Bug 1476911 - Dovecot pigeonhole sieve scripts can't run sa-learn
Status: NEW
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 26
Hardware / OS: Unspecified / Unspecified
Priority / Severity: unspecified / unspecified
Assigned To: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-31 15:19 EDT by Ed Marshall
Modified: 2017-07-31 15:19 EDT
Type: Bug
Regression: ---
Attachments: None
Description Ed Marshall 2017-07-31 15:19:11 EDT
Following along with Dovecot upstream's description of how to integrate SpamAssassin and Dovecot for automatic training when moving messages in and out of a spam folder:

https://wiki.dovecot.org/HowTo/AntispamWithSieve

I created a sieve script that pipes messages to a shell script which, after determining the dbpath to use, tries to invoke /usr/bin/sa-learn, which fails with an AVC when SELinux is enforcing:

Jul 31 19:05:24 mx.sfo2.do.logic.net audit[15931]: AVC avc:  denied  { getattr } for  pid=15931 comm="sa-learn.sh" path="/usr/bin/sa-learn" dev="vda1" ino=7175 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file permissive=0

The problem is, sieve can execute bin_t scripts just fine (in fact, that's all it can run), but SpamAssassin is special in that it has its own exec_t types.

I'm not sure what the right fix here is (probably a one-off exception to the dovecot policy for spamc_exec_t? are there any other magic exec types that should be included as well?), or if there even should be a fix, but this seems like a reasonable enough use-case that I figured it was worth opening a ticket for.

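The script below is an added example, not part of the bug report or of the Fedora dovecot package. It shows the one-off-exception route the reporter mentions: turning AVC lines like the one quoted above into a reviewable local policy module for dovecot_t, the way audit2allow does. The reported line is used as-is; the hostname mx.example.net, the two follow-up AVC lines and the module name dovecot_salearn are constructed for illustration, to make the practical point that getattr is only the first denial on the way to executing a file (open, read, execute and, with no domain transition, execute_no_trans normally follow), so a module built from the single reported line will not get sa-learn running.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Fedora dovecot package:
# consolidate AVC denials into a local SELinux policy module for dovecot_t,
# in the style of audit2allow, so the rules can be reviewed before loading.
# Parsing uses only awk and sort and runs offline; build_module needs the
# checkmodule / semodule_package / semodule tools and root on the mail host.

# The AVC line quoted in the report (verbatim).
REPORTED_AVC='Jul 31 19:05:24 mx.sfo2.do.logic.net audit[15931]: AVC avc:  denied  { getattr } for  pid=15931 comm="sa-learn.sh" path="/usr/bin/sa-learn" dev="vda1" ino=7175 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file permissive=0'

# Constructed (hypothetical) follow-up denials of the kind that surface once
# dovecot_t is made permissive and the message move is retried: getattr is
# only the first check, so a rule built from the reported line alone is short.
CONSTRUCTED_AVC_1='Jul 31 19:10:02 mx.example.net audit[16002]: AVC avc:  denied  { read open } for  pid=16002 comm="sa-learn.sh" path="/usr/bin/sa-learn" dev="vda1" ino=7175 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file permissive=1'
CONSTRUCTED_AVC_2='Jul 31 19:10:02 mx.example.net audit[16002]: AVC avc:  denied  { execute } for  pid=16002 comm="sa-learn.sh" path="/usr/bin/sa-learn" dev="vda1" ino=7175 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file permissive=1'

# avc_fields LINE: print one "source_type target_type class permission" record
# per permission named in a single AVC denial line.
avc_fields() {
    printf '%s\n' "$1" | awk '
    {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /[{][^}]*[}]/))          # "{ read open }" -> " read open "
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is its type
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print s, t, c, p[i]
    }'
}

# avc_to_te NAME: read AVC lines on stdin and print a policy module NAME.te
# with one allow rule per (source, target, class) carrying the union of the
# denied permissions. Lines that are not AVC denials are ignored.
avc_to_te() {
    while IFS= read -r line; do
        case $line in *"avc:"*"denied"*) avc_fields "$line" ;; esac
    done | sort -u | awk -v name="$1" '
    {
        key = $1 " " $2 ":" $3
        if (!(key in rules)) order[++n] = key
        rules[key] = rules[key] " " $4
        if (!($1 in types)) { types[$1] = 1; torder[++tn] = $1 }
        if (!($2 in types)) { types[$2] = 1; torder[++tn] = $2 }
        if (!($3 in classes)) corder[++cn] = $3
        if (!(($3, $4) in cperm)) { cperm[$3, $4] = 1; classes[$3] = classes[$3] " " $4 }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= tn; i++) printf "    type %s;\n", torder[i]
        for (i = 1; i <= cn; i++) printf "    class %s {%s };\n", corder[i], classes[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= n; i++) printf "allow %s {%s };\n", order[i], rules[order[i]]
    }'
}

# build_module NAME: compile NAME.te and load it (root). Every rule widens
# dovecot_t, so read NAME.te before running this.
build_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# Stand-alone run: print the module built from the sample lines. On the real
# host the input would instead come from the audit log after
#   semanage permissive -a dovecot_t   (revert later with: semanage permissive -d dovecot_t)
# and a test message move, e.g.
#   ausearch -m AVC -c sa-learn.sh --raw | avc_to_te dovecot_salearn > dovecot_salearn.te
printf '%s\n' "$REPORTED_AVC" "$CONSTRUCTED_AVC_1" "$CONSTRUCTED_AVC_2" | avc_to_te dovecot_salearn
```

The resulting rule lets dovecot_t execute spamc_exec_t directly, with sa-learn staying in the dovecot_t domain; that is the smallest local fix, but it is exactly the kind of exception the reporter is unsure about, and a distribution-level fix would more likely add a domain transition into spamc_t so sa-learn runs with its own policy. Either way, collect the full denial set in permissive mode first rather than iterating one AVC at a time, and expect a second round of denials once sa-learn itself starts touching the Bayes database.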