Description of problem:
On my working server, amavisd-new (from extras) suddenly, after a reboot, stopped working. I discovered that selinux kept it from doing much of anything - couldn't access its temp dir, database dir, sockets etc... The fact that this was after a reboot has to be related to my selinux policy having been very recently updated. Let me know what you need so we can get this thing fixed...

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.36-2.fc5

How reproducible:
always

Steps to Reproduce:
1. service amavisd start
2. service amavisd status
3. it's dead, check /var/log/maillog and avc denied messages

Actual results:
amavisd is denied access to a lot of resources

Expected results:
amavisd should be fully functional

Additional info:
I've built a semodule with the following rules, that may not be complete but seems to do the trick for now at least. I still feel it should be fixed, though.

---
module amaviscustom 1.0;

require {
	class chr_file { ioctl read write };
	class dir { add_name create getattr read remove_name rmdir search write };
	class file { create getattr ioctl link read rename unlink write };
	class lnk_file { create read unlink };
	class sock_file write;
	class udp_socket name_bind;
	class unix_stream_socket connectto;
	class capability kill;
	type amavis_t;
	type devpts_t;
	type initrc_t;
	type port_t;
	type proc_t;
	type sysctl_kernel_t;
	type var_spool_t;
};

allow amavis_t devpts_t:chr_file { ioctl read write };
allow amavis_t initrc_t:unix_stream_socket connectto;
allow amavis_t port_t:udp_socket name_bind;
allow amavis_t proc_t:file { getattr read };
allow amavis_t proc_t:lnk_file read;
allow amavis_t sysctl_kernel_t:dir search;
allow amavis_t sysctl_kernel_t:file read;
allow amavis_t var_spool_t:dir { add_name create getattr read remove_name rmdir search write };
allow amavis_t var_spool_t:file { create getattr ioctl link read rename unlink write };
allow amavis_t var_spool_t:lnk_file { create read unlink };
allow amavis_t var_spool_t:sock_file write;
allow amavis_t self:capability kill;
---
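The module in the report was derived by hand from the avc denied records in the audit log. As an added illustration that is not part of the bug report or of any Fedora tool, the following Python script performs that derivation over a few constructed AVC records: it merges denials into one allow rule per source type, target type and object class, emits the matching require block, and writes `self` where source and target domain coincide, as in the `capability kill` rule above. The sample records, including their pid and inode values, are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample AVC records for this example (not the bug's attachment); the
# comm, contexts and classes mirror the amavisd denials discussed in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1165780697.101:45): avc:  denied  { search write add_name } for  pid=4711 comm="amavisd" name="tmp" dev=dm-0 ino=1234 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1165780697.102:46): avc:  denied  { write } for  pid=4711 comm="amavisd" name="clamd.sock" dev=dm-0 ino=1236 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1165780697.103:47): avc:  denied  { connectto } for  pid=4711 comm="amavisd" path="/var/spool/amavisd/clamd.sock" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1165780697.104:48): avc:  denied  { rmdir } for  pid=4711 comm="amavisd" name="tmp" dev=dm-0 ino=1234 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1165780697.105:49): avc:  denied  { kill } for  pid=4711 comm="amavisd" capability=5 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:amavis_t:s0 tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scontext>\S+)"
                    r".*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)")

def _type_of(ctx):
    return ctx.split(":")[2]  # user:role:type[:level] -> the type field

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (_type_of(m.group("scontext")), _type_of(m.group("tcontext")),
            m.group("tclass"), frozenset(m.group("perms").split()))

def _fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def generate_module(lines, name="amaviscustom", version="1.0"):
    """Merge denials into one allow rule per (source, target, class) and emit a .te module."""
    rules, classes, types = defaultdict(set), defaultdict(set), set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # non-AVC records (SYSCALL, CWD, ...) carry no denial tuple
        stype, ttype, tclass, perms = parsed
        rules[(stype, ttype, tclass)] |= perms
        classes[tclass] |= perms
        types.update((stype, ttype))
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\tclass {c} {_fmt(p)};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += ["};", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # e.g. the capability kill rule
        out.append(f"allow {stype} {target}:{tclass} {_fmt(perms)};")
    return "\n".join(out) + "\n"
```

It stands in for audit2allow only to show the mapping from denials to rules; each generated allow still needs checking against what amavisd legitimately does before it is compiled and loaded with semodule.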
Please attach the message log that you used to generate this policy.
Created attachment 129102 [details]
audit log from a few amavisd operations

Had to recreate the log for you, so although they should be the same, they could be different - especially since the targeted policy got updated in the meantime... These are the operations I went through to get the log:

setenforce 0
load_policy
service amavisd restart
send a mail or two through the system
service amavisd stop
extract log since last load_policy
What spool directory is it creating? Is amavis going to try to run clamscan?
Trying to update databases and temp folders in /var/spool/amavisd/{db,tmp}/*, communicating with a socket in /var/spool/amavisd/clamd.sock, and probably more. I guess there's a good chance that it will launch clamscan if it can't use its preferred, more optimal way, which I think is using clamd via a perl API in some way.
amavisd tries to connect through the socket, and if that fails, it falls back to running /usr/bin/clamscan. amavisd also can run a *bunch* of other programs. I'll attach a startup log for reference.
*** Bug 191584 has been marked as a duplicate of this bug. ***
Created attachment 129658 [details] syslog from amavisd startup
Fixed in selinux-policy-2.2.42-2.fc5
I still need to add a custom semodule with the following, to make it work...

module amaviscustom 1.0;

require {
	class file getattr;
	class lnk_file read;
	class udp_socket name_bind;
	type amavis_t;
	type clamscan_exec_t;
	type port_t;
	type proc_t;
};

allow amavis_t clamscan_exec_t:file getattr;
allow amavis_t port_t:udp_socket name_bind;
allow amavis_t proc_t:lnk_file read;
"work" meaning that it will be allowed to function even though clamd is not running for whatever reason.
That is strange because selinux-policy-2.2.42-2.fc5 should have those rules. Dan
Created attachment 143252 [details]
The error messages from auditd

I have some problems when SELinux is enabled: the PID file will not be created when /etc/init.d/clamd.amavisd starts. I have appended the log (error.txt). In the maillog file I found this:

Dec 10 21:58:17 homer clamd[4692]: Unix socket file /var/spool/amavisd/clamd.sock
Dec 10 21:58:17 homer clamd[4692]: Setting connection queue length to 15
Dec 10 21:58:17 homer clamd[4692]: Can't save PID in file /var/run/amavisd/clamd.pid
Closing bugs