Bug 191613 - policy update makes amavisd-new stop working
Summary: policy update makes amavisd-new stop working
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Duplicates: 191584
Depends On:
Blocks:
Reported: 2006-05-13 20:42 UTC by Thomas M Steenholdt
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2007-03-28 20:06:09 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
audit log from a few amavisd operations (8.38 KB, text/plain)
2006-05-15 18:27 UTC, Thomas M Steenholdt
syslog from amavisd startup (5.55 KB, text/plain)
2006-05-19 23:24 UTC, Steven Pritchard
The error messages from auditd (3.72 KB, text/plain)
2006-12-10 21:00 UTC, Frank Büttner

Description Thomas M Steenholdt 2006-05-13 20:42:50 UTC
Description of problem:
On my working server, amavisd-new (from extras) suddenly, after a reboot, stopped
working. I discovered that selinux kept it from doing much of anything -
couldn't access its temp dir, database dir, sockets etc... The fact that this
was after a reboot has to be related to my selinux policy having been updated
very recently.

Let me know what you need so we can get this thing fixed...

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.36-2.fc5

How reproducible:
always

Steps to Reproduce:
1. service amavisd start
2. service amavisd status
3. it's dead, check /var/log/maillog and avc denied messages
  
Actual results:
amavisd is denied access to a lot of resources

Expected results:
amavisd should be fully functional

Additional info:
I've built a semodule with the following rules, that may not be complete but
seems to do the trick for now at least. I still feel it should be fixed, though.

---
module amaviscustom 1.0;

require {
        class chr_file { ioctl read write };
        class dir { add_name create getattr read remove_name rmdir search write };
        class file { create getattr ioctl link read rename unlink write };
        class lnk_file { create read unlink };
        class sock_file write;
        class udp_socket name_bind;
        class unix_stream_socket connectto;
        class capability kill;

        type amavis_t;
        type devpts_t;
        type initrc_t;
        type port_t;
        type proc_t;
        type sysctl_kernel_t;
        type var_spool_t;
};

allow amavis_t devpts_t:chr_file { ioctl read write };
allow amavis_t initrc_t:unix_stream_socket connectto;
allow amavis_t port_t:udp_socket name_bind;
allow amavis_t proc_t:file { getattr read };
allow amavis_t proc_t:lnk_file read;
allow amavis_t sysctl_kernel_t:dir search;
allow amavis_t sysctl_kernel_t:file read;
allow amavis_t var_spool_t:dir { add_name create getattr read remove_name rmdir search write };
allow amavis_t var_spool_t:file { create getattr ioctl link read rename unlink write };
allow amavis_t var_spool_t:lnk_file { create read unlink };
allow amavis_t var_spool_t:sock_file write;
allow amavis_t self:capability kill;
---

Comment 1 Daniel Walsh 2006-05-15 16:36:15 UTC
Please attach the message log that you used to generate this policy.


Comment 2 Thomas M Steenholdt 2006-05-15 18:27:48 UTC
Created attachment 129102 [details]
audit log from a few amavisd operations

Had to recreate the log for you so although they should be the same, they could
be different - especially since the targeted policy got updated in the
meantime...

These are the operations I went through to get the log:

setenforce 0
load_policy

service amavisd restart
send a mail or two through the system
service amavisd stop

extract log since last load_policy
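
Added example (not code from this bug report, nor from the amavisd-new or selinux-policy projects): a Python script that turns the AVC denials captured after a load_policy into a local module in the same shape as the amaviscustom module in the description. The audit lines are constructed samples in the attached log's format; the cut-off timestamp and the clamd_t/var_run_t type names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (not from the attachment). The second line predates
# the cut-off and the last one belongs to a different domain, so both must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1147717700.101:201): avc:  denied  { search write add_name } for  pid=2401 comm="amavisd" name="tmp" dev=sda3 ino=9 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1147717600.050:190): avc:  denied  { read } for  pid=2390 comm="amavisd" name="meminfo" dev=proc ino=4 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1147717702.300:202): avc:  denied  { create } for  pid=2401 comm="amavisd" name="amavis-20060515T201234-02401" dev=sda3 ino=0 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1147717703.000:203): avc:  denied  { kill } for  pid=2401 comm="amavisd" capability=5 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:amavis_t:s0 tclass=capability
type=AVC msg=audit(1147717704.000:204): avc:  denied  { write } for  pid=2410 comm="clamd" name="clamd.pid" dev=sda3 ino=12 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+)\.\d+:\d+\).*?avc:\s+denied\s+\{ (?P<perms>[^}]*) \}"
    r".*?scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def collect_denials(log_text, source_type, since=0):
    """Return {(target_type, tclass): set(perms)} for denials of one source domain
    whose audit timestamp is >= since (the 'since last load_policy' cut-off)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or int(m.group("ts")) < since:
            continue
        stype = m.group("sctx").split(":")[2]   # user:role:type[:mls]
        if stype != source_type:
            continue
        ttype = m.group("tctx").split(":")[2]
        denials[(ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)

def render_module(name, source_type, denials):
    """Render loadable-module source (.te) in the shape audit2allow produces.
    Review every rule before loading it: a denial can mean a mislabelled file
    (fix the label) rather than a gap in the policy."""
    classes, types = defaultdict(set), {source_type}
    for (ttype, tclass), perms in denials.items():
        classes[tclass].update(perms)
        types.add(ttype)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += ["};", ""]
    for (ttype, tclass), perms in sorted(denials.items()):
        target = "self" if ttype == source_type else ttype   # same domain -> self
        out.append(f"allow {source_type} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```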

Comment 3 Daniel Walsh 2006-05-15 20:38:00 UTC
What spool directory is it creating?

Is amavis going to try to run clamscan?



Comment 4 Thomas M Steenholdt 2006-05-15 20:46:17 UTC
Trying to update databases and temp folders in /var/spool/amavisd/{db,tmp}/*
communicating with a socket in /var/spool/amavisd/clamd.sock and probably more.
I guess there's a good chance that it will launch clamscan, if it can't use its
more optimal preferred way, which I think is using clamd via a perl api in some way.

Comment 5 Steven Pritchard 2006-05-19 23:22:16 UTC
amavisd tries to connect through the socket, and if that fails, it falls back to
running /usr/bin/clamscan.

amavisd also can run a *bunch* of other programs.  I'll attach a startup log for
reference.

Comment 6 Steven Pritchard 2006-05-19 23:23:07 UTC
*** Bug 191584 has been marked as a duplicate of this bug. ***

Comment 7 Steven Pritchard 2006-05-19 23:24:58 UTC
Created attachment 129658 [details]
syslog from amavisd startup

Comment 8 Daniel Walsh 2006-05-23 20:10:56 UTC
Fixed in selinux-policy-2.2.42-2.fc5

Comment 9 Thomas M Steenholdt 2006-05-24 04:07:26 UTC
I still need to add a custom semodule with the following, to make it work...

module amaviscustom 1.0;

require {
        class file getattr;
        class lnk_file read;
        class udp_socket name_bind;

        type amavis_t;
        type clamscan_exec_t;
        type port_t;
        type proc_t;
};

allow amavis_t clamscan_exec_t:file getattr;
allow amavis_t port_t:udp_socket name_bind;
allow amavis_t proc_t:lnk_file read;



Comment 10 Thomas M Steenholdt 2006-05-24 04:08:59 UTC
"work" meaning that it will be allowed to function even though clamd is not
running for whatever reason.

Comment 11 Daniel Walsh 2006-05-24 17:27:44 UTC
That is strange because selinux-policy-2.2.42-2.fc5 should have those rules.  

Dan

Comment 12 Frank Büttner 2006-12-10 21:00:16 UTC
Created attachment 143252 [details]
The error messages from auditd

I have some problems when SELinux is enabled: the PID file will not be created
when /etc/init.d/clamd.amavisd starts.
I have appended the log (error.txt).
In the maillog file I found this:
Dec 10 21:58:17 homer clamd[4692]: Unix socket file
/var/spool/amavisd/clamd.sock
Dec 10 21:58:17 homer clamd[4692]: Setting connection queue length to 15
Dec 10 21:58:17 homer clamd[4692]: Can't save PID in file
/var/run/amavisd/clamd.pid

Comment 13 Daniel Walsh 2007-03-28 20:06:09 UTC
Closing bugs
