Bug 425983 - procmail/spamassassin generating avc errors
Summary: procmail/spamassassin generating avc errors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
 
Reported: 2007-12-17 16:03 UTC by Need Real Name
Modified: 2008-03-05 22:17 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-05 22:17:24 UTC
Type: ---
Embargoed:



Description Need Real Name 2007-12-17 16:03:44 UTC
Description of problem:

I use a very standard /etc/procmailrc file to get procmail to run spamassassin
on incoming email (against the corresponding user's local .spamassassin
configuration).

Specifically, I use the following standard simple /etc/procmailrc file (with
privileges appropriately dropped down to user level):
    # Drop suid/guid privileges
    DROPPRIVS=yes

    # Filter all mail through spamassassin
    INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

However, each time that mail is so filtered, it generates the following list of
avc errors:

type=AVC msg=audit(1197906186.907:1527): avc:  denied  { read } for  pid=13475
comm="spamassassin" name="3.002003" dev=sda7 ino=1734858
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir

type=AVC msg=audit(1197906186.910:1528): avc:  denied  { read } for  pid=13475
comm="spamassassin" name="3.002003" dev=sda7 ino=1734858
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir

type=AVC msg=audit(1197906186.911:1529): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.913:1530): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.914:1531): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.915:1532): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.935:1533): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.936:1534): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.937:1535): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.939:1536): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.940:1537): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.941:1538): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.942:1539): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.946:1540): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.947:1541): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906186.949:1542): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.220:1543): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.258:1544): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.258:1545): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.259:1546): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.259:1547): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.261:1548): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.303:1549): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.303:1550): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.420:1551): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.421:1552): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.421:1553): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.422:1554): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.422:1555): avc:  denied  { getattr } for 
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

type=AVC msg=audit(1197906187.423:1556): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir

Comment 1 Need Real Name 2007-12-24 23:22:29 UTC
As a side effect, the following 4 additional avc errors are also generated by
Pyzor (which I suppose is called by Spamassassin):

type=AVC msg=audit(1198537310.367:4103): avc:  denied  { read } for  pid=13328
comm="pyzor" path="/var/spool/mqueue/dflBON1iQh013281" dev=sda7 ino=1738929
scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file

type=AVC msg=audit(1198537310.467:4104): avc:  denied  { search } for  pid=13328
comm="pyzor" name="kosowsky" dev=sda7 ino=2240758
scontext=system_u:system_r:pyzor_t:s0
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

type=AVC msg=audit(1198537310.469:4105): avc:  denied  { getattr } for 
pid=13328 comm="pyzor" path="/tmp/.spamassassin13291ehBagBtmp" dev=sda7
ino=114493 scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file

type=AVC msg=audit(1198537310.470:4106): avc:  denied  { read } for  pid=13328
comm="pyzor" path="/tmp/.spamassassin13291ehBagBtmp" dev=sda7 ino=114493
scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
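
The denials quoted in the description and in Comment 1 repeat the same few accesses many times. The following is an added example (not part of the original report or of the selinux-policy tooling) that collapses line-wrapped AVC records into one entry per source type, target type and class; the function names are hypothetical and the sample is four records copied from this page.

```python
import re
from collections import defaultdict

# Sample input: four line-wrapped records copied from this report.
SAMPLE = """\
type=AVC msg=audit(1197906186.911:1529): avc:  denied  { getattr } for
pid=13475 comm="spamassassin" path="/home/kosowsky/.spamassassin" dev=sda7
ino=2256863 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1197906186.935:1533): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1197906186.936:1534): avc:  denied  { search } for  pid=13475
comm="spamassassin" name=".spamassassin" dev=sda7 ino=2256863
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:user_spamassassin_home_t:s0 tclass=dir
type=AVC msg=audit(1198537310.470:4106): avc:  denied  { read } for  pid=13328
comm="pyzor" path="/tmp/.spamassassin13291ehBagBtmp" dev=sda7 ino=114493
scontext=system_u:system_r:pyzor_t:s0
tcontext=system_u:object_r:procmail_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc: denied \{ ([^}]+) \} for (.*?)'
                    r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> perms, comms and record count."""
    flat = " ".join(log_text.split())   # undo line wrapping inside records
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for perms, detail, sctx, tctx, tclass in AVC_RE.findall(flat):
        entry = rules[(selinux_type(sctx), selinux_type(tctx), tclass)]
        entry["perms"].update(perms.split())
        entry["comms"].update(re.findall(r'comm="([^"]+)"', detail))
        entry["count"] += 1
    return dict(rules)

def as_review_lines(rules):
    """Render one line per distinct denied access, for human review."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(r['perms']))} }} "
            f"x{r['count']} comm={','.join(sorted(r['comms']))}"
            for (s, t, c), r in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_review_lines(summarize(SAMPLE))))
```

Each output line is one access a policy reviewer has to decide on; whether it reflects a real need or, as Comment 2 asks about pyzor, a leaked file descriptor still has to be judged per line.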


Comment 2 Daniel Walsh 2007-12-31 13:38:21 UTC
Most of the above are fixed in selinux-policy-3.0.8-72.fc8

But I am not sure if pyzor actually reads procmail_tmp_t or if this is a leaked
file descriptor.  Do you know if pyzor is supposed to read
/tmp/.spamassassin13291ehBagBtmp?

Comment 3 Need Real Name 2007-12-31 18:53:09 UTC
I literally know nothing about pyzor -- it just came along for the ride on my
Fedora 8 installation :)

Comment 4 Daniel Walsh 2007-12-31 20:19:56 UTC
fixed in selinux-policy-3.0.8-73.fc8


Comment 5 Need Real Name 2008-01-15 18:32:14 UTC
Yes -- seems to be mostly fixed. However, I did get one pyzor-related procmail
error since upgrading:

denied  { signal } for  pid=18790 comm="spamassassin"
scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:pyzor_t:s0
tclass=process

This is a different pyzor error from the ones I reported previously. I'm not
sure what triggers it but it occurs much less frequently than the original pyzor
selinux error that I reported.

Comment 6 Daniel Walsh 2008-01-16 20:46:45 UTC
fixed in selinux-policy-3.0.8-78.fc8

Comment 7 Daniel Walsh 2008-03-05 22:17:24 UTC
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.

