Bug 1414366 - avc: denied { search } for pid=3096 comm="spamassassin" name=".maildir" dev="dm-13" ino=13107213 scontext=system_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0
Summary: avc: denied { search } for pid=3096 comm="spamassassin" name=".maildir" de...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-18 10:47 UTC by Dan Callaghan
Modified: 2017-12-19 21:33 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.13.1-260.17.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-19 21:33:09 UTC
Type: Bug


Attachments (Terms of Use)

Description Dan Callaghan 2017-01-18 10:47:08 UTC
Description of problem:
spamassassin crashes due to SELinux denials when it's invoked through procmail.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-225.6.fc25.noarch
spamassassin-3.4.1-9.fc25.x86_64
procmail-3.22-39.fc24.x86_64
postfix-2:3.1.4-1.fc25.x86_64

How reproducible:
maybe not that easily...

Steps to Reproduce:
1. In /etc/postfix/main.cfg set: mailbox_command = /usr/bin/procmail
2. In ~/.procmailrc add a rule to filter through spamassassin:
:0 f
| /usr/bin/spamassassin
3. Receive a mail
(Note that there might be simpler ways to get spamassassin inside spamc_t than doing steps 1 and 2 above, not sure. Obviously the denial does not reproduce when spamassassin is invoked directly from unconfined_t.)

Actual results:
spamassassin crashes with many "Permission denied" errors, and then the mail is lost (written as 0 bytes).

Jan 18 20:09:30.450 [3096] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 43) line 1.
Jan 18 20:09:30.451 [3096] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AWL.pm: lib/Mail/SpamAssassin/Plugin/AWL.pm: Permission denied at (eval 44) line 1.
[...]
Can't locate Mail/SpamAssassin/Bayes.pm:   lib/Mail/SpamAssassin/Bayes.pm: Permission denied at /usr/share/perl5/vendor_perl/Mail/SpamAssassin.pm line 1772. at /usr/bin/spamassassin line 410.

Expected results:
spamassassin should run successfully.

Additional info:
If I do semodule -DB to turn off dontaudit rules, audit.log shows many identical denials like this, which I assume are the cause:

type=AVC msg=audit(1484734170.395:476): avc:  denied  { search } for  pid=3096 comm="spamassassin" name=".maildir" dev="dm-13" ino=13107213 scontext=system_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0

Note that this seems to be a regression from F23->F25. The identical configuration worked on F23, specifically with the following packages:
selinux-policy-3.13.1-158.24.fc23.noarch
procmail-3.22-38.fc23.x86_64
postfix-2:3.0.7-1.fc23.x86_64
spamassassin-3.4.1-6.fc23.x86_64

Comment 1 Fedora End Of Life 2017-11-16 18:35:43 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 2 Dan Callaghan 2017-11-20 05:57:57 UTC
Still happens with selinux-policy-targeted-3.13.1-260.13.fc26.noarch.

Comment 3 Fedora Update System 2017-11-21 16:21:37 UTC
selinux-policy-3.13.1-260.17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7

Comment 4 Fedora Update System 2017-11-21 16:23:39 UTC
selinux-policy-3.13.1-260.17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7

Comment 5 Fedora Update System 2017-11-22 11:08:13 UTC
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7

Comment 6 Fedora Update System 2017-12-19 21:33:09 UTC
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.