Bug 244646 - SELinux preventing SpamAssassin from creating needed files
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: i386 Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson

Reported: 2007-06-18 07:18 EDT by Paul Thompson
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:09:42 EDT
Description Paul Thompson 2007-06-18 07:18:18 EDT
Description of problem:
SELinux policy preventing spamassassin from creating new files

Version-Release number of selected component (if applicable):
spamass-milter.i386                      0.3.1-4.fc6            installed       
spamassassin.i386                        3.2.1-1.fc7            installed 
selinux-policy.noarch                    2.6.4-14.fc7           installed       
selinux-policy-targeted.noarch           2.6.4-14.fc7           installed 

How reproducible:
Have recently installed spamass-milter and spamassassin and configured sendmail
to use both as per spamass-milter's readme.
When an email is received sendmail calls spamassassin to check for spam. During
its processing, spamassassin wishes to create a number of files in
/var/run/spam* (see below) but cannot due to policy. 

Steps to Reproduce:
1. Send an email to sendmail

Actual results:
This is /var/log/maillog when an email has been received:
Jun 18 11:09:09 sally sendmail[7327]: l5IA98pq007327: from=<...>, size=3401,
class=0, nrcpts=1, msgid=<...>, proto=ESMTP, daemon=MTA, relay=...
Jun 18 11:09:10 sally spamd[30491]: spamd: connection from ... [127.0.0.1] at
port 55496 
Jun 18 11:09:10 sally spamd[30491]: spamd: setuid to sa-milt succeeded 
Jun 18 11:09:10 sally spamd[30491]: spamd: creating default_prefs:
/var/run/spamass-milter/.spamassassin/user_prefs 
Jun 18 11:09:10 sally spamd[30491]: config: cannot write to
/var/run/spamass-milter/.spamassassin/user_prefs: No such file or directory 
Jun 18 11:09:10 sally spamd[30491]: spamd: failed to create readable
default_prefs: /var/run/spamass-milter/.spamassassin/user_prefs 
Jun 18 11:09:10 sally spamd[30491]: spamd: processing message <...> for sa-milt:117 
Jun 18 11:09:21 sally spamd[30491]: pyzor: check failed: internal error 
Jun 18 11:09:21 sally spamd[30491]: auto-whitelist: open of auto-whitelist file
failed: locker: safe_lock: cannot create tmp lockfile
/var/run/spamass-milter/.spamassassin/auto-whitelist.lock.sally.thompson.30491
for /var/run/spamass-milter/.spamassassin/auto-whitelist.lock: No such file or
directory 
Jun 18 11:09:21 sally spamd[30491]: spamd: clean message (-0.0/5.0) for
sa-milt:117 in 11.5 seconds, 3829 bytes. 
Jun 18 11:09:21 sally spamd[30491]: spamd: result: . 0 -
HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS
scantime=11.5,size=3829,user=sa-milt,uid=117,required_score=5.0,rhost=sally.thompson,raddr=127.0.0.1,rport=55496,mid=<!&!AAAAAAAAAAAYAAAAAAAAAOY8J/3rqT5EmjIViIpUaYHCgAAAEAAAAF3YkUWbGGpNoi6KPyT3/bgBAAAAAA==@tiscali.co.uk>,autolearn=failed

Jun 18 11:09:21 sally sendmail[7327]: l5IA98pq007327: Milter add: header:
X-Spam-Status: No, score=-0.0 required=5.0
tests=HTML_MESSAGE,SPF_HELO_PASS,\n\tSPF_PASS autolearn=failed version=3.2.1
Jun 18 11:09:21 sally sendmail[7327]: l5IA98pq007327: Milter add: header:
X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on sally.thompson
Jun 18 11:09:22 sally spamd[30488]: prefork: child states: II 

Here are the 3 relevant SELinux reports from setroubleshoot browser:
avc: denied { create } for comm="spamd" egid=120 euid=117 exe="/usr/bin/perl"
exit=-13 fsgid=120 fsuid=117 gid=0 items=0 name=".spamassassin" pid=30491
scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0

avc: denied { write } for comm="pyzor" dev=dm-0 egid=120 euid=117
exe="/usr/bin/python" exit=-13 fsgid=120 fsuid=117 gid=0 items=0
name="spamass-milter" pid=7330 scontext=system_u:system_r:pyzor_t:s0 sgid=120
subj=system_u:system_r:pyzor_t:s0 suid=117 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=117

avc: denied { create } for comm="spamd" egid=120 euid=117 exe="/usr/bin/perl"
exit=-13 fsgid=120 fsuid=117 gid=0 items=0 name=".razor" pid=30491
scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0




Expected results:


Additional info:

Executing chcon -R -t spamd_var_run_t /var/run/spam* seems to fix the pyzor
error, but the other two remain
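
A small triage helper for the three denials quoted in the description, added here as an example (it is not part of the original report or of selinux-policy): it groups AVC records by source type, target type and object class, the same grouping a policy maintainer needs before deciding between a labelling fix and a policy change. The function names and the single-line sample records are constructed for illustration from the AVC text above.

```python
import re
from collections import defaultdict

# The report's three denials, re-joined onto single lines and trimmed to the
# fields used below (constructed from the AVC text quoted in the description).
SAMPLE_AVCS = [
    'avc: denied { create } for comm="spamd" name=".spamassassin" pid=30491 '
    'scontext=system_u:system_r:spamd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:var_run_t:s0',
    'avc: denied { write } for comm="pyzor" name="spamass-milter" pid=7330 '
    'scontext=system_u:system_r:pyzor_t:s0 tclass=dir '
    'tcontext=system_u:object_r:var_run_t:s0',
    'avc: denied { create } for comm="spamd" name=".razor" pid=30491 '
    'scontext=system_u:system_r:spamd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:var_run_t:s0',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's permissions and key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize(lines):
    """Group denials by (source type, target type, class); skip malformed lines."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in lines:
        avc = parse_avc(line)
        if not avc or not {"scontext", "tcontext", "tclass"} <= avc.keys():
            continue
        key = (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]), avc["tclass"])
        groups[key]["perms"].update(avc["perms"])
        groups[key]["names"].add(avc.get("name", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_AVCS).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} {sorted(g['names'])}")
```

All three records collapse into two groups, spamd_t and pyzor_t, and both target directories labelled var_run_t, so the label on /var/run/spamass-milter is the first thing to check when verifying a fix.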
Comment 1 Daniel Walsh 2007-06-18 10:51:50 EDT
Fixed in selinux-policy-2.6.4-17
Comment 2 Daniel Walsh 2007-08-22 10:09:42 EDT
Closing as fixes are in the current release
