Description of problem:
Like many people I have the following block in my .procmailrc

:0fw: .spamc.lock
* < 256000
| spamc

Unfortunately it seems the default selinux policy blocks this

type=CWD msg=audit(1130749836.551:3779): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749836.551:3779): item=0 name="/usr/bin/spamc" flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.979:3780): avc: denied { execute } for pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.979:3780): arch=c000003e syscall=59 success=no exit=-13 a0=51c1d1 a1=51c170 a2=51bfc0 a3=51c1d1 items=1 pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
type=CWD msg=audit(1130749839.979:3780): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc" flags=101 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.983:3781): avc: denied { getattr } for pid=11852 comm="sh" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.983:3781): arch=c000003e syscall=4 success=no exit=-13 a0=6bf780 a1=7fffffefb5c0 a2=7fffffefb5c0 a3=2 items=1 pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1130749839.983:3781): path="/usr/bin/spamc"
type=CWD msg=audit(1130749839.983:3781): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.983:3781): item=0 name="/usr/bin/spamc" flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.2-10
libselinux-1.27.17-1
procmail-3.22-16
postfix-2.2.5-1
spamassassin-3.1.0-1.fc5

How reproducible:
Always

Steps to Reproduce:
1. add the block to your .procmailrc
2. configure your MTA to pipe mail through procmail
3. switch to enforcing mode
4. receive some mail

Additional info:
This was also reported on the fedora selinux ML
postfix + procmail + spamassassin -> CCing Thomas Woerner, Peter Vrabec, Brock Organ, Warren Togami
It would be important to fix this, because procmail is a popular way of invoking spamassassin during delivery.
Seems fixed in selinux-policy-targeted-1.27.2-11 Thanks a lot Daniel!
After a few days and selinux updates the problem seems to be back :

type=CWD msg=audit(1131183641.607:1712): cwd="/home/nim/.maildir"
type=PATH msg=audit(1131183641.607:1712): item=0 name="/usr/bin/spamc" flags=101 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131183641.611:1713): avc: denied { getattr } for pid=19310 comm="sh" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1131183641.611:1713): arch=c000003e syscall=4 success=no exit=-13 a0=6bf790 a1=7fffffa0cb00 a2=7fffffa0cb00 a3=2 items=1 pid=19310 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1131183641.611:1713): path="/usr/bin/spamc"
type=CWD msg=audit(1131183641.611:1713): cwd="/home/nim/.maildir"
type=PATH msg=audit(1131183641.611:1713): item=0 name="/usr/bin/spamc" flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131183642.971:1714): avc: denied { execute } for pid=19313 comm="procmail" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1131183642.971:1714): arch=c000003e syscall=59 success=no exit=-13 a0=51c0b1 a1=51c050 a2=51bea0 a3=51c0b1 items=1 pid=19313 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
Fixed in selinux-policy-targeted-1.27.2-16
Well, it's not, but there is some progress. With selinux-policy-targeted-1.27.2-19 I have these bits in the logs :

type=SOCKADDR msg=audit(1131820021.653:174): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1131820022.657:175): avc: denied { name_connect } for pid=4467 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1131820022.657:175): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffff9b58b0 a2=10 a3=8 items=0 pid=4467 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="spamc" exe="/usr/bin/spamc"

So procmail manages to invoke spamc now, which tries to connect to spamd on its standard port (783, cf http://spamassassin.apache.org/full/3.1.x/dist/doc/spamc.html) and is then blocked by selinux
Just a "me too" with the selinux-policy-targeted-1.27.1-2.11. Here is a snip from the audit.log file:

-------------------------
type=AVC msg=audit(1131649834.979:6): avc: denied { connect } for pid=2194 comm="spamd" scontext=system_u:system_r:spamd_t tcontext=system_u:system_r:spamd_t tclass=tcp_socket
type=SYSCALL msg=audit(1131649834.979:6): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe981d0 a2=1252cb8 a3=6 items=0 pid=2194 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
-------------------------

I'm using this in the /etc/procmailrc:

-------------------------
# Process spam using spamassassin client for spamd
:0fw:
* < 10485760
| spamc
-------------------------
With selinux-policy-targeted-2.0.1-2 there is a spamassassin policy regression : it can not do dns requests anymore (wasn't this fixed a few weeks ago ?)

# audit2allow < /var/log/audit/audit.log | grep spamd
allow spamd_t sbin_t:dir getattr;
type=AVC_PATH msg=audit(1132409745.363:5): path="/sbin"
type=CWD msg=audit(1132409745.363:5): cwd="/"
type=PATH msg=audit(1132409745.363:5): item=0 name="/sbin" flags=1 inode=2523137 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1132409745.363:6): avc: denied { getattr } for pid=2475 comm="spamd" name="sbin" dev=dm-0 ino=3342339 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1132409745.363:6): arch=c000003e syscall=4 success=no exit=-13 a0=7fffffcc9380 a1=7fffffcc92d0 a2=7fffffcc92d0 a3=51a945 items=1 pid=2475 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
allow spamd_t port_t:udp_socket name_bind;
type=AVC msg=audit(1132409829.360:34): avc: denied { name_bind } for pid=2498 comm="spamd" src=12081 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1132409829.360:34): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=18bc510 a2=10 a3=679720 items=0 pid=2498 auid=4294967295 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1132409829.360:34): saddr=02002F31000000000000000000000000

and spamc is still forbidden to talk to spamd

allow procmail_t spamd_port_t:tcp_socket name_connect;
Nov 19 15:36:51 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Permission denied
Nov 19 15:36:52 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Permission denied
Nov 19 15:36:53 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Permission denied
type=AVC msg=audit(1132411011.204:59): avc: denied { name_connect } for pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411011.204:59): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffffece640 a2=10 a3=22 items=0 pid=3457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411011.204:59): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1132411012.208:60): avc: denied { name_connect } for pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411012.208:60): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffffece640 a2=10 a3=8 items=0 pid=3457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411012.208:60): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1132411013.212:61): avc: denied { name_connect } for pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411013.212:61): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffffece640 a2=10 a3=8 items=0 pid=3457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411013.212:61): saddr=0200030F7F0000010000000000000000
And I'm seeing a lot of spamassassin access problems in maillog; they're not in audit.log, but probably only because it's filtered. Spamassassin can not access user conf files (~/.spamassassin/*) from procmail. This with selinux-policy-targeted-2.0.8-1
*** Bug 176902 has been marked as a duplicate of this bug. ***
So you are getting avc messages that procmail_t wants to read user_home_t?
I see a lot of

17336:type=AVC msg=audit(1139950805.203:21026): avc: denied { read } for pid=8322 comm="spamd" name="identity" dev=dm-1 ino=5931396 scontext=user_u:system_r:spamd_t:s0-s0:c0.c255 tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file

But I need to check carefully again after the jumbo rawhide gcc 4.1 rebuild update
New report. For a time after the update everything seemed fine with little or no AVCs. Just to be sure I updated again today to get the last bits, rebooted in autorelabel, init 1, rm audit.log, init 6. This new report is after the last reboot where everything should have been clean. Well it isn't.

First hint of trouble :

$ evolution
CalDAV Eplugin starting up ...
(evolution:2562): evolution-smime-WARNING **: Failed all methods for initializing NSS
(evolution:2562): camel-WARNING **: Failed to initialize NSS

And then the audit.log is full of AVCs (some of them procmail-related). I really feel there is a big problem with selinux on x86_64 - policies seem sane but the system *always* degenerates after a few days.
Created attachment 124742 [details] new audit.log after the jumbo gcc4.1 rawhide updates
I don't have time to do a rpm -Va now; since most of the FC and FE packages were rebuilt and reinstalled recently I expect it to give a clean result (except for bug #177976 effects)
Created attachment 124743 [details] real new audit.log (sorry about the previous mistake)
Going through your log I generate the following allow rules

allow fetchmail_t home_root_t:dir search;
- Fixed in tonight's rawhide

allow hald_t self:capability setgid;
- Already fixed in rawhide

allow spamd_t root_t:file append;
- Where is this file? Seems like a potential labeling problem

allow spamd_t user_home_t:lnk_file read;
- Already fixed in rawhide

allow unconfined_t self:process execstack;
- Working on fix the nss libraries to remove this requirement
(In reply to comment #19)
> allow spamd_t root_t:file append;
> - Where is this file? Seems like a potential labeleing problem

The only append denial I have is

4:type=AVC msg=audit(1140073978.634:5): avc: denied { append } for pid=2065 comm="spamd" name="razor-agent.log" dev=dm-0 ino=1168 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file

[root@rousalka nim]# locate razor-agent.log
/razor-agent.log
/home/nim/.razor/razor-agent.log
/root/.razor/razor-agent.log
/var/spool/amavisd/.razor/razor-agent.log

it's the razor logfile
With selinux-policy-targeted-2.2.15-4 :

1. there are still many procmail+spamd problems :

Feb 16 20:48:31 rousalka spamd[2182]: spamd: connection from localhost.localdomain [127.0.0.1] at port 52169
Feb 16 20:48:31 rousalka spamd[2182]: spamd: setuid to nim succeeded
Feb 16 20:48:31 rousalka spamd[2182]: spamd: creating default_prefs: /home/nim/.spamassassin/user_prefs
Feb 16 20:48:31 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:31 rousalka spamd[2182]: config: cannot write to /home/nim/.spamassassin/user_prefs: Permission non accordée
Feb 16 20:48:31 rousalka spamd[2182]: spamd: failed to create readable default_prefs: /home/nim/.spamassassin/user_prefs
Feb 16 20:48:31 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:31 rousalka spamd[2182]: spamd: processing message <200602161935.k1GJZNfk016466.redhat.com> for nim:500
Feb 16 20:48:35 rousalka spamd[2182]: internal error
Feb 16 20:48:35 rousalka spamd[2182]: pyzor: check failed: internal error
Feb 16 20:48:35 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:35 rousalka spamd[2182]: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2182 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Feb 16 20:48:35 rousalka spamd[2182]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2182 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Feb 16 20:48:35 rousalka spamd[2182]: Can't call method "finish" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/AWL.pm line 397.
Feb 16 20:48:35 rousalka spamd[2182]: spamd: clean message (2.9/5.0) for nim:500 in 3.9 seconds, 5482 bytes.

2. rpm -Va is affected too

# rpm -Va > /tmp/rpm.log
prelink: /usr/bin/tiffgt: Could not parse `/usr/bin/tiffgt: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied'
prelink: /usr/bin/tiffgt: at least one of file's dependencies has changed since prelinking
prelink: /usr/bin/eu-nm: Could not parse `/usr/bin/eu-nm: error while loading shared libraries: /usr/bin/eu-nm: cannot enable executable stack as shared object requires: Permission denied'
prelink: /usr/bin/eu-nm: at least one of file's dependencies has changed since prelinking
prelink: /usr/lib64/libglut.so.3.8.0: Could not parse `/usr/lib64/libglut.so.3.8.0: error while loading shared libraries: libGL.so.1: cannot enable executable stack as shared object requires: Permission denied'
Created attachment 124780 [details] audit.log for selinux-policy-targeted-2.2.15-4
You should not have spamd writing files to /. If you want this you will need to write your own policy modules using audit2allow -M spamd -i /var/log/audit/audit.log
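As an added illustration of the triage this thread does by hand (not code from the bug report, the selinux-policy project or the audit2allow tool), the script below parses AVC denial records of the shape pasted above, groups them into audit2allow-style allow rules, and flags rules whose target is a generic type such as root_t, which comment 22 treats as a labeling problem to fix rather than an access to grant. The sample records are constructed in the form of this bug's excerpts; the GENERIC_TYPES list is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample records, shaped like the audit.log excerpts in this bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1131183642.971:1714): avc:  denied  { execute } for  pid=19313 comm="procmail" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1131183641.611:1713): avc:  denied  { getattr } for  pid=19310 comm="sh" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1132411011.204:59): avc:  denied  { name_connect } for  pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1140073978.634:5): avc:  denied  { append } for  pid=2065 comm="spamd" name="razor-agent.log" dev=dm-0 ino=1168 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1140073978.634:5): arch=c000003e syscall=4 success=no exit=-13
"""

# Matches the denied permission set and the three fields a rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed list: target types so generic that a denial against them usually
# means the object is mislabeled, not that the domain should be given access.
GENERIC_TYPES = {"root_t", "default_t", "unlabeled_t", "file_t"}

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def parse_avcs(text):
    """Return (source_type, target_type, tclass, perm) tuples from AVC records."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and SOCKADDR records carry no denial
        for perm in m.group("perms").split():
            found.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                          m.group("tclass"), perm))
    return found

def allow_rules(text):
    """Group denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avcs(text):
        grouped[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype in GENERIC_TYPES:
            rule += "  # suspicious: generic target type, check file labels first"
        rules.append(rule)
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

Run against a real /var/log/audit/audit.log, any rule carrying the "suspicious" marker is the one to investigate with restorecon or a relabel before considering a custom module.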