Bug 452738 - selinux denials when using razor and spamassassin (spamd)
Summary: selinux denials when using razor and spamassassin (spamd)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-24 18:07 UTC by Carl Roth
Modified: 2008-11-17 22:04 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:04:48 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
sealert output (23.42 KB, text/plain)
2008-07-10 18:21 UTC, Carl Roth 		no flags Details
View All

Description Carl Roth 2008-06-24 18:07:28 UTC 
Description of problem:

The selinux targeted policy allows the use of razor-admin and razor-report in
selinux enforcing mode (razor_per_role_template etc.) but it not sufficient to
allow spamassassin to launch razor via its Perl API.  When using spamassassin,
the razor libraries, config files, etc. are invoked from the spamd_t domain. 
Tying together razor and spamassassin (spamd_t) using the templates in razor.if
results in module compilation errors due to conflicting rules.

Version-Release number of selected component (if applicable):

perl-Razor-Agent-2.84-4.fc9.i386
spamassassin-3.2.4-4.fc9.i386
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

I did some quick cut-and-paste with razor.if and I came up with a simpler
interface that can be used to interface to spamd_t:

########################################
## <summary>
##	Invoke razor libraries from the target domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ursus_razor_perl_client',`

  gen_require(`
    type razor_t;
    type razor_log_t;
    type razor_var_lib_t;
  ')

  # subset of rules from razor_common_domain_template

  manage_dirs_pattern($1,razor_log_t,razor_log_t)
  manage_files_pattern($1,razor_log_t,razor_log_t)
  manage_lnk_files_pattern($1,razor_log_t,razor_log_t)
  # FIXME: this may end up depositing log files with incorrect labels

  manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  corenet_tcp_sendrecv_razor_port($1)

  dnl allow $1 { razor_t }:process { signal };
  dnl probably only needed for scripts and such

')

razor_per_role_template(user, user_t, user_r)
ursus_razor_perl_client(spamd_t)
Comment 1 Robert Scheck 2008-06-24 18:35:43 UTC 
This is not a problem of razor/spamassassin, but of selinux-policy. Re-
assigning to selinux-policy. Daniel, can you take care of it, please?
Comment 2 Daniel Walsh 2008-06-30 17:46:15 UTC 
Could you please attach the audit.log file that you used to generate this policy.

Currently razor should be transitioning to spamd_t

If you update to the current policy (selinux-policy-3.3.1-72.fc9.noarch)
do you still need your custom policy?
Comment 3 Carl Roth 2008-07-10 18:20:26 UTC 
Yes, it transitions to spamd_t, at which point it no longer has access to
razor's data and config files.

I'm attaching the output of 'sealert -l' for the various AVCs generated when I
disable my above-posted policy changes.  These were generated on a system
running with selinux-policy-targeted-3.3.1-74.fc9.noarch.
Comment 4 Carl Roth 2008-07-10 18:21:29 UTC 
Created attachment 311501 [details]
sealert output
Comment 5 Daniel Walsh 2008-07-15 18:16:11 UTC 
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-78.fc9.noarch
Comment 6 Daniel Walsh 2008-11-17 22:04:48 UTC 
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Note You need to log in before you can comment on or make changes to this bug.