Bug 203290 - SELinux prevents spamd creating ~/.spamassassin preferences directory
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-08-20 13:22 EDT by Richard Fearn
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-20 14:58:58 EDT
Attachments
Entries in /var/log/messages when SELinux is in enforcing mode (464 bytes, text/plain) - 2006-08-20 13:26 EDT, Richard Fearn
Entries in /var/log/messages when SELinux is in permissive mode (2.29 KB, text/plain) - 2006-08-20 13:27 EDT, Richard Fearn
Entries in /var/log/messages when SELinux is in enforcing mode (2.3.7-2) (446 bytes, text/plain) - 2006-08-29 10:12 EDT, Richard Fearn
Entries in /var/log/messages when SELinux is in permissive mode (2.3.7-2) (1.37 KB, text/plain) - 2006-08-29 10:13 EDT, Richard Fearn

Description Richard Fearn 2006-08-20 13:22:23 EDT
Description of problem:
SELinux is preventing spamd creating the ~/.spamassassin preferences directory,
even when the spamd_enable_home_dirs boolean is on.

Version-Release number of selected component (if applicable):
Fedora Core 5, with all updates as of 2006-08-20. Relevant packages:
spamassassin-3.1.3-1.fc5
selinux-policy-2.3.3-8.fc5
selinux-policy-targeted-2.3.3-8.fc5
kernel-2.6.17-1.2174_FC5

How reproducible:
Always occurs

Steps to Reproduce:
1. install FC5, do yum update, and reboot
2. yum install spamassassin
3. service spamassassin start
4. getsebool spamd_enable_home_dirs (check this is on)
5. pass a message to spamd using spamc
  
Actual results:
1. Message appears to be processed by SpamAssassin correctly (i.e. the X-Spam-*
headers are present in the spamc output)
2. ~/.spamassassin directory is not created with default user preferences
3. errors in /var/log/messages:

Aug 20 18:18:41 gwtest kernel: audit(1156094321.483:8): avc:  denied  { write } for  pid=1729 comm="spamd" name="rich" dev=dm-0 ino=548898 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Aug 20 18:18:41 gwtest kernel: audit(1156094321.495:9): avc:  denied  { write } for  pid=1729 comm="spamd" name="rich" dev=dm-0 ino=548898 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

Expected results:
~/.spamassassin directory should have been created, containing user_prefs file

Additional info:
~/.spamassassin and user_prefs file are created if either
* SELinux is in permissive mode; or
* spamassassin is used instead of spamc (since spamassassin runs unconfined).
Comment 1 Richard Fearn 2006-08-20 13:26:13 EDT
Created attachment 134530 [details]
Entries in /var/log/messages when SELinux is in enforcing mode
Comment 2 Richard Fearn 2006-08-20 13:27:02 EDT
Created attachment 134531 [details]
Entries in /var/log/messages when SELinux is in permissive mode
Comment 3 Daniel Walsh 2006-08-21 09:14:46 EDT
Do you have the boolean spamd_enable_home_dirs set on?

getsebool spamd_enable_home_dirs

You can turn it on with 

setsebool -P spamd_enable_home_dirs=1
Comment 4 Richard Fearn 2006-08-21 09:44:44 EDT
As I said in the description:

> SELinux is preventing spamd creating the ~/.spamassassin preferences
> directory, even when the spamd_enable_home_dirs boolean is on.

Also in step 4 of the "Steps to Reproduce", I checked that
spamd_enable_home_dirs *is* on.

Also, to emphasise: this was on a fresh FC5 install (only "Base" selected during
the install), which was then fully updated, resulting in the package version
numbers given above.
Comment 5 Daniel Walsh 2006-08-21 14:13:51 EDT
OK, I will add it to the next policy update. For the time being you can use
audit2allow -M local -i /var/log/messages 
to create a loadable policy module and add these rules.
Comment 6 Daniel Walsh 2006-08-22 09:42:27 EDT
Fixed in selinux-policy-2.3.7-2.fc5
Comment 7 Daniel Walsh 2006-08-22 10:19:16 EDT
Change to modified
Comment 8 Richard Fearn 2006-08-29 09:50:38 EDT
Bad news I'm afraid... it still doesn't work even with 2.3.7-2.

Packages installed:
spamassassin-3.1.3-1.fc5
selinux-policy-2.3.7-2.fc5
selinux-policy-targeted-2.3.7-2.fc5
kernel-2.6.17-1.2174_FC5

[root@fc5test ~]# getsebool spamd_enable_home_dirs
spamd_enable_home_dirs --> on

When running spamc, I still get this message:

Aug 29 14:48:19 fc5test kernel: audit(1156859299.498:6): avc:  denied  { create } for  pid=1890 comm="spamd" name=".spamassassin" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Aug 29 14:48:19 fc5test kernel: audit(1156859299.506:7): avc:  denied  { create } for  pid=1890 comm="spamd" name=".spamassassin" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir

and no ~/.spamassassin folder is created.
Comment 9 Richard Fearn 2006-08-29 10:12:24 EDT
Created attachment 135134 [details]
Entries in /var/log/messages when SELinux is in enforcing mode (2.3.7-2)
Comment 10 Richard Fearn 2006-08-29 10:13:59 EDT
Created attachment 135135 [details]
Entries in /var/log/messages when SELinux is in permissive mode (2.3.7-2)
Comment 11 Richard Fearn 2006-08-29 13:01:15 EDT
The new AVC messages are different from the old ones. Comparing the permissive
mode AVC messages before and after the 2.3.7-2 update, it looks as though you've
allowed spamd the "write" and "add_name" permissions for user_home_dir_t:dir (as
lines 1/2/4/5 from the old log have gone) - please correct me if I'm wrong :-)

However SpamAssassin is still unable to create the .spamassassin directory as it
needs the "create" permission for user_home_dir_t:dir as well.

Having had a look at the Tresys reference policy (on which I believe 2.3.7-2 is
based?) I'm thinking there may be a problem with the context given to
~/.spamassassin when it is created *by spamd itself*. If spamd is able to create
~/.spamassassin, then it ends up with the user_home_dir_t context (which I
thought was meant only for home directories themselves). If I create it manually
it has context user_home_t (as I would expect).

The consequence of all this is that by creating ~/.spamassassin myself (which
gives it the user_home_t context), spamd is able to read/write its contents
without any errors (by virtue of the 27 or so permissions that spamd gets for
user_home_t due to spamd_enable_home_dirs being enabled).
Comment 12 Daniel Walsh 2006-08-29 18:57:57 EDT
Yes, this line needs to be added:

userdom_home_filetrans_generic_user_home_dir(spamd_t)

Added in

selinux-policy-2.3.7-3.fc5
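As an added example that is not part of this bug report, the Python below parses AVC messages of the shape quoted in Comments 8 and 11 (the sample lines are constructed from this report), merges them into the audit2allow-style allow rules Comment 5 refers to, and separately flags a "create" denial on user_home_dir_t, which is the case Comments 11 and 12 resolve with a filetrans rule rather than a plain allow.

```python
import re
from collections import defaultdict

# Constructed sample: kernel AVC messages in the shape quoted in this bug,
# one message per line (the report's wrapped lines joined back together).
SAMPLE_LOG = """\
Aug 20 18:18:41 gwtest kernel: audit(1156094321.483:8): avc:  denied  { write } for  pid=1729 comm="spamd" name="rich" dev=dm-0 ino=548898 scontext=system_u:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Aug 29 14:48:19 fc5test kernel: audit(1156859299.498:6): avc:  denied  { create } for  pid=1890 comm="spamd" name=".spamassassin" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Aug 29 14:48:19 fc5test kernel: audit(1156859299.506:7): avc:  denied  { create } for  pid=1890 comm="spamd" name=".spamassassin" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Aug 29 14:48:20 fc5test kernel: unrelated message, not an AVC record
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type:level; the type is what policy rules name.
    return {
        'perms': set(m.group('perms').split()),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'name': fields.get('name'),
    }


def summarize(log):
    """Merge denials into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, log.splitlines())):
        rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def to_allow_rules(rules):
    """Render the merged triples the way audit2allow would, one allow per triple."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


def missing_filetrans(log, home_type='user_home_dir_t'):
    """Directories a domain tried to create directly inside a home directory.
    That 'create' on user_home_dir_t is the Comment 11 symptom: the new directory
    would inherit the home dir's type, so a type transition is the right fix."""
    return sorted({rec['name'] for rec in filter(None, map(parse_avc, log.splitlines()))
                   if 'create' in rec['perms'] and rec['ttype'] == home_type
                   and rec['tclass'] == 'dir'})
```

A blanket allow of create on user_home_dir_t would make the denial go away but leave ~/.spamassassin mislabelled, which is exactly the situation Comment 11 describes; the flagged names are the ones that need a filetrans rule instead.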
Comment 13 Richard Fearn 2007-01-05 19:15:13 EST
Sorry Dan, before you closed this bug I was planning to add the following
information.

This bug is still present in FC6 with the 2.4.6-17 policy that's just been made
available.

Packages:
selinux-policy-2.4.6-17.fc6
selinux-policy-targeted-2.4.6-17.fc6
spamassassin-3.1.7-1.fc6

Booleans:
spamd_disable_trans --> off
spamd_enable_home_dirs --> on

If there is no ~/.spamassassin directory:
Jan  5 23:45:20 localhost kernel: audit(1168040720.765:12): avc:  denied  { write } for  pid=2241 comm="spamd" name="rich" dev=dm-0 ino=292322 scontext=user_u:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Jan  5 23:45:20 localhost kernel: audit(1168040720.825:13): avc:  denied  { write } for  pid=2241 comm="spamd" name="rich" dev=dm-0 ino=292322 scontext=user_u:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Jan  5 23:45:20 localhost kernel: audit(1168040720.969:14): avc:  denied  { write } for  pid=2241 comm="spamd" name="rich" dev=dm-0 ino=292322 scontext=user_u:system_r:spamd_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

If ~/.spamassassin has already been created:
no errors

I posted a message the other day on fedora-selinux-list asking how the
selinux-policy packages are created from the reference policy.

I see that the userdom... line was added to the reference policy in revision
1974. I can also see it being added to one of the patches in the 2.3.7-3.fc5
package, but I never tested that as 2.3.7-3 wasn't pushed to the repositories.

I can't however find the userdom... line in the FC6 package.
Comment 14 Daniel Walsh 2007-01-08 14:15:33 EST
Fixed in selinux-policy-targeted-2.4.6-24
Comment 15 Daniel de Kok 2007-05-14 10:38:22 EDT
Could you consider pulling up the (filetrans) correction introduced in 2.5.1-1
to EL5 as well? The directory still gets the user_home_dir_t context on EL5,
resulting in rejects when spamd tries to create files in the ~/.spamassassin
directory.
Comment 16 Daniel Walsh 2007-05-14 13:45:30 EDT
selinux-policy-2.4.6-69 should have the fix.
Comment 17 Richard Fearn 2007-08-17 15:09:34 EDT
This can be closed as I've upgraded to Fedora 7.
