Bug 856536

Summary: AVCs when running spamassassin test with disabled unconfined and unlabelednet
Product: Red Hat Enterprise Linux 6
Reporter: Michal Trunecka <mtruneck>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED NEXTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: unspecified
Version: 6.4
CC: dwalsh, mgrepl, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-02-25 10:45:55 UTC

Description Michal Trunecka 2012-09-12 09:19:38 UTC
Description of problem:
AVC was reported during spamassassin automation test with unconfined and unlabelednet selinux modules disabled. The test passes when both modules are enabled. 

AVC reported in permissive mode:
----
time->Wed Sep 12 11:12:32 2012
type=PATH msg=audit(1347441152.567:6485): item=1 name="razor-agent.log" inode=162576 dev=08:03 mode=0100600 ouid=504 ogid=505 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=PATH msg=audit(1347441152.567:6485): item=0 name="/home/user32413/mail" inode=159905 dev=08:03 mode=040775 ouid=504 ogid=505 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1347441152.567:6485):  cwd="/home/user32413/mail"
type=SYSCALL msg=audit(1347441152.567:6485): arch=c000003e syscall=2 success=yes exit=4 a0=4c2dee0 a1=441 a2=1b6 a3=33ab31dbe0 items=2 ppid=851 pid=852 auid=0 uid=504 gid=505 euid=504 suid=504 fsuid=504 egid=505 sgid=505 fsgid=505 tty=(none) ses=3 comm="spamassassin" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { create } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { add_name } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { write } for  pid=852 comm="spamassassin" name="mail" dev=sda3 ino=159905 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
spamassassin-3.3.1-2.el6.x86_64
selinux-policy-3.7.19-161.el6.noarch
selinux-policy-minimum-3.7.19-161.el6.noarch
selinux-policy-targeted-3.7.19-161.el6.noarch
selinux-policy-mls-3.7.19-161.el6.noarch
selinux-policy-doc-3.7.19-161.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. Run automation test:
/CoreOS/selinux-policy/Regression/bz481387-cannot-execute-spamassassin

Actual results:
AVC is reported

Expected results:
No AVC

Comment 2 Daniel Walsh 2012-09-12 11:03:26 UTC
These AVCs have nothing to do with unconfined being disabled. What directories does spamassassin need to write in the homedir?

/root/\.pyzor(/.*)?	system_u:object_r:spamc_home_t:s0
/root/\.spamd(/.*)?	system_u:object_r:spamc_home_t:s0
/root/\.razor(/.*)?	system_u:object_r:spamc_home_t:s0
/root/\.spamassassin(/.*)?	system_u:object_r:spamc_home_t:s0


We have labels for these.  But this test looks like spamc is spewing into ~/

Comment 3 Michal Trunecka 2012-11-05 17:42:14 UTC
After the test finishes, there is a correct razor-agent.log file in the .razor directory. But when running in permissive mode, there is also a razor-agent.log file in the ~/mail directory, which causes the AVC.

It may be related to the comment in /usr/share/perl5/Razor2/Client/Agent.pm before the 'razor-agent.log' string is assigned to the logfile variable:

    # Note: we start logging before we process '-create' ,
    # so logfile will not go into a newly created razorhome

But I don't understand what exactly it means. The following code is in
/usr/share/perl5/Razor2/Logger.pm, and the $name variable holds the filename mentioned above:

        # Append to the log file named in $name (here 'razor-agent.log', relative
        # to the current directory, which is ~/mail in this test).
        open (LOGF, ">>$name") or do {
            if ($self->{DontDie}) {
                # Logging is optional: silently fall back to /dev/null, so a
                # denied open is never reported to the caller.
                open LOGF, ">>/dev/null" or do {
                    print STDERR "Failed to open /dev/null, $!\n";
                };
            } else {
                die $!;
            }
        };

That would explain why nothing happens when the access is denied.

Comment 4 Miroslav Grepl 2012-11-06 08:53:47 UTC
So the question is why there also needs to be a ~/mail dir with the razor-agent.log file.

Comment 5 RHEL Program Management 2012-12-14 08:17:36 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 10 Miroslav Grepl 2015-02-25 10:45:55 UTC
We have fixes in RHEL7 where we are able to fix it using filename transitions. It needs to be fixed by either restorecond or restorecon in RHEL6.
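As an added example (not code from this bug report or from the selinux-policy project), a Python triage script that parses the AVC records quoted above, merges the denied permissions per source type, target type and class the way audit2allow does, and emits the candidate rules, including the named file transition to spamc_home_t that comment 10 refers to. The regex over the audit record layout and the spamc_home_t target (taken from the file contexts in comment 2) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this bug plus one non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { create } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { add_name } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { write } for  pid=852 comm="spamassassin" name="mail" dev=sda3 ino=159905 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1347441152.567:6485): arch=c000003e syscall=2 success=yes exit=4 comm="spamassassin"
"""

# Layout of a kernel AVC record; assumed stable enough to match with a regex.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
NAME_RE = re.compile(r'\bname="([^"]*)"')

def parse_avcs(text):
    """One dict per AVC record; lines of other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()      # "{ add_name write }" may list several
            n = NAME_RE.search(line)
            rec["name"] = n.group(1) if n else None  # object name the process touched
            records.append(rec)
    return records

def type_of(context):
    return context.split(":")[2]  # user_u:role_r:type_t:s0 -> type_t

def summarize(records):
    """Merge denied permissions per (source type, target type, class), as audit2allow does."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            groups[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def suggest_rules(records, home_type="spamc_home_t"):
    """Allow rules plus a named file transition per file 'create' denial (comment 10's approach)."""
    lines = ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
             for (s, t, c), p in sorted(summarize(records).items())]
    for r in records:
        if r["result"] == "denied" and r["tclass"] == "file" and "create" in r["perms"] and r["name"]:
            lines.append('type_transition %s %s:file %s "%s";' % (
                type_of(r["scontext"]), type_of(r["tcontext"]), home_type, r["name"]))
    return lines
```

The allow lines are what a blanket audit2allow fix would grant; the type_transition line is the narrower alternative, which still needs the directory permissions on user_home_t unless the file is created in a spamc_home_t directory instead.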