From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7) Gecko/20040625 Epiphany/1.2.6

Description of problem:
Procmail causes the following errors to be logged when it tries to process email through spamassassin:

Jul 29 09:51:39 imp kernel: audit(1091112699.349:0): avc: denied { setrlimit } for pid=2739 exe=/usr/bin/fetchmail scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
Jul 29 09:51:43 imp kernel: audit(1091112703.800:0): avc: denied { execute } for pid=2748 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.865:0): avc: denied { execute } for pid=2752 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.877:0): avc: denied { read } for pid=2748 exe=/bin/bash name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.950:0): avc: denied { read } for pid=2752 exe=/bin/bash name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.227:0): avc: denied { execute } for pid=2755 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.259:0): avc: denied { read } for pid=2755 exe=/bin/bash name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file

I have configured procmail to use spamassassin by adding the following to /etc/procmailrc:

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

Version-Release number of selected component (if applicable):
spamassassin-3.0-2.pre1

How reproducible:
Always

Steps to Reproduce:
Configure procmail to filter mail through spamassassin.

Actual Results:
The SELinux policy causes the execution of spamassassin by procmail to fail.

Additional info:
Created attachment 103205
A more complete log

This log was captured while running spamassassin and selinux-policy-strict-1.17.4-2.
This looks like a bug in the SELinux policy that is blocking reads/writes/etc., rather than a bug in Spamassassin.
Spamassassin still does not like selinux-policy-strict as of 1.17.26-1.
When using selinux-policy-strict-1.17.30-2, I get:

Oct 20 21:26:12 imp kernel: audit(1098325572.691:0): avc: denied { execute } for pid=26825 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636466 scontext=root:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Oct 20 21:26:12 imp kernel: audit(1098325572.695:0): avc: denied { read } for pid=26825 exe=/bin/bash name=spamassassin dev=dm-0 ino=636466 scontext=root:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Fixed in selinux-policy-strict-1.23.15-5
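
Added example, not part of the original bug report or of any project's code: a small Python parser for the kernel-log AVC denial format quoted in this report. It groups denials by source type, target type and object class, so the permissions the policy is missing for each domain pair can be read off in one line. The sample lines are copied from the comments above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Four denials copied from the report above (kernel-log AVC format).
SAMPLE_LOG = """\
Jul 29 09:51:39 imp kernel: audit(1091112699.349:0): avc: denied { setrlimit } for pid=2739 exe=/usr/bin/fetchmail scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
Jul 29 09:51:43 imp kernel: audit(1091112703.800:0): avc: denied { execute } for pid=2748 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.877:0): avc: denied { read } for pid=2748 exe=/bin/bash name=spamassassin dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Oct 20 21:26:12 imp kernel: audit(1098325572.691:0): avc: denied { execute } for pid=26825 exe=/usr/bin/procmail name=spamassassin dev=dm-0 ino=636466 scontext=root:system_r:procmail_t tcontext=system_u:object_r:spamassassin_exec_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def selinux_type(context):
    """Return the type from a user:role:type[:mls] context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to identify the rule
    stype, ttype = selinux_type(fields["scontext"]), selinux_type(fields["tcontext"])
    if stype is None or ttype is None:
        return None
    return {"stype": stype, "ttype": ttype, "tclass": fields["tclass"],
            "perms": m.group("perms").split(), "exe": fields.get("exe", "?")}

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["exes"].add(rec["exe"])
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (s, t, c), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} x{g['count']} via {sorted(g['exes'])}")
```

Grouping on types rather than full contexts is what makes the July and October denials collapse into one entry: the SELinux user differs (system_u versus root) but the domain pair procmail_t to spamassassin_exec_t is the same.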