Bug 431797 - selinux prevents procmail from running spamc
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Daniel Walsh
Reported: 2008-02-06 19:01 EST by Orion Poplawski
Modified: 2008-05-21 12:07 EDT (History)
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:07:02 EDT
Attachments: None
Description Orion Poplawski 2008-02-06 19:01:40 EST
Description of problem:

selinux prevents procmail from running spamc.

Running in permissive mode to get all denials:

type=AVC msg=audit(1202342416.006:25876): avc:  denied  { execute } for 
pid=1948 comm="procmail" name="spamc" dev=dm-4 ino=161168
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1202342416.006:25876): avc:  denied  { execute_no_trans } for
 pid=1948 comm="procmail" path="/usr/bin/spamc" dev=dm-4 ino=161168
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1202342416.006:25876): avc:  denied  { read } for  pid=1948
comm="procmail" path="/usr/bin/spamc" dev=dm-4 ino=161168
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-119.el5
Comment 1 Orion Poplawski 2008-02-06 19:03:52 EST
This is new with -119.
Comment 2 Daniel Walsh 2008-02-07 10:37:53 EST
procmail has never been able to run spamc?  It is not able to in Rawhide either?

It can run

/usr/bin/spamassassin

But not

/usr/bin/spamc

If it needs to I can add the policy.
Comment 3 Orion Poplawski 2008-02-07 11:06:43 EST
I just started seeing these messages when I applied 2.4.6-119.el5.  Before that
it ran fine.  Procmail definitely needs to be able to run spamc - that's how you
run spamassassin in client/server mode.
Comment 4 Daniel Walsh 2008-02-07 12:00:09 EST
optional_policy(`
	corenet_udp_bind_generic_port(procmail_t)
	corenet_dontaudit_udp_bind_all_ports(procmail_t)

	spamassassin_manage_user_home_files(procmail_t)
	spamassassin_exec(procmail_t)
	spamassassin_exec_client(procmail_t)
	spamassassin_read_lib_files(procmail_t)
')
This is still in policy.
Comment 5 Orion Poplawski 2008-02-07 12:18:06 EST
Somehow it's not making it in though.  I did a:

chcon -t spamassassin_exec_t /usr/bin/spamc

to make it look like /usr/bin/spamassassin and I still get denials.

Any way to decompile the current policy to see what's in place?
Comment 6 Daniel Walsh 2008-02-07 12:22:58 EST
sesearch --allow | grep procmail_t | grep spamc_exec_t
Comment 7 Orion Poplawski 2008-02-07 12:33:53 EST
[root@coop00 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-30.el5
[root@coop00 ~]# sesearch --allow | grep procmail_t | grep spamc_exec_t
   allow procmail_t spamc_exec_t : file { ioctl read getattr lock execute
execute_no_trans };

Install -120.

[root@coop00 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-120.el5
[root@coop00 ~]# sesearch --allow | grep procmail_t | grep spamc_exec_t
[root@coop00 ~]#
Comment 8 Daniel Walsh 2008-02-07 12:56:38 EST
Could you get this info

seinfo -t | grep spam
seinfo -t | grep razor

Comment 9 Orion Poplawski 2008-02-07 13:08:17 EST
[root@earth files]# seinfo -t | grep spam
Rule loading disabled
   spamd_var_lib_t
   spamd_var_run_t
   spamd_spool_t
   spamd_server_packet_t
   spamassassin_exec_t
   spamc_exec_t
   spamd_exec_t
   spamd_client_packet_t
   spamd_t
   spamd_tmp_t
   spamd_port_t
[root@earth files]# seinfo -t | grep razor
Rule loading disabled
   razor_var_lib_t
   razor_client_packet_t
   razor_exec_t
   razor_etc_t
   razor_log_t
   razor_port_t
   razor_server_packet_t
   razor_t
Comment 10 Daniel Walsh 2008-02-07 14:58:11 EST
Try 121, on people.
Comment 11 Orion Poplawski 2008-02-07 16:10:29 EST
Looks good:

# sesearch --allow | grep procmail_t | grep spamc_exec_t
   allow procmail_t spamc_exec_t : file { ioctl read getattr lock execute
execute_no_trans };

and procmail runs spamc without trouble now.

What was up?
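The check Dan asks for in comment 6 and the before/after sesearch output in comments 7 and 11, as an added Python example that is not part of the original thread: it parses the AVC records from the description and a sesearch dump (both embedded below as constructed sample input copied from this bug), reports which denied permissions the loaded policy does not grant, and builds the targeted sesearch query to run instead of grepping the whole dump. The `-s`/`-t`/`-c` options are assumed to be present in the installed setools sesearch.

```python
import re
from collections import defaultdict

# Constructed sample input copied from this bug: the AVC records in the
# description (wrapped as pasted) and the sesearch output from comment 11.
AVC_LOG = """
type=AVC msg=audit(1202342416.006:25876): avc:  denied  { execute } for
pid=1948 comm="procmail" name="spamc" dev=dm-4 ino=161168
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1202342416.006:25876): avc:  denied  { execute_no_trans } for
 pid=1948 comm="procmail" path="/usr/bin/spamc" dev=dm-4 ino=161168
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=AVC msg=audit(1202342416.006:25876): avc:  denied  { read } for  pid=1948
comm="procmail" path="/usr/bin/spamc" dev=dm-4 ino=161168
scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
"""
SESEARCH_121 = """   allow procmail_t spamc_exec_t : file { ioctl read getattr lock execute
execute_no_trans };
"""  # under -120 the same query printed nothing (comment 7): pass "" for that case

AVC_RE = re.compile(r'denied \{ (?P<perms>[^}]*)\}.*?scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)'
                    r'.*?tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+).*?tclass=(?P<cls>\w+)')
RULE_RE = re.compile(r'allow (?P<src>\w+) (?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s*'
                     r'(?:\{(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;')

def parse_avc(log):
    """Map (source type, target type, class) -> permissions the kernel denied."""
    denied = defaultdict(set)
    for rec in log.split('type=AVC'):
        m = AVC_RE.search(' '.join(rec.split()))  # rejoin a record wrapped over lines
        if m:
            denied[(m['src'], m['tgt'], m['cls'])].update(m['perms'].split())
    return dict(denied)

def parse_sesearch(output):
    """Map (source, target, class) -> permissions the loaded policy allows."""
    allowed = defaultdict(set)
    for m in RULE_RE.finditer(' '.join(output.split())):  # rules wrap too
        allowed[(m['src'], m['tgt'], m['cls'])].update((m['perms'] or m['perm'] or '').split())
    return dict(allowed)

def missing_perms(denied, allowed):
    """Denied permissions that no allow rule grants: the rules that went missing."""
    gaps = {k: p - allowed.get(k, set()) for k, p in denied.items()}
    return {k: p for k, p in gaps.items() if p}

def sesearch_cmd(key):
    """Targeted query for one (source, target, class), instead of grepping the full dump."""
    return "sesearch --allow -s %s -t %s -c %s" % key
```

With the -120 dump (empty) every denied permission is reported missing; with the -121 dump the result is empty, matching what comment 11 observed.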
Comment 12 Daniel Walsh 2008-02-08 10:14:28 EST
An optional_policy(`') block was added that tried to check whether the allow-spamd-to-write-to-homedir boolean was set. I backported some code from Rawhide that was causing this block to not add the rules. optional_policy says that if a type in a gen_requires block does not exist, don't add any of the rules. So the backported section contained user_razor_home_t, which was causing the entire block to be removed.

fixed in selinux-policy-2.4.6-121.el5
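An illustration of the failure mode Dan describes, as an added refpolicy-style fragment that is not the actual RHEL 5 policy source: the gen_require on `user_razor_home_t` and the razor rule are hypothetical stand-ins for the backported section, and the interface names are the ones shown in comment 4.

```selinux
# Broken shape: one optional_policy block.  Each interface call expands to a
# gen_require for the types it needs; if any required type is undefined in
# this policy build, the whole optional block is dropped, not just the rule
# that needed the type.  user_razor_home_t is absent from the RHEL 5 policy,
# so the spamc rules below disappear along with it.
optional_policy(`
	gen_require(`
		# hypothetical: not defined in this policy build
		type user_razor_home_t;
	')
	spamassassin_exec(procmail_t)
	# needs spamc_exec_t, which does exist, but that no longer matters
	spamassassin_exec_client(procmail_t)
	allow procmail_t user_razor_home_t:dir search_dir_perms;
')

# Fixed shape: rules with the extra requirement get their own block, so the
# spamc rules survive even when the razor type is missing.
optional_policy(`
	spamassassin_exec(procmail_t)
	spamassassin_exec_client(procmail_t)
')
optional_policy(`
	gen_require(`
		type user_razor_home_t;
	')
	allow procmail_t user_razor_home_t:dir search_dir_perms;
')
```

The symptom is silent: the module still builds and loads, and only a sesearch for the expected rule (or the AVC denials in permissive mode) shows that the block was skipped.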
Comment 13 RHEL Product and Program Management 2008-02-08 10:17:09 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 18 errata-xmlrpc 2008-05-21 12:07:02 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
