Mimedefang fails to open clamd socket.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
No SE policy to allow communication between mimedefang and clamav.

Expected results:
allow spamd_t clamd_var_run_t:sock_file write;

Additional info:

```
type=AVC msg=audit(1321121780.780:3544): avc: denied { write } for pid=28494 comm="mimedefang.pl" name="clamd.sock" dev=tmpfs ino=740848 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1321121780.780:3544): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=2bf8a90 a2=6e a3=0 items=0 ppid=28493 pid=28494 auid=4294967295 uid=491 gid=478 euid=491 suid=491 fsuid=491 egid=478 sgid=478 fsgid=478 tty=(none) ses=4294967295 comm="mimedefang.pl" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null)
```