Bug 1059727 - spamassassin service triggers AVCs when pyzor package is installed
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2014-01-30 13:37 UTC by Milos Malik
Modified: 2015-03-05 10:37 UTC (History)

Fixed In Version: setroubleshoot-3.2.17-3.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:37:27 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2015:0458 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2015-03-05 15:17:00 UTC

Description Milos Malik 2014-01-30 13:37:43 UTC
Description of problem:
 * if you install pyzor package then AVCs will be triggered by each "service spamassassin restart"
 * if you remove pyzor package then "service spamassassin restart" will not trigger any AVC

Version-Release number of selected component (if applicable):
pyzor-0.5.0-8.fc19.noarch
selinux-policy-3.12.1-122.el7.noarch
selinux-policy-devel-3.12.1-122.el7.noarch
selinux-policy-doc-3.12.1-122.el7.noarch
selinux-policy-minimum-3.12.1-122.el7.noarch
selinux-policy-mls-3.12.1-122.el7.noarch
selinux-policy-sandbox-3.12.1-122.el7.noarch
selinux-policy-targeted-3.12.1-122.el7.noarch
spamassassin-3.3.2-17.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# yum install pyzor (from a Fedora repo or using a koji URL)
# service spamassassin status
Redirecting to /bin/systemctl status  spamassassin.service
spamassassin.service - Spamassassin daemon
   Loaded: loaded (/usr/lib/systemd/system/spamassassin.service; disabled)
   Active: inactive (dead)

Jan 30 14:22:40 rhel70.localdomain spamd[27441]: spamd: server started on po...)
Jan 30 14:22:40 rhel70.localdomain spamd[27441]: spamd: server pid: 27441
Jan 30 14:22:40 rhel70.localdomain spamd[27441]: spamd: server successfully ...5
Jan 30 14:22:40 rhel70.localdomain systemd[1]: Started Spamassassin daemon.
Jan 30 14:22:40 rhel70.localdomain spamd[27441]: spamd: server successfully ...6
Jan 30 14:22:41 rhel70.localdomain spamd[27441]: prefork: child states: IS
Jan 30 14:22:41 rhel70.localdomain spamd[27441]: prefork: child states: II
Jan 30 14:29:19 rhel70.localdomain systemd[1]: Stopping Spamassassin daemon...
Jan 30 14:29:19 rhel70.localdomain spamd[27441]: spamd: server killed by SIG...n
Jan 30 14:29:19 rhel70.localdomain systemd[1]: Stopped Spamassassin daemon.
Hint: Some lines were ellipsized, use -l to show in full.
# service spamassassin start
Redirecting to /bin/systemctl start  spamassassin.service
# service spamassassin status
Redirecting to /bin/systemctl status  spamassassin.service
spamassassin.service - Spamassassin daemon
   Loaded: loaded (/usr/lib/systemd/system/spamassassin.service; disabled)
   Active: active (running) since Thu 2014-01-30 14:29:27 CET; 1s ago
  Process: 28515 ExecStart=/usr/bin/spamd --pidfile /var/run/spamd.pid $SPAMDOPTIONS (code=exited, status=0/SUCCESS)
  Process: 28514 ExecStartPre=/sbin/portrelease spamd (code=exited, status=0/SUCCESS)
 Main PID: 28519 (/usr/bin/spamd )
   CGroup: /system.slice/spamassassin.service
           ├─28519 /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m5 -H
           ├─28543 spamd child
           └─28544 spamd child

Jan 30 14:29:26 rhel70.localdomain spamd[28515]: logger: removing stderr method
Jan 30 14:29:27 rhel70.localdomain spamd[28519]: spamd: server started on po...)
Jan 30 14:29:27 rhel70.localdomain spamd[28519]: spamd: server pid: 28519
Jan 30 14:29:27 rhel70.localdomain spamd[28519]: spamd: server successfully ...3
Jan 30 14:29:27 rhel70.localdomain systemd[1]: Started Spamassassin daemon.
Jan 30 14:29:27 rhel70.localdomain spamd[28519]: spamd: server successfully ...4
Jan 30 14:29:27 rhel70.localdomain spamd[28519]: prefork: child states: IS
Jan 30 14:29:27 rhel70.localdomain spamd[28519]: prefork: child states: II
Hint: Some lines were ellipsized, use -l to show in full.
#

Actual results (enforcing mode):
----
type=PATH msg=audit(01/30/2014 14:22:40.357:1142) : item=0 name=/sbin/ldconfig inode=17614809 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ldconfig_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/30/2014 14:22:40.357:1142) :  cwd=/ 
type=SYSCALL msg=audit(01/30/2014 14:22:40.357:1142) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x1ae9b60 a1=0x1ae9c60 a2=0x1ae8c20 a3=0x0 items=1 ppid=27443 pid=27444 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:spamc_t:s0 key=(null) 
type=AVC msg=audit(01/30/2014 14:22:40.357:1142) : avc:  denied  { execute } for  pid=27444 comm=sh name=ldconfig dev="vda3" ino=17614809 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file 
----
type=PATH msg=audit(01/30/2014 14:22:40.362:1143) : item=0 name=/sbin/ldconfig inode=17614809 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ldconfig_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/30/2014 14:22:40.362:1143) :  cwd=/ 
type=SYSCALL msg=audit(01/30/2014 14:22:40.362:1143) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x1ae9b60 a1=0x7fff4670c060 a2=0x7fff4670c060 a3=0x0 items=1 ppid=27443 pid=27444 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:spamc_t:s0 key=(null) 
type=AVC msg=audit(01/30/2014 14:22:40.362:1143) : avc:  denied  { getattr } for  pid=27444 comm=sh path=/usr/sbin/ldconfig dev="vda3" ino=17614809 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file 
----
type=PATH msg=audit(01/30/2014 14:22:40.839:1148) : item=0 name=/usr/bin/rpm inode=8729134 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/30/2014 14:22:40.839:1148) :  cwd=/ 
type=SYSCALL msg=audit(01/30/2014 14:22:40.839:1148) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x11a4830 a1=0x7fff6618aed0 a2=0x7fff6618aed0 a3=0x10 items=1 ppid=27441 pid=27442 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pyzor exe=/usr/bin/python2.7 subj=system_u:system_r:spamc_t:s0 key=(null) 
type=AVC msg=audit(01/30/2014 14:22:40.839:1148) : avc:  denied  { getattr } for  pid=27442 comm=pyzor path=/usr/bin/rpm dev="vda3" ino=8729134 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file 
----

Expected results:
 * no AVCs
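
An added example for triaging the denials in the report above (not part of the bug report or of selinux-policy): it parses the three AVC lines as quoted and groups them by source type, target type and class, rendering each group in audit2allow-like form for review. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the report above, trailing spaces trimmed.
AVC_LINES = """\
type=AVC msg=audit(01/30/2014 14:22:40.357:1142) : avc:  denied  { execute } for  pid=27444 comm=sh name=ldconfig dev="vda3" ino=17614809 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(01/30/2014 14:22:40.362:1143) : avc:  denied  { getattr } for  pid=27444 comm=sh path=/usr/sbin/ldconfig dev="vda3" ino=17614809 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(01/30/2014 14:22:40.839:1148) : avc:  denied  { getattr } for  pid=27442 comm=pyzor path=/usr/bin/rpm dev="vda3" ino=8729134 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial in the interpreted format shown in the report; None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record
    # A context is user:role:type[:level]; the type is always the third field.
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec.update(stype=src[2], ttype=tgt[2], perms=m.group("perms").split())
    return rec

def summarize(text):
    """Group denials: (source type, target type, class) -> permissions and commands."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            rules[key]["perms"].update(rec["perms"])
            rules[key]["comms"].add(rec.get("comm", "?"))
    return dict(rules)

def as_allow_rules(rules):
    """Render groups in audit2allow-like syntax, for policy review rather than loading."""
    out = []
    for (s, t, c), v in sorted(rules.items()):
        perms, comms = " ".join(sorted(v["perms"])), ", ".join(sorted(v["comms"]))
        out.append(f"allow {s} {t}:{c} {{ {perms} }};  # comm: {comms}")
    return out

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(AVC_LINES))))
```

The grouping separates the two denials raised by the `sh` child against `ldconfig_exec_t` from the one raised by `pyzor` itself against `rpm_exec_t`.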

Comment 4 Miroslav Grepl 2014-09-18 13:55:32 UTC
commit 5f9f56979218039a792b56178d96a67fe22aa1c4
Author: Miroslav Grepl <mgrepl>
Date:   Thu Sep 18 15:55:04 2014 +0200

    Allow spamc_t to exec ldconfig if pyzor pkg is installed and service spamassassin restart executed.

Comment 8 errata-xmlrpc 2015-03-05 10:37:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

