Bug 410781 - Selinux-policy preventing spamassassin from accessing home directory
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.1
Hardware: i686 Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
Reported: 2007-12-04 13:06 EST by Todd Taft
Modified: 2008-05-21 12:06 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:06:14 EDT


Description Todd Taft 2007-12-04 13:06:10 EST
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Todd Taft 2007-12-04 13:20:35 EST
Didn't mean to hit submit yet.  Let's try again:

Relevant package versions:
selinux-policy-2.4.6-106.el5_1.3
spamassassin-3.1.8-2.el5

Detailed description:
user home directory is local to mail server.
user does not have a ~/.spamassassin directory

spamd is running

spamassassin is called from /etc/procmailrc by:
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc

# getsebool spamd_enable_home_dirs
spamd_enable_home_dirs --> on

~/.spamassassin (and files below it) are not created
Selinux alert is created (see below)


Expected results:
~/.spamassassin created
No selinux alert

Error message from setroubleshoot:
Summary
    SELinux is preventing the spamd daemon from reading users home directories.

Detailed Description
    SELinux has denied the spamd daemon access to users home directories.
    Someone is attempting to access your home directories via your spamd daemon.
    If you only setup spamd to share non home directories, this probably signals
    a intrusion attempt.

Allowing Access
    If you want spamd to share home directories you need to turn on the
    spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"

    The following command will allow this access:
    setsebool -P spamd_enable_home_dirs=1

Additional Information        

Source Context                system_u:system_r:spamd_t
Target Context                system_u:object_r:user_home_dir_t
Target Objects                user_prefs [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.spamd_enable_home_dirs
Host Name                     host.example.com
Platform                      Linux host.example.com 2.6.18-53.1.4.el5 #1 SMP
                              Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count                   22780
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2809
scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0
suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none)
uid=0

Comment 2 Daniel Walsh 2007-12-05 08:50:36 EST
This avc looks like spamd is trying to create the file user_prefs in a directory
labeled user_home_dir_t?  user_prefs is usually created in the .spamassassin
directory, which should be labeled user_spamassassin_home_t.  Are you sure this
directory was not there?  Can you remove it with rm -rf ~/.spamassassin and try
it again to see if the labeling gets done correctly?
Comment 3 Todd Taft 2007-12-06 16:22:34 EST
I don't have a ~/.spamassassin directory.  My home directory itself is labeled
user_home_dir_t.

[~]$ ls -ldZ ~
drwx------  taft taft system_u:object_r:user_home_dir_t /home/taft
[~]$ ls -ldZ ~/.spamassasin
ls: /home/taft/.spamassasin: No such file or directory
Comment 4 Daniel Walsh 2008-02-26 17:40:51 EST
Fixed in selinux-policy-2.4.6-121.el5
Comment 5 RHEL Product and Program Management 2008-03-05 17:07:25 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 Todd Taft 2008-03-31 20:54:36 EDT
I've upgraded, and I'm still having the same issue.  Am I missing something?

From setroubleshoot:

Summary
    SELinux is preventing the spamd daemon from reading users home directories.

Detailed Description
    SELinux has denied the spamd daemon access to users home directories.
    Someone is attempting to access your home directories via your spamd daemon.
    If you only setup spamd to share non home directories, this probably signals
    a intrusion attempt.

Allowing Access
    If you want spamd to share home directories you need to turn on the
    spamd_enable_home_dirs boolean: "setsebool -P spamd_enable_home_dirs=1"

    The following command will allow this access:
    setsebool -P spamd_enable_home_dirs=1

Additional Information        

Source Context                system_u:system_r:spamd_t
Target Context                system_u:object_r:user_home_dir_t
Target Objects                user_prefs [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-121.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.spamd_enable_home_dirs
Host Name                     host.example.com
Platform                      Linux host.example.com 2.6.18-53.1.14.el5 #1
                              SMP Wed Mar 5 11:36:49 EST 2008 i686 i686
Alert Count                   77990
Line Numbers                  

Raw Audit Messages            
avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2812
scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0
suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none)
uid=0



[~]$ rpm -qa |grep selinux
libselinux-python-1.33.4-5.el5
selinux-policy-strict-2.4.6-121.el5
libselinux-1.33.4-5.el5
selinux-policy-mls-2.4.6-121.el5
selinux-policy-2.4.6-121.el5
selinux-policy-devel-2.4.6-121.el5
selinux-policy-targeted-2.4.6-121.el5
libselinux-devel-1.33.4-5.el5

[~]$ rpm -qa |grep spam
spamass-milter-0.3.1-1.el5.rf
spamassassin-3.2.4-1.el5

[~]$ ls -ldZ ~taft
drwx------  taft taft system_u:object_r:user_home_dir_t /home/taft
[~]$ ls -ldZ ~taft/.spam*
ls: /home/taft/.spam*: No such file or directory

[~]# getsebool spamd_enable_home_dirs
spamd_enable_home_dirs --> on
Comment 10 Daniel Walsh 2008-04-01 01:41:30 EDT
It looks like it is trying to create the file user_prefs in a directory labeled
user_home_dir_t.  Spamassassin should have created a directory called
.spamassassin which would be labeled user_home_t and the user_prefs could be
created in that directory as user_home_t?

Do you have some kind of configuration change to create user_prefs directly in
/home/taft?
Comment 11 Todd Taft 2008-04-05 00:22:30 EDT
I didn't think I had changed any configurations that would affect the location
of files:
[root@platypus ~]# rpm -V spamassassin
S.5....T c /etc/cron.d/sa-update
Comment 12 Daniel Walsh 2008-04-06 05:43:16 EDT
If you run in permissive mode, where does the file get created?
Comment 14 Todd Taft 2008-04-16 17:54:15 EDT
In /root/.spamassassin/user_prefs

I'm not sure why it got created there, but it did make the /root/.spamassassin
directory.

Mail to root is forwarded to taft in /etc/aliases, but I'm still not sure why
the file would be created in root's homedir rather than mine.

I suppose I have an issue with both selinux and spamassassin...

Comment 15 Daniel Walsh 2008-04-17 10:39:15 EDT
I think this is a configuration problem, or some strange behavior, anyways.  I
do not believe this is standard.
Comment 18 errata-xmlrpc 2008-05-21 12:06:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
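
Added example (not part of the original report and not code from Red Hat or any tool named here): a small Python parser for the raw AVC records in comments 1 and 9. It reduces each record to the (source type, target type, class, permission) tuple that policy decides on, shows that the tuple is identical before and after the policy upgrade, and flags the two details the thread turns on: the create was attempted in the home directory itself (comment 2), and spamd was acting as uid 0, which matches the file landing in /root/.spamassassin in permissive mode (comment 14). The function names, the `_home_dir_t` suffix heuristic and the wording of the notes are assumptions made for this illustration.

```python
import re

# Raw audit records copied from comments 1 and 9 of this report (line breaks joined).
AVC_COMMENT_1 = ('avc: denied { create } for comm="spamd" egid=0 euid=0 exe="/usr/bin/perl" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="user_prefs" pid=2809 '
    'scontext=system_u:system_r:spamd_t:s0 sgid=0 subj=system_u:system_r:spamd_t:s0 '
    'suid=0 tclass=file tcontext=system_u:object_r:user_home_dir_t:s0 tty=(none) uid=0')
AVC_COMMENT_9 = AVC_COMMENT_1.replace("pid=2809", "pid=2812")  # only the pid differs

def parse_avc(record):
    """Split one AVC denial into its permissions and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", record, re.S)
    if not m:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]

def access_vector(fields):
    """(source type, target type, class, permissions): the tuple policy decides on."""
    return (context_type(fields["scontext"]), context_type(fields["tcontext"]),
            fields["tclass"], tuple(sorted(fields["perms"])))

def triage(fields, expected_type="user_spamassassin_home_t"):
    """Findings for one denial; expected_type is the label comment 2 names."""
    src, tgt, cls, perms = access_vector(fields)
    notes = []
    if cls == "file" and "create" in perms and tgt.endswith("_home_dir_t"):
        # A new file takes its parent directory's type unless a type transition
        # applies, so this target points at the home directory itself (heuristic).
        notes.append(f"create of {fields['name']} attempted directly in a home "
                     f"directory, not under a directory labeled {expected_type}")
    if fields.get("uid") == "0" and fields.get("euid") == "0":
        notes.append(f"{fields['comm']} was running as root for this access")
    return notes

if __name__ == "__main__":
    for rec in (AVC_COMMENT_1, AVC_COMMENT_9):
        f = parse_avc(rec)
        print(access_vector(f), triage(f))
```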
