Bug 191613 - policy update makes amavisd-new stop working
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Duplicates: 191584
Reported: 2006-05-13 16:42 EDT by Thomas M Steenholdt
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:06:09 EDT

Attachments
audit log from a few amavisd operations (8.38 KB, text/plain)
2006-05-15 14:27 EDT, Thomas M Steenholdt
syslog from amavisd startup (5.55 KB, text/plain)
2006-05-19 19:24 EDT, Steven Pritchard
The error messages from auditd (3.72 KB, text/plain)
2006-12-10 16:00 EST, Frank Büttner

Description Thomas M Steenholdt 2006-05-13 16:42:50 EDT
Description of problem:
On my working server, amavisd-new (from extras) suddenly, after a reboot, stopped
working. I discovered that SELinux kept it from doing much of anything:
it couldn't access its temp dir, database dir, sockets etc. The fact that this
was after a reboot has to be related to my SELinux policy having been very recently
updated.

Let me know what you need so we can get this thing fixed...

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.36-2.fc5

How reproducible:
always

Steps to Reproduce:
1. service amavisd start
2. service amavisd status
3. it's dead, check /var/log/maillog and avc denied messages
  
Actual results:
amavisd is denied access to a lot of resources

Expected results:
amavisd should be fully functional

Additional info:
I've built a semodule with the following rules, which may not be complete but
seem to do the trick for now at least. I still feel it should be fixed, though.

---
module amaviscustom 1.0;

require {
        class chr_file { ioctl read write };
        class dir { add_name create getattr read remove_name rmdir search write };
        class file { create getattr ioctl link read rename unlink write };
        class lnk_file { create read unlink };
        class sock_file write;
        class udp_socket name_bind;
        class unix_stream_socket connectto;
        class capability kill;

        type amavis_t;
        type devpts_t;
        type initrc_t;
        type port_t;
        type proc_t;
        type sysctl_kernel_t;
        type var_spool_t;
};

allow amavis_t devpts_t:chr_file { ioctl read write };
allow amavis_t initrc_t:unix_stream_socket connectto;
allow amavis_t port_t:udp_socket name_bind;
allow amavis_t proc_t:file { getattr read };
allow amavis_t proc_t:lnk_file read;
allow amavis_t sysctl_kernel_t:dir search;
allow amavis_t sysctl_kernel_t:file read;
allow amavis_t var_spool_t:dir { add_name create getattr read remove_name rmdir search write };
allow amavis_t var_spool_t:file { create getattr ioctl link read rename unlink write };
allow amavis_t var_spool_t:lnk_file { create read unlink };
allow amavis_t var_spool_t:sock_file write;
allow amavis_t self:capability kill;
---
Comment 1 Daniel Walsh 2006-05-15 12:36:15 EDT
Please attach the message log that you used to generate this policy.
Comment 2 Thomas M Steenholdt 2006-05-15 14:27:48 EDT
Created attachment 129102 [details]
audit log from a few amavisd operations

Had to recreate the log for you so although they should be the same, they could
be different - especially since the targeted policy got updated in the
meantime...

These are the operations I went through to get the log:

setenforce 0
load_policy

service amavisd restart
send a mail or two through the system
service amavisd stop

extract log since last load_policy
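The custom module in the description and the log-extraction steps in comment 2 are the two halves of the usual audit2allow workflow: collect AVC denials while the policy is permissive, then aggregate them into allow rules. The Python script below is an added example, not part of this bug, of amavisd-new, or of any Fedora tool; it reimplements that aggregation step on a few constructed AVC records (not the attached log) so the path from a denial record to a rule like the ones posted above is visible. The PIDs, inode numbers, timestamps and port in the sample records are made up.

```python
"""Derive SELinux type-enforcement (TE) rules from AVC denial records.

Added example: this mirrors the aggregation that audit2allow performs, it is
not audit2allow itself and not code from the bug report.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample records (not the attachment from this bug). The layout is
# the kernel's AVC audit format; the denials mirror rules from the custom
# module posted in the description. capability=5 is CAP_KILL.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1147724000.123:1001): avc:  denied  { write } for  pid=4321 comm="amavisd" name="clamd.sock" dev=dm-0 ino=12345 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1147724001.456:1002): avc:  denied  { create add_name } for  pid=4321 comm="amavisd" name="tmp" dev=dm-0 ino=12346 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1147724002.789:1003): avc:  denied  { search } for  pid=4321 comm="amavisd" name="tmp" dev=dm-0 ino=12346 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1147724003.012:1004): avc:  denied  { name_bind } for  pid=4321 comm="amavisd" src=34567 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1147724004.345:1005): avc:  denied  { kill } for  pid=4321 comm="amavisd" capability=5 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:amavis_t:s0 tclass=capability
type=SYSCALL msg=audit(1147724004.345:1005): arch=40000003 syscall=37 success=yes exit=0 comm="amavisd"
"""

# Matches the permission set, both security contexts and the object class of
# one AVC denial record; other record types (SYSCALL, PATH, ...) do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


class Denial(NamedTuple):
    source: str           # type of the acting domain, e.g. amavis_t
    target: str           # type of the object acted on, e.g. var_spool_t
    tclass: str           # object class, e.g. dir, sock_file, capability
    perms: Tuple[str, ...]


def context_type(context: str) -> str:
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def parse_avc_denials(log_text: str) -> List[Denial]:
    """Extract one Denial per AVC record; non-AVC audit records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append(Denial(
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            tuple(m.group("perms").split()),
        ))
    return denials


def fmt_perms(perms: Set[str]) -> str:
    """TE syntax: a single permission bare, several inside braces."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def build_module(denials: List[Denial], name: str = "amaviscustom", version: str = "1.0") -> str:
    """Aggregate denials per (source, target, class) into a loadable TE module."""
    rules: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for d in denials:
        rules[(d.source, d.target, d.tclass)].update(d.perms)

    # The require block must declare every class/permission and type used.
    classes: Dict[str, Set[str]] = defaultdict(set)
    types: Set[str] = set()
    for (src, tgt, cls), perms in rules.items():
        classes[cls].update(perms)
        types.update((src, tgt))

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"        class {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    lines.append("")
    lines += [f"        type {t};" for t in sorted(types)]
    lines += ["};", ""]
    for (src, tgt, cls) in sorted(rules):
        # A domain acting on an object of its own type is written as "self".
        target = "self" if src == tgt else tgt
        lines.append(f"allow {src} {target}:{cls} {fmt_perms(rules[(src, tgt, cls)])};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_module(parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Running it prints a module in the same shape as the one posted in the description; on a real system the equivalent is `ausearch -m avc | audit2allow -M amaviscustom` followed by `semodule -i amaviscustom.pp`. Generated rules are only as narrow as the denials that produced them, so each allow line deserves a look before loading: a rule on a generic type such as var_spool_t applies to every file with that label, not only to /var/spool/amavisd.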
Comment 3 Daniel Walsh 2006-05-15 16:38:00 EDT
What spool directory is it creating?

Is amavis going to try to run clamscan?

Comment 4 Thomas M Steenholdt 2006-05-15 16:46:17 EDT
Trying to update databases and temp folders in /var/spool/amavisd/{db,tmp}/*
communicating with a socket in /var/spool/amavisd/clamd.sock and probably more.
I guess there's a good chance that it will launch clamscan if it can't use its
more optimal preferred way, which I think is using clamd via a Perl API in some way.
Comment 5 Steven Pritchard 2006-05-19 19:22:16 EDT
amavisd tries to connect through the socket, and if that fails, it falls back to
running /usr/bin/clamscan.

amavisd also can run a *bunch* of other programs.  I'll attach a startup log for
reference.
Comment 6 Steven Pritchard 2006-05-19 19:23:07 EDT
*** Bug 191584 has been marked as a duplicate of this bug. ***
Comment 7 Steven Pritchard 2006-05-19 19:24:58 EDT
Created attachment 129658 [details]
syslog from amavisd startup
Comment 8 Daniel Walsh 2006-05-23 16:10:56 EDT
Fixed in selinux-policy-2.2.42-2.fc5
Comment 9 Thomas M Steenholdt 2006-05-24 00:07:26 EDT
I still need to add a custom semodule with the following, to make it work...

module amaviscustom 1.0;

require {
        class file getattr;
        class lnk_file read;
        class udp_socket name_bind;

        type amavis_t;
        type clamscan_exec_t;
        type port_t;
        type proc_t;
};

allow amavis_t clamscan_exec_t:file getattr;
allow amavis_t port_t:udp_socket name_bind;
allow amavis_t proc_t:lnk_file read;

Comment 10 Thomas M Steenholdt 2006-05-24 00:08:59 EDT
"work" meaning that it will be allowed to function even though clamd is not
running for whatever reason.
Comment 11 Daniel Walsh 2006-05-24 13:27:44 EDT
That is strange because selinux-policy-2.2.42-2.fc5 should have those rules.  

Dan
Comment 12 Frank Büttner 2006-12-10 16:00:16 EST
Created attachment 143252 [details]
The error messages from auditd

I have some problems when SELinux is enabled: the PID file will not be created
when /etc/init.d/clamd.amavisd starts.
I have appended the log (error.txt).
In the maillog file I found this:
Dec 10 21:58:17 homer clamd[4692]: Unix socket file /var/spool/amavisd/clamd.sock
Dec 10 21:58:17 homer clamd[4692]: Setting connection queue length to 15
Dec 10 21:58:17 homer clamd[4692]: Can't save PID in file /var/run/amavisd/clamd.pid
Comment 13 Daniel Walsh 2007-03-28 16:06:09 EDT
Closing bugs
