Bug 474183 - pyzor selinux warnings
pyzor selinux warnings
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-02 12:38 EST by Jeff Layton
Modified: 2014-06-18 03:38 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 05:31:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jeff Layton 2008-12-02 12:38:30 EST
Since updating to F10, I've started seeing some regular selinux warnings from pyzor. FWIW, restoring the file context didn't help. Let me know if you need other info:

-------------------------------------------------------------------------

Summary:

SELinux is preventing pyzor (spamc_t) "execute_no_trans" to /usr/bin/pyzor
(spamc_exec_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by pyzor. It is not expected that this access is
required by pyzor and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/bin/pyzor,

restorecon -v '/usr/bin/pyzor'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:spamc_t
Target Context                system_u:object_r:spamc_exec_t
Target Objects                /usr/bin/pyzor [ file ]
Source                        pyzor
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          salusa.poochiereds.net
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages           pyzor-0.4.0-11.fc7
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     salusa.poochiereds.net
Platform                      Linux salusa.poochiereds.net
                              2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18
                              11:58:53 EST 2008 x86_64 x86_64
Alert Count                   85
First Seen                    Sun 30 Nov 2008 07:46:00 AM EST
Last Seen                     Tue 02 Dec 2008 12:32:25 PM EST
Local ID                      3f5296d3-a985-46d6-9fb7-698577377165
Line Numbers                  

Raw Audit Messages            

node=salusa.poochiereds.net type=AVC msg=audit(1228239145.627:1667): avc:  denied  { execute_no_trans } for  pid=25395 comm="spamassassin" path="/usr/bin/pyzor" dev=dm-3 ino=1476756 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file

node=salusa.poochiereds.net type=SYSCALL msg=audit(1228239145.627:1667): arch=c000003e syscall=59 success=yes exit=0 a0=7f4b683d7bb8 a1=209a198 a2=7fff7218dd90 a3=8 items=0 ppid=25390 pid=25395 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python" subj=system_u:system_r:spamc_t:s0 key=(null)
Comment 1 Jeff Layton 2008-12-03 09:18:42 EST
Adding Dan, any thoughts?
Comment 2 Daniel Walsh 2008-12-03 09:34:35 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-30.fc10
Comment 3 Neil Squires 2009-01-24 23:09:34 EST
I have also had this bug. I disabled selinux and spamassassin has since added

[root@sensi spamass-milter]# ls -laZ
drwx------  sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 .
drwxr-xr-x  root root system_u:object_r:var_run_t:s0   ..
drwxr-xr-x  sa-milt sa-milt unconfined_u:object_r:spamd_var_run_t:s0 .pyzor
drwx------  sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 .spamassassin
srwxr-xr-x  sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 spamass-milter.sock
[root@sensi spamass-milter]# cd .pyzor
[root@sensi .pyzor]# ls -laZ
drwxr-xr-x  sa-milt sa-milt unconfined_u:object_r:spamd_var_run_t:s0 .
drwx------  sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 ..
-rw-r--r--  sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 servers

to the /var/run/spamass-milter/ directory. The above contexts have been progressively modified with the following .te files:

mail.te

module local 1.0;

require {
	type spamc_t;
	type dhcpd_t;
	type var_lib_t;
	type freshclam_t;
	type spamd_var_run_t;
	class capability { dac_read_search dac_override };
	class dir { write search };
}

#============= dhcpd_t ==============
allow dhcpd_t self:capability { dac_read_search dac_override };

#============= freshclam_t ==============
allow freshclam_t var_lib_t:dir search;

#============= spamc_t ==============
allow spamc_t spamd_var_run_t:dir write;

mail1.te

module local 1.0;

require {
	type spamc_t;
	type spamd_var_run_t;
	class dir add_name;
}

#============= spamc_t ==============
allow spamc_t spamd_var_run_t:dir add_name;

mail2.te

module local 1.0;

require {
	type spamc_t;
	type spamd_var_run_t;
	class dir write;
}

#============= spamc_t ==============
allow spamc_t spamd_var_run_t:dir write;

Currently running selinux-policy.noarch 3.5.13-38.fc10

Currently about to generate selinux module for the latest se alert


Summary:

SELinux is preventing pyzor (spamc_t) "getattr" to
/var/run/spamass-milter/.pyzor/servers (spamd_var_run_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by pyzor. It is not expected that this access is
required by pyzor and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/run/spamass-milter/.pyzor/servers,

restorecon -v '/var/run/spamass-milter/.pyzor/servers'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:spamc_t:s0
Target Context                system_u:object_r:spamd_var_run_t:s0
Target Objects                /var/run/spamass-milter/.pyzor/servers [ file ]
Source                        pyzor
Source Path                   /usr/bin/python2.5
Port                          <Unknown>
Host                          sensi.n-ksquires.id.au
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-38.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     sensi.n-ksquires.id.au
Platform                      Linux sensi.n-ksquires.id.au
                              2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16
                              14:47:52 EST 2008 x86_64 x86_64
Alert Count                   9
First Seen                    Sun 25 Jan 2009 10:36:53 AM EST
Last Seen                     Sun 25 Jan 2009 01:57:16 PM EST
Local ID                      4c8a1a6a-d721-4a19-87ce-ed24b3f52c54
Line Numbers                  

Raw Audit Messages            

node=sensi.n-ksquires.id.au type=AVC msg=audit(1232855836.385:119): avc:  denied  { getattr } for  pid=10808 comm="pyzor" path="/var/run/spamass-milter/.pyzor/servers" dev=dm-0 ino=51094321 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=file

node=sensi.n-ksquires.id.au type=SYSCALL msg=audit(1232855836.385:119): arch=c000003e syscall=4 success=yes exit=0 a0=889f80 a1=7fff3d49e3a0 a2=7fff3d49e3a0 a3=65767265732f726f items=0 ppid=3535 pid=10808 auid=4294967295 uid=492 gid=0 euid=492 suid=492 fsuid=492 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.5" subj=system_u:system_r:spamc_t:s0 key=(null)

Latest version of the module file, mail3.te contains:

module local 1.0;

require {
	type spamc_t;
	type devpts_t;
	type var_lib_t;
	type sendmail_t;
	type samba_etc_t;
	type freshclam_t;
	type spamd_var_run_t;
	class dir { search add_name };
	class file { write getattr read create };
	class chr_file write;
}

#============= freshclam_t ==============
allow freshclam_t var_lib_t:dir search;

#============= sendmail_t ==============
allow sendmail_t devpts_t:chr_file write;
allow sendmail_t samba_etc_t:file { read getattr };

#============= spamc_t ==============
allow spamc_t spamd_var_run_t:dir add_name;
allow spamc_t spamd_var_run_t:file { write read create getattr };

This was generated following a system reboot.

It appears that the pyzor is using the run directory for variable and file storage and has not been set the right context. I also note that this policy I am using is after the fix policy.
Comment 4 Miroslav Grepl 2009-02-03 14:01:21 EST
Fixed in selinux-policy-3.5.13-42.fc10
Comment 5 Bug Zapper 2009-11-18 05:16:18 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.