Bug 128780 - Spamassassin does not work when SELinux is enforcing strict policy
Summary: Spamassassin does not work when SELinux is enforcing strict policy
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: FC3Target 133471 FC4Target
TreeView+ depends on / blocked
 
Reported: 2004-07-29 15:08 UTC by W. Michael Petullo
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-05-20 09:33:26 UTC


Attachments (Terms of Use)
A more complete log (5.97 KB, text/plain)
2004-08-28 15:25 UTC, W. Michael Petullo
no flags Details

Description W. Michael Petullo 2004-07-29 15:08:38 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7)
Gecko/20040625 Epiphany/1.2.6

Description of problem:
Procmail causes the following errors to be logged when it tries to
process email through spamassassin:

Jul 29 09:51:39 imp kernel: audit(1091112699.349:0): avc:  denied  {
setrlimit } for  pid=2739 exe=/usr/bin/fetchmail
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
Jul 29 09:51:43 imp kernel: audit(1091112703.800:0): avc:  denied  {
execute } for  pid=2748 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.865:0): avc:  denied  {
execute } for  pid=2752 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.877:0): avc:  denied  {
read } for  pid=2748 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.950:0): avc:  denied  {
read } for  pid=2752 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.227:0): avc:  denied  {
execute } for  pid=2755 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.259:0): avc:  denied  {
read } for  pid=2755 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file

I have configured procmail to use spamassassin by adding the following
to /etc/procmailrc:

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

Version-Release number of selected component (if applicable):
spamassassin-3.0-2.pre1

How reproducible:
Always

Steps to Reproduce:
Configure procmail to filter mail through spamassassin.
    

Actual Results:  The SELinux policy causes the execution of
spamassassin by procmail to fail.

Additional info:

Comment 1 W. Michael Petullo 2004-08-28 15:25:01 UTC
Created attachment 103205 [details]
A more complete log

This log was captured while running spamassassin and
selinux-policy-strict-1.17.4-2.

Comment 2 Justin Mason 2004-08-31 19:47:36 UTC
this looks like a bug in the SELinux policy that is blocking
reads/writes/etc., rather than a bug in Spamassassin.

Comment 3 W. Michael Petullo 2004-10-03 22:13:26 UTC
Spamassassin still does not like selinux-policy-strict as of 1.17.26-1.  

Comment 4 W. Michael Petullo 2004-10-21 02:28:26 UTC
When using selinux-policy-strict-1.17.30-2, I get:

Oct 20 21:26:12 imp kernel: audit(1098325572.691:0): avc:  denied  {
execute } for  pid=26825 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Oct 20 21:26:12 imp kernel: audit(1098325572.695:0): avc:  denied  {
read } for  pid=26825 exe=/bin/bash name=spamassassin dev=dm-0
ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file

Comment 5 Daniel Walsh 2005-05-12 19:59:20 UTC
Fixed in selinux-policy-strict-1.23.15-5


Note You need to log in before you can comment on or make changes to this bug.