Bug 1823061 - pyzor wants to access /proc/net/unix
Summary: pyzor wants to access /proc/net/unix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-04-11 09:55 UTC by Laurent Jacquot
Modified: 2020-06-05 02:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-05 02:40:03 UTC
Type: Bug
Embargoed:



Description Laurent Jacquot 2020-04-11 09:55:46 UTC
This is f31 fully updated

The package pyzor, used for checking mails to avoid spam, wants to access /proc/net when used from procmail:

# grep spamc /etc/procmailrc 
| /usr/bin/spamc -u $USER -d 127.0.0.1 -p 783

spamassassin is configured to use pyzor:
# grep pyzor /etc/mail/spamassassin/local.cf 
use_pyzor 1
pyzor_timeout 20

# grep Pyzor /etc/mail/spamassassin/v310.pre 
loadplugin Mail::SpamAssassin::Plugin::Pyzor

but then each time a mail is checked there is this avc:
# ausearch -m avc -su spamc_t -ts 07/04/2020 |tail -1
type=AVC msg=audit(1586353691.120:6538): avc:  denied  { read } for  pid=343477 comm="pyzor" name="unix" dev="proc" ino=4026532056 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0

# ll -i /proc/net/unix 
4026532056 -r--r--r--. 1 root root 0 11 avril 11:52 /proc/net/unix

This custom module stops those AVCs, but maybe a dontaudit rule is better?

# cat selinux/localSpam.te

require {
	type proc_net_t;
	type spamc_t;
	class file read;
}

#============= spamc_t ==============
allow spamc_t proc_net_t:file read;

regards
Laurent Jacquot
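
A small generator for the kind of local module shown in the description, added here as an example (it is not the reporter's module nor Fedora policy code): it parses AVC records like the one quoted above into a .te module with allow rules, or with dontaudit rules for the alternative the reporter asks about. The first sample AVC line is the one from the report; the second (a dir search denial) is constructed for illustration.

```python
import re

# Constructed sample input: the AVC from the report plus one made-up denial
# on a different object class, so the generator has to group by class.
SAMPLE_AVCS = """\
type=AVC msg=audit(1586353691.120:6538): avc:  denied  { read } for  pid=343477 comm="pyzor" name="unix" dev="proc" ino=4026532056 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586353700.001:6540): avc:  denied  { search } for  pid=343480 comm="pyzor" name="net" dev="proc" ino=4026532055 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir permissive=0
"""

# Pull the permission set, source domain, target type and object class out of
# one AVC record; the user/role parts of the contexts are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+ .*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+ .*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avcs(text):
    """Return {(source_domain, target_type, class): set(permissions)}."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["sdom"], m["ttype"], m["tclass"])
            rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def render_module(name, rules, dontaudit=False):
    """Emit .te source. dontaudit=True only silences the log entry; the
    access is still denied, so pyzor would keep failing with that form."""
    kw = "dontaudit" if dontaudit else "allow"
    types = sorted({t for k in rules for t in (k[0], k[1])})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (sdom, ttype, cls), perms in sorted(rules.items()):
        out.append(f"{kw} {sdom} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("localSpam", parse_avcs(SAMPLE_AVCS)))
    print(render_module("localSpamQuiet", parse_avcs(SAMPLE_AVCS), dontaudit=True))
```

The output is ordinary .te source that goes through checkmodule -M -m, semodule_package and semodule -i like the reporter's module.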

Comment 1 Zdenek Pytela 2020-04-16 10:32:00 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/235

Comment 2 Lukas Vrabec 2020-04-16 10:41:55 UTC
commit 14d69bd0bab57b057a1cb94fcf150fdeee0c98c4 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Thu Apr 16 12:27:10 2020 +0200

    Allow spamc_t domain to read network state
    
    Resolves: rhbz#1823061


Backported to F32 and F31.

Comment 3 Fedora Update System 2020-05-20 13:47:40 UTC
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

Comment 4 Fedora Update System 2020-05-21 04:16:18 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-06-05 02:40:03 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

