1058772 – /razor-agent.log is in / once system is in enforcing mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1058772 - /razor-agent.log is in / once system is in enforcing mode

Summary: /razor-agent.log is in / once system is in enforcing mode

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.5
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-01-28 14:01 UTC by Michal Bruncko
Modified:	2015-02-26 10:49 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-25 11:25:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Michal Bruncko 2014-01-28 14:01:50 UTC

I am observing the following issue on RHEL 6.5:

Once I have installed spamassassin on SELinux-enabled server, the razor component is writing its own logs in /razor-agent.log instead of home-directory of the user which executed spamd (spamd "-H" parameter without value - root by default).

The behavior is following:

1. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H" (i.e. without defining specific home-directory) and with _enforcing_ selinux mode, razor is using /razor-agent.log as the log file.

2. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H" (i.e. without defining specific home-directory) and with _permissive_ selinux mode, razor is using /root/.razor/razor-agent.log as the log file.

3. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H /etc/mail/spamassassin/home-dir/" and with _enforcing_ selinux mode, razor is using /etc/mail/spamassassin/home-dir/.razor/razor-agent.log as the log file.
I have to use "spamd_spool_t" context for "/etc/mail/spamassassin/home-dir(/.*)".

3. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H " and with _enforcing_ selinux mode, razor is using /razor-agent.log as the log file, even if I have used "spamd_spool_t" context for "/root/.razor(/.*)". Maybe the whole "home" directory have to be writable by spamd in order to be used for other component like razor and so on. But because it is not writable (as SELinux disallows to write to /root/ for spamd, it decides to not provide homedir for components - but this is only my explanation).

Currently the most acceptable choice is to have its own spamd explicit home directory where the razor log will be included as well on selinux enforcing system. Having razor-agent.log in the "/" directory is really not desirable state.

this case is follow of existing (closed) case BZ#514979

thank you

Comment 2 Kurt Seifried 2014-10-12 15:50:31 UTC

Bumping severity as this allows for DoS of root partition which may be small (e.g. cloud system).

Comment 3 Kurt Seifried 2014-10-12 15:52:48 UTC

Also this should probably be CLOSED DUPLICATE of Bz1058772

Comment 4 Kurt Seifried 2014-10-12 16:17:49 UTC

(In reply to Kurt Seifried from comment #3)
> Also this should probably be CLOSED DUPLICATE of Bz1058772

Whoops I take that back, I meant the other way around. Bz1058772 should be closed as a duplicate of this.

Comment 6 Michal Bruncko 2015-02-25 18:23:07 UTC

Why? Issue is still in place. The only problem what I see is that I am missing AVC record in audit.log for this issue. 

1. I have removed specific home-directory from /etc/sysconfig/spamassassin (it is not defined by default neither)
2. have enforcement mode enabled on system (setenforce 1)
3. restart spamd: /etc/init.d/spamassassin restart

immediatelly after restart /razor-agent.log file was created with contents:
Feb 25 19:16:37.939288 check[30902]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:razor-agent.log

for me, selinux is preventing to use/create "razor-agent.log" in /root/.razor/ directory (as effective user for spamd is "root" by default).

this issue needs to be resolved either with:
1. adjusting existing selinux rules for /root/.razor/ directory  (hope including /root directory)
or
2. changing/set explicit home directory for spamd daemon for using different directory with correct selinux permissions

this issue is pretty reproducible as well.

Comment 7 Milos Malik 2015-02-26 09:40:55 UTC

The razor-agent.log file is created in / even if I run the reproducer in permissive mode. But following AVCs appear (they did not appear in enforcing mode):
----
type=PATH msg=audit(02/26/2015 10:35:20.307:458) : item=1 name=/root/.razor inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE 
type=PATH msg=audit(02/26/2015 10:35:20.307:458) : item=0 name=/root/ inode=131077 dev=fc:03 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT 
type=CWD msg=audit(02/26/2015 10:35:20.307:458) :  cwd=/ 
type=SYSCALL msg=audit(02/26/2015 10:35:20.307:458) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x4511f00 a1=0755 a2=0x39f9742088 a3=0x10 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc:  denied  { create } for  pid=26040 comm=spamd name=.razor scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc:  denied  { add_name } for  pid=26040 comm=spamd name=.razor scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc:  denied  { write } for  pid=26040 comm=spamd name=root dev=vda3 ino=131077 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir 
----
type=PATH msg=audit(02/26/2015 10:35:20.722:459) : item=1 name=/root/.razor/servers.discovery.lst.lock inode=341920 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE 
type=PATH msg=audit(02/26/2015 10:35:20.722:459) : item=0 name=/root/.razor/ inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT 
type=CWD msg=audit(02/26/2015 10:35:20.722:459) :  cwd=/ 
type=SYSCALL msg=audit(02/26/2015 10:35:20.722:459) : arch=x86_64 syscall=open success=yes exit=9 a0=0x451deb0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x39f971dd50 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { write open } for  pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { create } for  pid=26040 comm=spamd name=servers.discovery.lst.lock scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { add_name } for  pid=26040 comm=spamd name=servers.discovery.lst.lock scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc:  denied  { write } for  pid=26040 comm=spamd name=.razor dev=vda3 ino=344223 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:460) : arch=x86_64 syscall=ioctl success=no exit=-25(Inappropriate ioctl for device) a0=0x9 a1=0x5401 a2=0x7fffb152f350 a3=0x48 items=0 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.723:460) : avc:  denied  { ioctl } for  pid=26040 comm=spamd path=/root/.razor/servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
----
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:461) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x9 a1=0x13890a0 a2=0x13890a0 a3=0x0 items=0 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.723:461) : avc:  denied  { getattr } for  pid=26040 comm=spamd path=/root/.razor/servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
----
type=PATH msg=audit(02/26/2015 10:35:20.723:462) : item=1 name=/root/.razor/servers.discovery.lst.lock inode=341920 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=DELETE 
type=PATH msg=audit(02/26/2015 10:35:20.723:462) : item=0 name=/root/.razor/ inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT 
type=CWD msg=audit(02/26/2015 10:35:20.723:462) :  cwd=/ 
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:462) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x451df40 a1=0x13890a0 a2=0x13890a0 a3=0x28 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 10:35:20.723:462) : avc:  denied  { unlink } for  pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file 
type=AVC msg=audit(02/26/2015 10:35:20.723:462) : avc:  denied  { remove_name } for  pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir 
----

Comment 8 Michal Bruncko 2015-02-26 10:42:49 UTC

Yes, you're right. If /root/.razor/ directory does not exist, razor-agent.log will be created in root directory even in permissive mode. 
But once that directory exists it will be selected for storing razor-agent.log file.

Now if you remove /razor-agent.log and restart spamd daemon, file will be created in /root/.razor/ directory instead of root directory.

Comment 9 Michal Bruncko 2015-02-26 10:49:00 UTC

I see there two issues:
1. /root/.razor/ is created in permissive mode, but not used for storing razor-agent.log file after its creation (but every next restart of spamd daemon new directory /root/.razor/ will be used for storing razor-agent.log file in permissive mode). 
2. In enforcing selinux mode, /root/.razor/ directory will not be created and thus file razor-agent.log will be always stored in root directory instead.

Summary:
First issue is caused by razor part of spamassasin package (perl-Razor-Agent-2.85-6.el6.x86_64 package?)
Second issue is caused by selinux restrictions.

Note You need to log in before you can comment on or make changes to this bug.