Bug 172088 - (selinux) problems when invoquing spamassassin from procmail
(selinux) problems when invoquing spamassassin from procmail
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: SELinux
: 176902 (view as bug list)
Depends On:
Blocks: FC5Target
  Show dependency treegraph
 
Reported: 2005-10-31 04:34 EST by Nicolas Mailhot
Modified: 2007-11-30 17:11 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-21 18:31:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
new audit.log after the jumbo gcc4.1 rawhide updates (2.09 KB, application/x-bzip2)
2006-02-16 02:21 EST, Nicolas Mailhot
no flags Details
real new audit.log (sorry about the previous mistake) (3.14 KB, application/x-bzip2)
2006-02-16 02:36 EST, Nicolas Mailhot
no flags Details
audit.log for selinux-policy-targeted-2.2.15-4 (1.89 KB, application/x-bzip2)
2006-02-16 14:53 EST, Nicolas Mailhot
no flags Details

  None (edit)
Description Nicolas Mailhot 2005-10-31 04:34:24 EST
Description of problem:

Like many people I have the following block in my .procmailrc

:0fw: .spamc.lock
* < 256000
| spamc


Unfortunately it seems the default selinux policy blocks this action


type=CWD msg=audit(1130749836.551:3779):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749836.551:3779): item=0 name="/usr/bin/spamc"
flags=1  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.979:3780): avc:  denied  { execute } for
pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.979:3780): arch=c000003e syscall=59
success=no exit=-13 a0=51c1d1 a1=51c170 a2=51bfc0 a3=51c1d1 items=1
pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
type=CWD msg=audit(1130749839.979:3780):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc"
flags=101  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.983:3781): avc:  denied  { getattr } for
pid=11852 comm="sh" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=filetype=SYSCALL
msg=audit(1130749839.983:3781): arch=c000003e syscall=4 success=no
exit=-13 a0=6bf780 a1=7fffffefb5c0 a2=7fffffefb5c0 a3=2 items=1
pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1130749839.983:3781):  path="/usr/bin/spamc"
type=CWD msg=audit(1130749839.983:3781):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.983:3781): item=0 name="/usr/bin/spamc"
flags=1  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.27.2-10
libselinux-1.27.17-1
procmail-3.22-16
postfix-2.2.5-1
spamassassin-3.1.0-1.fc5


How reproducible:
Always


Steps to Reproduce:
1. add the block to your .procmailrc
2. configure your MTA to pipe mail through procmail
3. switch to enforcing mode
4. receive some mail


Additional info:

This was also reported on the fedora selinux ML
Comment 1 Nicolas Mailhot 2005-10-31 04:40:10 EST
postfix + procmail + spamassassin -> CCing Thomas Woerner, Peter Vrabec, Brock
Organ, Warren Togami
Comment 2 Warren Togami 2005-10-31 10:26:47 EST
It would be important to fix this, because procmail is a popular way of invoking
spamassassin during delivery.
Comment 3 Nicolas Mailhot 2005-11-01 10:21:16 EST
Seems fixed in selinux-policy-targeted-1.27.2-11

Thanks a lot Daniel!
Comment 4 Nicolas Mailhot 2005-11-05 04:44:41 EST
After 
Comment 5 Nicolas Mailhot 2005-11-05 04:45:33 EST
After a few days and selinux updates the problem seems to be back :

type=CWD msg=audit(1131183641.607:1712):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1131183641.607:1712): item=0 name="/usr/bin/spamc" flags=101
 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131183641.611:1713): avc:  denied  { getattr } for 
pid=19310 comm="sh" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1131183641.611:1713): arch=c000003e syscall=4 success=no
exit=-13 a0=6bf790 a1=7fffffa0cb00 a2=7fffffa0cb00 a3=2 items=1 pid=19310
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1131183641.611:1713):  path="/usr/bin/spamc"
type=CWD msg=audit(1131183641.611:1713):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1131183641.611:1713): item=0 name="/usr/bin/spamc" flags=1 
inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131183642.971:1714): avc:  denied  { execute } for 
pid=19313 comm="procmail" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1131183642.971:1714): arch=c000003e syscall=59 success=no
exit=-13 a0=51c0b1 a1=51c050 a2=51bea0 a3=51c0b1 items=1 pid=19313
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 comm="procmail" exe="/usr/bin/procmail"
Comment 6 Daniel Walsh 2005-11-07 11:30:19 EST
Fixed in selinux-policy-targeted-1.27.2-16
Comment 7 Nicolas Mailhot 2005-11-12 13:30:08 EST
Well, it's not but there is some progress

With selinux-policy-targeted-1.27.2-19 I have these bits in the logs :

type=SOCKADDR msg=audit(1131820021.653:174): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1131820022.657:175): avc:  denied  { name_connect } for 
pid=4467 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1131820022.657:175): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffff9b58b0 a2=10 a3=8 items=0 pid=4467 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"

So procmail manages to invoque spamc now, which tries to connect to spamd on its
standard port (783, cf
http://spamassassin.apache.org/full/3.1.x/dist/doc/spamc.html) and is then
blocked by selinux
Comment 8 Bojan Smojver 2005-11-13 17:16:32 EST
Just a "me too" with the selinux-policy-targeted-1.27.1-2.11. Here is a snip
from the audit.log file:

-------------------------
type=AVC msg=audit(1131649834.979:6): avc:  denied  { connect } for  pid=2194 co
mm="spamd" scontext=system_u:system_r:spamd_t tcontext=system_u:system_r:spamd_t
 tclass=tcp_socket
type=SYSCALL msg=audit(1131649834.979:6): arch=40000003 syscall=102 success=no e
xit=-13 a0=3 a1=bfe981d0 a2=1252cb8 a3=6 items=0 pid=2194 auid=4294967295 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/per
l"
-------------------------

I'm using this in the /etc/procmailrc:

-------------------------
# Process spam using spamassassin client for spamd
:0fw:
* < 10485760
| spamc
-------------------------
Comment 9 Nicolas Mailhot 2005-11-19 09:29:31 EST
With selinux-policy-targeted-2.0.1-2 there is a spamassassin pôlicy regression :
it can not do dns requests anymore (wasn't this fixed a few weeks ago ?)

# audit2allow < /var/log/audit/audit.log | grep spamd
allow spamd_t sbin_t:dir getattr;


type=AVC_PATH msg=audit(1132409745.363:5):  path="/sbin"
type=CWD msg=audit(1132409745.363:5):  cwd="/"
type=PATH msg=audit(1132409745.363:5): item=0 name="/sbin" flags=1 
inode=2523137 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1132409745.363:6): avc:  denied  { getattr } for  pid=2475
comm="spamd" name="sbin" dev=dm-0 ino=3342339
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sbin_t:s0
tclass=dir
type=SYSCALL msg=audit(1132409745.363:6): arch=c000003e syscall=4 success=no
exit=-13 a0=7fffffcc9380 a1=7fffffcc92d0 a2=7fffffcc92d0 a3=51a945 items=1
pid=2475 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="spamd" exe="/usr/bin/perl"


allow spamd_t port_t:udp_socket name_bind;

type=AVC msg=audit(1132409829.360:34): avc:  denied  { name_bind } for  pid=2498
comm="spamd" src=12081 scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1132409829.360:34): arch=c000003e syscall=49 success=no
exit=-13 a0=8 a1=18bc510 a2=10 a3=679720 items=0 pid=2498 auid=4294967295 uid=0
gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd"
exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1132409829.360:34): saddr=02002F31000000000000000000000000
Comment 10 Nicolas Mailhot 2005-11-19 09:36:47 EST
and spamc is still forbidden to talk to spamd

allow procmail_t spamd_port_t:tcp_socket name_connect;

Nov 19 15:36:51 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1
failed, retrying (#1 of 3): Permission denied
Nov 19 15:36:52 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1
failed, retrying (#2 of 3): Permission denied
Nov 19 15:36:53 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1
failed, retrying (#3 of 3): Permission denied
type=AVC msg=audit(1132411011.204:59): avc:  denied  { name_connect } for 
pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411011.204:59): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffffece640 a2=10 a3=22 items=0 pid=3457 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411011.204:59): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1132411012.208:60): avc:  denied  { name_connect } for 
pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411012.208:60): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffffece640 a2=10 a3=8 items=0 pid=3457 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411012.208:60): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1132411013.212:61): avc:  denied  { name_connect } for 
pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411013.212:61): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffffece640 a2=10 a3=8 items=0 pid=3457 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411013.212:61): saddr=0200030F7F0000010000000000000000

Comment 11 Nicolas Mailhot 2005-12-04 11:02:19 EST
And I'm seeing a lot of spamassassin access problems in maillog, they're not in
audit.log but probably only because it's filtered

Spamassassin can not access user conf files (~/.spamassassin/*) from procmail

This with selinux-policy-targeted-2.0.8-1
Comment 12 Dave Jones 2006-01-04 23:27:50 EST
*** Bug 176902 has been marked as a duplicate of this bug. ***
Comment 13 Daniel Walsh 2006-02-14 15:59:24 EST
So you are getting avc messages that procmail_t wants to read user_home_t?
Comment 14 Nicolas Mailhot 2006-02-14 16:11:29 EST
I see a lot of
17336:type=AVC msg=audit(1139950805.203:21026): avc:  denied  { read } for 
pid=8322 comm="spamd" name="identity" dev=dm-1 ino=5931396
scontext=user_u:system_r:spamd_t:s0-s0:c0.c255
tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file

But I need to check carefully again after the jumbo rawhide gcc 4.1 rebuild  update
Comment 15 Nicolas Mailhot 2006-02-16 02:20:27 EST
New report.
For a time after the update everything seemed fine with little or no AVCs
Just to be sure I updated again today to get the last bits, rebooted in
autorelabel, init 1, rm audit.log, init 6

This new report is after the last reboot where everything should have been
clean. Well it isn't. First hint of trouble :

$ evolution
CalDAV Eplugin starting up ...

(evolution:2562): evolution-smime-WARNING **: Failed all methods for initializin
g NSS

(evolution:2562): camel-WARNING **: Failed to initialize NSS

And then the audit.log is full of AVCs (some of them procmail-related)

I really feel there is a big problem with selinux on x86_64 - policies seem sane
 but the system *always* degenerates after a few days.
Comment 16 Nicolas Mailhot 2006-02-16 02:21:57 EST
Created attachment 124742 [details]
new audit.log after the jumbo gcc4.1 rawhide updates
Comment 17 Nicolas Mailhot 2006-02-16 02:23:50 EST
I don't have time to do a rpm -Va now, since most of the FC and FE packages
where rebuilt and reinstalled recently I expect it to give a clean result
(except for bug #177976 effects)
Comment 18 Nicolas Mailhot 2006-02-16 02:36:19 EST
Created attachment 124743 [details]
real new audit.log (sorry about the previous mistake)
Comment 19 Daniel Walsh 2006-02-16 10:10:38 EST
Going through you log I generate the following allow rules
allow fetchmail_t home_root_t:dir search;
- Fixed in tonights rawhide
allow hald_t self:capability setgid;
- Already fixed in rawhide
allow spamd_t root_t:file append;
- Where is this file?  Seems like a potential labeleing problem
allow spamd_t user_home_t:lnk_file read;
- Already fixed in rawhide
allow unconfined_t self:process execstack;
- Working on fix the nss libraries to remove this requirement
Comment 20 Nicolas Mailhot 2006-02-16 11:49:08 EST
(In reply to comment #19)

> allow spamd_t root_t:file append;
> - Where is this file?  Seems like a potential labeleing problem

The only append denial I have is

4:type=AVC msg=audit(1140073978.634:5): avc:  denied  { append } for  pid=2065
comm="spamd" name="razor-agent.log" dev=dm-0 ino=1168
scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file

[root@rousalka nim]# locate razor-agent.log
/razor-agent.log
/home/nim/.razor/razor-agent.log
/root/.razor/razor-agent.log
/var/spool/amavisd/.razor/razor-agent.log

it's the razor logfile
Comment 21 Nicolas Mailhot 2006-02-16 14:49:00 EST
With selinux-policy-targeted-2.2.15-4 :

1. there are still many procmail+spamd problems :

Feb 16 20:48:31 rousalka spamd[2182]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 52169
Feb 16 20:48:31 rousalka spamd[2182]: spamd: setuid to nim succeeded
Feb 16 20:48:31 rousalka spamd[2182]: spamd: creating default_prefs:
/home/nim/.spamassassin/user_prefs
Feb 16 20:48:31 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:31 rousalka spamd[2182]: config: cannot write to
/home/nim/.spamassassin/user_prefs: Permission non accordée
Feb 16 20:48:31 rousalka spamd[2182]: spamd: failed to create readable
default_prefs: /home/nim/.spamassassin/user_prefs
Feb 16 20:48:31 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:31 rousalka spamd[2182]: spamd: processing message
<200602161935.k1GJZNfk016466@www.beta.redhat.com> for nim:500
Feb 16 20:48:35 rousalka spamd[2182]: internal error
Feb 16 20:48:35 rousalka spamd[2182]: pyzor: check failed: internal error
Feb 16 20:48:35 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:35 rousalka spamd[2182]: locker: safe_lock: cannot create tmp
lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2182
for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Feb 16 20:48:35 rousalka spamd[2182]: auto-whitelist: open of auto-whitelist
file failed: locker: safe_lock: cannot create tmp lockfile
/home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2182 for
/home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Feb 16 20:48:35 rousalka spamd[2182]: Can't call method "finish" on an undefined
value at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/AWL.pm line 397.
Feb 16 20:48:35 rousalka spamd[2182]: spamd: clean message (2.9/5.0) for nim:500
in 3.9 seconds, 5482 bytes.

2. rpm -Va is affected too

# rpm -Va > /tmp/rpm.log
prelink: /usr/bin/tiffgt: Could not parse `/usr/bin/tiffgt: error while loading
shared libraries: libGL.so.1: cannot enable executable stack as shared object
requires: Permission denied'
prelink: /usr/bin/tiffgt: at least one of file's dependencies has changed since
prelinking
prelink: /usr/bin/eu-nm: Could not parse `/usr/bin/eu-nm: error while loading
shared libraries: /usr/bin/eu-nm: cannot enable executable stack as shared
object requires: Permission denied'
prelink: /usr/bin/eu-nm: at least one of file's dependencies has changed since
prelinking
prelink: /usr/lib64/libglut.so.3.8.0: Could not parse
`/usr/lib64/libglut.so.3.8.0: error while loading shared libraries: libGL.so.1:
cannot enable executable stack as shared object requires: Permission denied'
Comment 22 Nicolas Mailhot 2006-02-16 14:53:45 EST
Created attachment 124780 [details]
audit.log for selinux-policy-targeted-2.2.15-4
Comment 23 Daniel Walsh 2006-02-21 18:31:48 EST
You should not have spamd writing files to /.  If you want this you will need to
write your own policy modules using

audit2allow -M spamd -i /var/log/audit/audit.log

Note You need to log in before you can comment on or make changes to this bug.