Bug 448344 - SELinux is preventing spamc "write" to pipe
SELinux is preventing spamc "write" to pipe
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2008-05-26 01:38 EDT by Allen Kistler
Modified: 2009-01-15 10:42 EST (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.3.1-117.fc9.noarch
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-15 10:41:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
selinux denials (829 bytes, text/plain)
2008-09-10 10:21 EDT, Richard Fearn
no flags Details

  None (edit)
Description Allen Kistler 2008-05-26 01:38:18 EDT
Description of problem:
Excerpting from the troubleshooter,
SELinux is preventing spamc (spamc_t) "write" to pipe (sendmail_t).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run spamd
2. Run spamc from .procmailrc
3. Receive mail

Actual results:
host=ack601 type=AVC msg=audit(1211776125.647:26): avc:  denied  { write } for  
pid=2257 comm="spamc" path="pipe:[10747]" dev=pipefs ino=10747 scontext=system_u
:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file

host=ack601 type=AVC msg=audit(1211776125.647:26): avc:  denied  { read } for  p
id=2257 comm="spamc" path="/var/spool/mqueue/dfm4Q4SjVs002253" dev=md0 ino=46154
1 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:mqueue_spool_
t:s0 tclass=file

host=ack601 type=SYSCALL msg=audit(1211776125.647:26): arch=40000003 syscall=11 
success=yes exit=0 a0=bfcc0bb3 a1=9ab1938 a2=9ab16e8 a3=9ab1826 items=0 ppid=225
6 pid=2257 auid=4294967295 uid=500 gid=10 euid=500 suid=500 fsuid=500 egid=10 sg
id=10 fsgid=10 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=
system_u:system_r:spamc_t:s0 key=(null)

Expected results:
No logs.  No denials.

Additional info:
I'm running in permissive mode to get these logs.  I'm not sure if this bug is
spamassassin's tags or SELinux's targeted policy.

The following local policy makes the log entries go away.  In any case, this bug
appears to be different from the other SELinux/spamassassin bugs in Bugzilla.

require {
        type spamc_t;
        type sendmail_t;
        type mqueue_spool_t;
        class file read;
        class fifo_file write;

#============= spamc_t ==============
allow spamc_t mqueue_spool_t:file read;
allow spamc_t sendmail_t:fifo_file write;
Comment 1 Allen Kistler 2008-05-30 04:11:31 EDT
Updated to

No help yet, despite the changelog entries (in selinux-...)
* Tue May 20 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-55
- More fixes for spamassassin

* Tue May 20 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-54
- Allow spamassassin_t to be run by system_r

[SETroubleshooter says to create a bug report under the software package, but I
begin/continue to suspect that SETroubleshooter is a bit misleading.  I'm
updating the component to selinux-policy.]
Comment 2 Alex Chernyakhovsky 2008-06-21 14:36:15 EDT
I can confirm that this also occurs with the following selinux packages:

I see the same issue in permissive and enforcing modes.
Comment 3 Allen Kistler 2008-06-28 22:07:51 EDT
Still there.
Comment 4 Daniel Walsh 2008-07-02 14:15:19 EDT
Fixed in selinux-policy-3.3.1-75.fc9.noarch
Comment 5 Allen Kistler 2008-07-19 02:19:02 EDT

The bug is lesser, but still there.

Actual Results:
type=AVC msg=audit(1216446867.539:1612): avc:  denied  { write } for  pid=13711 
comm="spamc" path="pipe:[77712]" dev=pipefs ino=77712 scontext=system_u:system_r
:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file

Additional info:
The following is my new local policy to fix it.

require {
        type spamc_t;
        type sendmail_t;
        class fifo_file write;

#============= spamc_t ==============
allow spamc_t sendmail_t:fifo_file write;
Comment 6 Daniel Walsh 2008-08-01 11:55:13 EDT
Fixed in selinux-policy-3.3.1-81.fc9.noarch
Comment 7 Allen Kistler 2008-08-04 18:26:40 EDT
Grabbed selinux-policy-*-82.fc9 from rawhide.

I still get the following AVC denial.

type=AVC msg=audit(1217888347.396:884): avc:  denied  { write } for  pid=5857 comm="spamc" path="pipe:[49956]" dev=pipefs ino=49956 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
Comment 8 Richard Fearn 2008-09-10 10:16:01 EDT
I'm getting a very similar message on a new Fedora 9 server built this morning whenever a mail is received. Unlike the reporter I have Postfix installed, not Sendmail.

Relevant packages:

I'll attach the log entries.
Comment 9 Richard Fearn 2008-09-10 10:21:40 EDT
Created attachment 316317 [details]
selinux denials

I get these 3 entries every time a mail is received.

Using audit2allow on the first line only gives a local policy very similar to that in comment 5 - with postfix_local_t instead of sendmail_t.

Passing all 3 lines through audit2allow gives this local policy which gets rid of the denials for me:

require {
	type spamc_t;
	type anon_inodefs_t;
	type postfix_local_t;
	class fifo_file write;
	class file { read write };

#============= spamc_t ==============
allow spamc_t anon_inodefs_t:file { read write };
allow spamc_t postfix_local_t:fifo_file write;
Comment 10 Daniel Walsh 2008-11-17 17:04:10 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Comment 11 Allen Kistler 2008-11-18 00:29:03 EST
Reopening because it's not fixed.
If you need to know why I waited until it was closed, see Bug 471774.
Comment 12 Miroslav Grepl 2008-12-15 08:44:11 EST
Fixed in selinux-policy-3.3.1-116.fc9.noarch
Comment 13 Allen Kistler 2008-12-24 16:46:59 EST
*NOT* fixed in selinux-policy-3.3.1-116.fc9.noarch

The current state of the bug is still as reported in Comment #5.  Is there a reason that the bug keeps getting reported as fixed (Comment #4, Comment #6, and Comment #12) when it's not fixed?  What communication are we missing?

As for the Postfix-specific features of the bug, it might be better to open a separate bug report.

I'll set this bug back to ASSIGNED (through CLOSED, of course, since that's the only way to do it).
Comment 14 Miroslav Grepl 2008-12-29 17:19:22 EST

you are right. Unfortunately, I fixed only the bug reported in Comment #9. I will fix it in next release of selinux-policy.
Comment 15 Miroslav Grepl 2009-01-05 07:45:02 EST
Fixed in selinux-policy-3.3.1-117.fc9.noarch
Comment 16 Allen Kistler 2009-01-08 19:32:30 EST
Fix verified.  I'll close the bug when 117 (or later) goes to updates for F9.
Comment 17 Allen Kistler 2009-01-15 10:41:45 EST
selinux-policy-3.3.1-117.fc9.noarch is in updates.  Closing.

Note You need to log in before you can comment on or make changes to this bug.