Description of problem:
    Excerpting from the troubleshooter, SELinux is preventing spamc (spamc_t) "write" to pipe (sendmail_t).
Version-Release number of selected component (if applicable):
    spamassassin-3.2.4-4.fc9.i386
    selinux-policy-targeted-3.3.1-51.fc9.noarch
How reproducible:
    Always
Steps to Reproduce:
    1. Run spamd
    2. Run spamc from .procmailrc
    3. Receive mail
Actual results:
    host=ack601 type=AVC msg=audit(1211776125.647:26): avc: denied { write } for pid=2257 comm="spamc" path="pipe:[10747]" dev=pipefs ino=10747 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
    host=ack601 type=AVC msg=audit(1211776125.647:26): avc: denied { read } for pid=2257 comm="spamc" path="/var/spool/mqueue/dfm4Q4SjVs002253" dev=md0 ino=461541 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
    host=ack601 type=SYSCALL msg=audit(1211776125.647:26): arch=40000003 syscall=11 success=yes exit=0 a0=bfcc0bb3 a1=9ab1938 a2=9ab16e8 a3=9ab1826 items=0 ppid=2256 pid=2257 auid=4294967295 uid=500 gid=10 euid=500 suid=500 fsuid=500 egid=10 sgid=10 fsgid=10 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
Expected results:
    No logs. No denials.
Additional info:
    I'm running in permissive mode to get these logs. I'm not sure if this bug is spamassassin's tags or SELinux's targeted policy. The following local policy makes the log entries go away. In any case, this bug appears to be different from the other SELinux/spamassassin bugs in Bugzilla.
    require {
            type spamc_t;
            type sendmail_t;
            type mqueue_spool_t;
            class file read;
            class fifo_file write;
    }
    #============= spamc_t ==============
    allow spamc_t mqueue_spool_t:file read;
    allow spamc_t sendmail_t:fifo_file write;
Updated to
    selinux-policy-3.3.1-55.fc9.noarch
    selinux-policy-targeted-3.3.1-55.fc9.noarch
No help yet, despite the changelog entries (in selinux-...)
    * Tue May 20 2008 Dan Walsh <dwalsh> 3.3.1-55
    - More fixes for spamassassin
    * Tue May 20 2008 Dan Walsh <dwalsh> 3.3.1-54
    - Allow spamassassin_t to be run by system_r
[SETroubleshooter says to create a bug report under the software package, but I begin/continue to suspect that SETroubleshooter is a bit misleading. I'm updating the component to selinux-policy.]
I can confirm that this also occurs with the following selinux packages:
    selinux-policy-targeted-3.3.1-64.fc9.noarch
    selinux-policy-3.3.1-64.fc9.noarch
I see the same issue in permissive and enforcing modes.
Still there.
    selinux-policy-targeted-3.3.1-69.fc9.noarch
    spamassassin-3.2.5-1.fc9.i386
Fixed in selinux-policy-3.3.1-75.fc9.noarch
selinux-policy-3.3.1-78.fc9.noarch
The bug is lesser, but still there.
Actual Results:
    type=AVC msg=audit(1216446867.539:1612): avc: denied { write } for pid=13711 comm="spamc" path="pipe:[77712]" dev=pipefs ino=77712 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
Additional info:
    The following is my new local policy to fix it.
    require {
            type spamc_t;
            type sendmail_t;
            class fifo_file write;
    }
    #============= spamc_t ==============
    allow spamc_t sendmail_t:fifo_file write;
Fixed in selinux-policy-3.3.1-81.fc9.noarch
Grabbed selinux-policy-*-82.fc9 from rawhide. I still get the following AVC denial.
    type=AVC msg=audit(1217888347.396:884): avc: denied { write } for pid=5857 comm="spamc" path="pipe:[49956]" dev=pipefs ino=49956 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
I'm getting a very similar message on a new Fedora 9 server built this morning whenever a mail is received. Unlike the reporter I have Postfix installed, not Sendmail. Relevant packages:
    postfix-2.5.1-2.fc9.i386
    spamassassin-3.2.5-1.fc9.i386
    selinux-policy-3.3.1-84.fc9.noarch
    selinux-policy-targeted-3.3.1-84.fc9.noarch
I'll attach the log entries.
Created attachment 316317 [details]
selinux denials
I get these 3 entries every time a mail is received. Using audit2allow on the first line only gives a local policy very similar to that in comment 5 - with postfix_local_t instead of sendmail_t. Passing all 3 lines through audit2allow gives this local policy which gets rid of the denials for me:
    require {
            type spamc_t;
            type anon_inodefs_t;
            type postfix_local_t;
            class fifo_file write;
            class file { read write };
    }
    #============= spamc_t ==============
    allow spamc_t anon_inodefs_t:file { read write };
    allow spamc_t postfix_local_t:fifo_file write;
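Added example, not part of the thread and not audit2allow's own code: the aggregation the comments above rely on, turning AVC denial records into a require block and allow rules in the layout of the local policies posted in this report. The sample input is the two denials from the original report with their line wraps rejoined; the function names are chosen for this illustration.

```python
import re
from collections import defaultdict

# The two AVC records from the original report, with the 80-column wraps rejoined.
SAMPLE = '''\
host=ack601 type=AVC msg=audit(1211776125.647:26): avc: denied { write } for pid=2257 comm="spamc" path="pipe:[10747]" dev=pipefs ino=10747 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
host=ack601 type=AVC msg=audit(1211776125.647:26): avc: denied { read } for pid=2257 comm="spamc" path="/var/spool/mqueue/dfm4Q4SjVs002253" dev=md0 ino=461541 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

def context_type(context):
    # user:role:type:level -> type (the level may itself contain colons)
    return context.split(':')[2]

def collect_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:          # SYSCALL records, granted accesses, other noise
            continue
        key = (context_type(m['scon']), context_type(m['tcon']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)

def _braced(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def render_policy(rules):
    """Render the require block and allow rules for the collected denials."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ['require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {_braced(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f'allow {src} {tgt}:{tclass} {_braced(perms)};')
    return '\n'.join(out)

if __name__ == '__main__':
    print(render_policy(collect_denials(SAMPLE)))
```

Every rule emitted grants exactly the access that was denied, so each one is worth reading against the denial it came from before a module built from it is loaded.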
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
Reopening because it's not fixed. If you need to know why I waited until it was closed, see Bug 471774.
Fixed in selinux-policy-3.3.1-116.fc9.noarch
*NOT* fixed in selinux-policy-3.3.1-116.fc9.noarch The current state of the bug is still as reported in Comment #5. Is there a reason that the bug keeps getting reported as fixed (Comment #4, Comment #6, and Comment #12) when it's not fixed? What communication are we missing? As for the Postfix-specific features of the bug, it might be better to open a separate bug report. I'll set this bug back to ASSIGNED (through CLOSED, of course, since that's the only way to do it).
Allen, you are right. Unfortunately, I fixed only the bug reported in Comment #9. I will fix it in the next release of selinux-policy.
Fixed in selinux-policy-3.3.1-117.fc9.noarch
Fix verified. I'll close the bug when 117 (or later) goes to updates for F9.
selinux-policy-3.3.1-117.fc9.noarch is in updates. Closing.