Bug 1199339 - pyzor called by spamassassin can't access /etc/pyzor
Summary: pyzor called by spamassassin can't access /etc/pyzor
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-03-06 01:29 UTC by Jason Tibbitts
Modified: 2015-03-31 21:46 UTC (History)

Fixed In Version: selinux-policy-3.13.1-105.9.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-31 21:46:41 UTC
Type: Bug
Embargoed:



Description Jason Tibbitts 2015-03-06 01:29:59 UTC
I recently started doing some maintenance on the pyzor package, which is (most often) called by spamassassin as part of its usual spam checks.  The existing policy has a directory set aside for pyzor:

/etc/pyzor(/.*)?      all files        system_u:object_r:spamd_etc_t:s0

but pyzor when called by spamassassin can't access that directory:

type=AVC msg=audit(1425604453.271:35249): avc:  denied  { getattr } for  pid=7696 comm="pyzor" path="/etc/pyzor" dev="dm-0" ino=145303 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_etc_t:s0 tclass=dir permissive=0

Took me ages to figure out why pyzor wasn't finding its directory because that denial appears to be dontaudit'ed and I'm not quite sure why.

Am I misunderstanding the function of spamd_etc_t?  I can see that spamd_t is allowed to look there, and spamassassin does run as spamd_t, but I guess it transitions to spamc_t before it calls pyzor.

Also, if this is indeed a policy issue, is there a simple workaround?

Thanks.
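
Added example, not part of the original report or of the selinux-policy project: a small parser that decodes the AVC record quoted above into source domain, target type, class and permissions, and renders the raw type-enforcement rule the denial corresponds to, in the style audit2allow prints. The function names parse_avc and as_allow_rule are hypothetical, and the rule shown is derived only from the one logged denial, not taken from the policy change that closed this bug.

```python
import re

# The denial from the report above, copied verbatim.
AVC = ('type=AVC msg=audit(1425604453.271:35249): avc:  denied  { getattr } for  '
       'pid=7696 comm="pyzor" path="/etc/pyzor" dev="dm-0" ino=145303 '
       'scontext=system_u:system_r:spamc_t:s0 '
       'tcontext=system_u:object_r:spamd_etc_t:s0 tclass=dir permissive=0')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
    }
    # A context is user:role:type:level; the level may itself contain colons
    # (MCS categories), so split at most three times and take the third field.
    for key in ('scontext', 'tcontext'):
        parts = fields.get(key, '').split(':', 3)
        rec[key[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec


def as_allow_rule(rec):
    """Render the type-enforcement rule that would permit the recorded access."""
    perms = rec['perms']
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {body};"


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(f"{rec['comm']} in {rec['stype']} was {rec['result']} "
          f"{rec['perms']} on {rec['path']} ({rec['ttype']}:{rec['tclass']})")
    print(as_allow_rule(rec))
```

Denials covered by dontaudit rules are not written to the audit log until those rules are disabled with `semodule -DB`; `semodule -B` rebuilds the policy with them restored.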

Comment 1 Jason Tibbitts 2015-03-06 01:35:41 UTC
Or, after more searching, maybe /etc/pyzor needs to be spamc_home_t instead of spamd_etc_t.  A quick chcon -R -t spamc_home_t /etc/pyzor appears to fix my issues, at least temporarily.

Comment 2 Daniel Walsh 2015-03-06 15:19:43 UTC
We should just allow it to read the contents.

Comment 3 Lukas Vrabec 2015-03-09 09:43:47 UTC
commit 5e10eee2f0c09a63eb5e85f148edfec28d068621
Author: Lukas Vrabec <lvrabec>
Date:   Mon Mar 9 10:43:08 2015 +0100

    Allow spamc read spamd_etc_t files. BZ(1199339).

Comment 4 Fedora Update System 2015-03-23 16:48:02 UTC
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21

Comment 5 Fedora Update System 2015-03-26 21:28:21 UTC
Package selinux-policy-3.13.1-105.9.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.9.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4492/selinux-policy-3.13.1-105.9.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-03-31 21:46:41 UTC
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

