Bug 452738 - selinux denials when using razor and spamassassin (spamd)
selinux denials when using razor and spamassassin (spamd)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-24 14:07 EDT by Carl Roth
Modified: 2008-11-17 17:04 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:04:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sealert output (23.42 KB, text/plain)
2008-07-10 14:21 EDT, Carl Roth
no flags Details

  None (edit)
Description Carl Roth 2008-06-24 14:07:28 EDT
Description of problem:

The selinux targeted policy allows the use of razor-admin and razor-report in
selinux enforcing mode (razor_per_role_template etc.) but it not sufficient to
allow spamassassin to launch razor via its Perl API.  When using spamassassin,
the razor libraries, config files, etc. are invoked from the spamd_t domain. 
Tying together razor and spamassassin (spamd_t) using the templates in razor.if
results in module compilation errors due to conflicting rules.

Version-Release number of selected component (if applicable):

perl-Razor-Agent-2.84-4.fc9.i386
spamassassin-3.2.4-4.fc9.i386
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

I did some quick cut-and-paste with razor.if and I came up with a simpler
interface that can be used to interface to spamd_t:

########################################
## <summary>
##	Invoke razor libraries from the target domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ursus_razor_perl_client',`

  gen_require(`
    type razor_t;
    type razor_log_t;
    type razor_var_lib_t;
  ')

  # subset of rules from razor_common_domain_template

  manage_dirs_pattern($1,razor_log_t,razor_log_t)
  manage_files_pattern($1,razor_log_t,razor_log_t)
  manage_lnk_files_pattern($1,razor_log_t,razor_log_t)
  # FIXME: this may end up depositing log files with incorrect labels

  manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  corenet_tcp_sendrecv_razor_port($1)

  dnl allow $1 { razor_t }:process { signal };
  dnl probably only needed for scripts and such

')

razor_per_role_template(user, user_t, user_r)
ursus_razor_perl_client(spamd_t)
Comment 1 Robert Scheck 2008-06-24 14:35:43 EDT
This is not a problem of razor/spamassassin, but of selinux-policy. Re-
assigning to selinux-policy. Daniel, can you take care of it, please?
Comment 2 Daniel Walsh 2008-06-30 13:46:15 EDT
Could you please attach the audit.log file that you used to generate this policy.

Currently razor should be transitioning to spamd_t

If you update to the current policy (selinux-policy-3.3.1-72.fc9.noarch)
do you still need your custom policy?
Comment 3 Carl Roth 2008-07-10 14:20:26 EDT
Yes, it transitions to spamd_t, at which point it no longer has access to
razor's data and config files.

I'm attaching the output of 'sealert -l' for the various AVCs generated when I
disable my above-posted policy changes.  These were generated on a system
running with selinux-policy-targeted-3.3.1-74.fc9.noarch.
Comment 4 Carl Roth 2008-07-10 14:21:29 EDT
Created attachment 311501 [details]
sealert output
Comment 5 Daniel Walsh 2008-07-15 14:16:11 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-78.fc9.noarch
Comment 6 Daniel Walsh 2008-11-17 17:04:48 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.