Bug 480129 - Error at calling service amavisd restart when SELinux is in enforce mode
Error at calling service amavisd restart when SELinux is in enforce mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Milos Malik
ActualBug
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-15 04:52 EST by Frank Büttner
Modified: 2013-01-07 22:30 EST (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-328.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 22:30:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Frank Büttner 2009-01-15 04:52:41 EST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729)

Version: amavisd-new-2.4.5-1.el5
When run service amavisd restart I get the message:
amavisd beenden:  Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [2389] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
amavisd starten:                                           [  OK  ]


Reproducible: Always

Steps to Reproduce:
1. run service amavisd restart

Actual Results:  
Getting the message above.

Expected Results:  
restart without the messeage
Comment 1 Erik M Jacobs 2012-03-31 12:31:22 EDT
I can confirm that I am also having this issue, except I am not experiencing it on all machines.  Using the same package as Frank:

[root@shrugged ~]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [28085] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Note that there was an old thread that discussed this:
http://old.nabble.com/-etc-init.d-amavisd-stop-Error-td21979008.html

The uptime program is provided by the procps package, and I have updated to the latest version on all machines: procps.x86_64 3.2.7-18.el5

I still get the error.

My dev server is running a slightly newer kernel and is not experiencing this issue:
dev (2.6.18-274.el5) vs prod (2.6.18-238.el5)

The oddity here is that if I do exactly what the system script is doing, I don't get the error:
action $"Shutting down ${prog_base}:" ${prog} -c ${prog_config_file} stop

Updating to the latest version of initscripts doesn't fix the problem either:
initscripts-8.45.42-1.el5

I'm not sure exactly how to further troubleshoot/locate this issue. But it's rather annoying that every time amavis gets restarted this proc error gets generated.
Comment 2 Erik M Jacobs 2012-03-31 12:45:29 EDT
OK, looking at the topic of the bug, it says "only in enforcing mode."

I can confirm that the issue does not present in permissive mode:
[root@shrugged ~]$ setenforce permissive
[root@shrugged ~]$ service amavisd restart
Shutting down amavisd: Daemon [28225] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

[root@shrugged ~]$ setenforce enforcing
[root@shrugged ~]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [28261] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Here is the painful irony:
In enforcing mode, there are no denials logged!!  the system needs to be in permissive mode in order to even see the AVC denials:
type=MAC_STATUS msg=audit(1333211543.148:58687): enforcing=0 old_enforcing=1 auid=501 ses=8891
type=SYSCALL msg=audit(1333211543.148:58687): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffcc69c460 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28239 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58688): avc:  denied  { read } for  pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58689): avc:  denied  { lock } for  pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=MAC_STATUS msg=audit(1333211551.191:58690): enforcing=1 old_enforcing=0 auid=501 ses=8891
type=SYSCALL msg=audit(1333211551.191:58690): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffa8f0fce0 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28269 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)

So, it looks like there are selinux issues with trying to access uptime:
[root@shrugged ~]$ ausearch -m avc -ts 12:00
----
time->Sat Mar 31 16:32:26 2012
type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58689): avc:  denied  { lock } for  pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
----
time->Sat Mar 31 16:32:26 2012
type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333211546.444:58688): avc:  denied  { read } for  pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Into audit2allow:
#============= amavis_t ==============
allow amavis_t initrc_var_run_t:file { read lock };

Now, I'm not sure if this should be default SELinux policy or not, or if there should be a boolean... but this is what's causing the issue.  It's not in amavis, and I'll be updating the bug appropriately.
Comment 3 Erik M Jacobs 2012-03-31 12:45:49 EDT
[root@shrugged ~]$ rpm -qa | grep selinux
libselinux-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
selinux-policy-2.4.6-300.el5
selinux-policy-targeted-2.4.6-300.el5
libselinux-ruby-1.33.4-5.7.el5
Comment 4 Erik M Jacobs 2012-03-31 12:48:03 EDT
With the latest versions of the policy installed, this error persists:

[root@atlas /var/log]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5

[root@atlas /var/log]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [23101] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]
Comment 5 Erik M Jacobs 2012-03-31 12:49:27 EDT
Updated bug to be assigned to selinux-policy for el5.
Comment 6 Erik M Jacobs 2012-03-31 18:36:12 EDT
OK, think I spoke too soon.  Here's the latest situation:

[root@atlas /etc/puppet]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5

[root@atlas /etc/puppet]$ getenforce
Permissive

[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3230] terminated by SIGTERM 
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

In this configuration, nothing gets logged to the audit log (yes, permissive).

If we switch to enforcing:
[root@atlas /etc/puppet]$ setenforce 1
[root@atlas /etc/puppet]$ getenforce
Enforcing
[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [3286] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

SELinux is definitely doing something naughty.  Apparently there are some things that default policies set to not audit:
http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/9234

Disabling the dontaudit and going to permissive:
[root@atlas /etc/puppet]$ semodule -DB
[root@atlas /etc/puppet]$ setenforce 0
[root@atlas /etc/puppet]$ getenforce
Permissive
[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3315] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

[root@atlas /etc/puppet]$ date
Sat Mar 31 22:33:06 GMT 2012
[root@atlas /etc/puppet]$ ausearch -m avc -ts 22:33 | audit2allow


#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

This looks good I guess. But this module won't compile and install:
[root@atlas ~]$ ausearch -m avc -ts 22:33 | audit2allow -M amavisd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i amavisd.pp
[root@atlas ~]$ cat amavisd.te

module amavisd 1.0;

require {
        type amavis_t;
        type security_t;
        type proc_t;
        type user_home_dir_t;
        type selinux_config_t;
        type shadow_t;
        class file { read getattr };
        class dir search;
}

#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;
[root@atlas ~]$ semodule -i amavisd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow amavis_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

So I'm at a loss as to actually how to generate a policy here that will work.
Comment 7 Erik M Jacobs 2012-03-31 18:47:31 EDT
So the violation is because of a read shadow restraint.  Since I can't think of a good reason why amavisd should be reading shadow, I just commented it out.

[root@atlas ~]$ cat amavisd.te 

module amavisd 1.0;

require {
        type amavis_t;
        type security_t;
        type proc_t;
        type user_home_dir_t;
        type selinux_config_t;
        #type shadow_t;
        class file { read getattr };
        class dir search;
}

#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
#allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

Installing this module works, and when in enforcing mode, no error is generated:
[root@atlas ~]$ getenforce
Enforcing
[root@atlas ~]$ service amavisd restart
Shutting down amavisd: Daemon [3347] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

The only selinux denial that still happens is the shadow read:
[root@atlas ~]$ ausearch -m avc -ts 22:45:50 | audit2allow


#============= amavis_t ==============
allow amavis_t shadow_t:file read;

Now, this policy module can probably be clamped down to fix what's going on, because it seems to me like it opens up a fair number of holes.
Comment 8 Miroslav Grepl 2012-04-02 06:54:01 EDT
Could you test it only with this rule

allow amavis_t proc_t:file read;
Comment 9 Erik M Jacobs 2012-04-05 14:18:31 EDT
Looks like it works.

[root@atlas ~]$ cat amavisd-miro.te
module amavisd-miro 1.0;

require {
  type amavis_t;
  type proc_t;
  class file read;
}

#============= amavis_t ==============
allow amavis_t proc_t:file read;

[root@atlas ~]$ service amavisd restart
Shutting down amavisd: Daemon [28091] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Still getting errors:
type=AVC msg=audit(1333649748.098:11411): avc:  denied  { read } for  pid=28571 comm="amavisd" name="shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1333649748.098:11411): arch=c000003e syscall=2 success=yes exit=5 a0=2ba41721d2da a1=0 a2=1b6 a3=0 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649748.098:11412): avc:  denied  { getattr } for  pid=28571 comm="amavisd" path="/etc/shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1333649748.098:11412): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff158c5960 a2=7fff158c5960 a3=0 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649748.099:11413): avc:  denied  { search } for  pid=28571 comm="amavisd" name="root" dev=dm-0 ino=545089 scontext=user_u:system_r:amavis_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1333649748.099:11413): arch=c000003e syscall=4 success=no exit=-2 a0=c93c730 a1=c806140 a2=c806140 a3=7 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11414): avc:  denied  { search } for  pid=28578 comm="amavisd" name="selinux" dev=dm-0 ino=353080 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1333649749.867:11414): avc:  denied  { read } for  pid=28578 comm="amavisd" name="config" dev=dm-0 ino=353317 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11414): arch=c000003e syscall=2 success=yes exit=4 a0=3b91e12a64 a1=0 a2=1b6 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11415): avc:  denied  { getattr } for  pid=28578 comm="amavisd" path="/etc/selinux/config" dev=dm-0 ino=353317 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11415): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fffd9c7dfd0 a2=7fffd9c7dfd0 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11416): avc:  denied  { search } for  pid=28578 comm="amavisd" name="/" dev=selinuxfs ino=392 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1333649749.867:11416): avc:  denied  { read } for  pid=28578 comm="amavisd" name="mls" dev=selinuxfs ino=12 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11416): arch=c000003e syscall=2 success=yes exit=4 a0=7fffd9c7d0e0 a1=0 a2=0 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null)

(audit2allow)
#============= amavis_t ==============
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

But they don't cause any issue with the proc errors or anything like that.
Comment 10 Daniel Walsh 2012-04-09 16:27:25 EDT
We seem to dontaudit all of these in Fedora.
Comment 11 RHEL Product and Program Management 2012-06-13 08:09:05 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 16 errata-xmlrpc 2013-01-07 22:30:49 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

Note You need to log in before you can comment on or make changes to this bug.