Bug 128780 - Spamassassin does not work when SELinux is enforcing strict policy
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Blocks: FC3Target 133471 FC4Target
Reported: 2004-07-29 11:08 EDT by W. Michael Petullo
Modified: 2007-11-30 17:10 EST
Last Closed: 2005-05-20 05:33:26 EDT

Attachments:
A more complete log (5.97 KB, text/plain)
2004-08-28 11:25 EDT, W. Michael Petullo
Description W. Michael Petullo 2004-07-29 11:08:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7)
Gecko/20040625 Epiphany/1.2.6

Description of problem:
Procmail causes the following errors to be logged when it tries to
process email through spamassassin:

Jul 29 09:51:39 imp kernel: audit(1091112699.349:0): avc:  denied  {
setrlimit } for  pid=2739 exe=/usr/bin/fetchmail
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
Jul 29 09:51:43 imp kernel: audit(1091112703.800:0): avc:  denied  {
execute } for  pid=2748 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.865:0): avc:  denied  {
execute } for  pid=2752 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.877:0): avc:  denied  {
read } for  pid=2748 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.950:0): avc:  denied  {
read } for  pid=2752 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.227:0): avc:  denied  {
execute } for  pid=2755 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:44 imp kernel: audit(1091112704.259:0): avc:  denied  {
read } for  pid=2755 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file

I have configured procmail to use spamassassin by adding the following
to /etc/procmailrc:

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

Version-Release number of selected component (if applicable):
spamassassin-3.0-2.pre1

How reproducible:
Always

Steps to Reproduce:
Configure procmail to filter mail through spamassassin.
    

Actual Results:  The SELinux policy causes the execution of
spamassassin by procmail to fail.

Additional info:
Comment 1 W. Michael Petullo 2004-08-28 11:25:01 EDT
Created attachment 103205 [details]
A more complete log

This log was captured while running spamassassin and
selinux-policy-strict-1.17.4-2.
Comment 2 Justin Mason 2004-08-31 15:47:36 EDT
This looks like a bug in the SELinux policy that is blocking
reads/writes/etc., rather than a bug in Spamassassin.
Comment 3 W. Michael Petullo 2004-10-03 18:13:26 EDT
Spamassassin still does not like selinux-policy-strict as of 1.17.26-1.  
Comment 4 W. Michael Petullo 2004-10-20 22:28:26 EDT
When using selinux-policy-strict-1.17.30-2, I get:

Oct 20 21:26:12 imp kernel: audit(1098325572.691:0): avc:  denied  {
execute } for  pid=26825 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Oct 20 21:26:12 imp kernel: audit(1098325572.695:0): avc:  denied  {
read } for  pid=26825 exe=/bin/bash name=spamassassin dev=dm-0
ino=636466 scontext=root:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Comment 5 Daniel Walsh 2005-05-12 15:59:20 EDT
Fixed in selinux-policy-strict-1.23.15-5
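
Added example, not part of the bug thread or of any project's code: a small triage helper that rejoins the line-wrapped AVC denials quoted in this report and groups the denied permissions by source type, target type and object class. It assumes the kernel-log format shown above; the function names `unwrap`, `summarize` and `as_rules` are the example's own.

```python
import re
from collections import defaultdict

# Three denials copied from the report above, wrapped as the tracker shows them.
SAMPLE = """\
Jul 29 09:51:39 imp kernel: audit(1091112699.349:0): avc:  denied  {
setrlimit } for  pid=2739 exe=/usr/bin/fetchmail
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
Jul 29 09:51:43 imp kernel: audit(1091112703.800:0): avc:  denied  {
execute } for  pid=2748 exe=/usr/bin/procmail name=spamassassin
dev=dm-0 ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
Jul 29 09:51:43 imp kernel: audit(1091112703.877:0): avc:  denied  {
read } for  pid=2748 exe=/bin/bash name=spamassassin dev=dm-0
ino=636589 scontext=system_u:system_r:procmail_t
tcontext=system_u:object_r:spamassassin_exec_t tclass=file
"""

RECORD_START = re.compile(r"audit\(\d+\.\d+:\d+\): avc:")
DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.search(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for record in unwrap(text):
        m = DENIAL.search(record)
        if m:
            fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            src = fields["scontext"].split(":")[2]  # context is user:role:type
            tgt = fields["tcontext"].split(":")[2]
            denied[(src, tgt, fields["tclass"])].update(m.group(1).split())
    return dict(denied)

def as_rules(denied):
    """Render each group in allow-rule syntax for review, not for loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denied.items())]
```

The grouped output is a reading aid for the denials; the thread does not say which rules the fixed policy package actually added.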