Bug 500397 - spamc denials
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: Ondrej Moriš
Depends On: 637843
Reported: 2009-05-12 10:59 EDT by Orion Poplawski
Modified: 2011-01-13 18:32 EST
Fixed In Version: nss_ldap-253-28.el5
Doc Type: Bug Fix
Clones: 637843
Last Closed: 2011-01-13 18:32:00 EST

Attachments
test package (413.58 KB, application/octet-stream)
2010-09-24 13:24 EDT, Nalin Dahyabhai

Description Orion Poplawski 2009-05-12 10:59:41 EDT
Description of problem:

I'm seeing the following denials running spamc via .procmailrc:

type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69191]" dev=sockfs ino=69191 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69193]" dev=sockfs ino=69193 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69195]" dev=sockfs ino=69195 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=tcp_socket

Probably leaked file descriptors? Doesn't appear to cause any problems.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-229.el5
sendmail-8.13.8-2.el5
spamassassin-3.2.5-1.el5
Comment 1 Daniel Walsh 2009-08-21 17:11:02 EDT
These are leaked file descriptors, caused, I believe, by nss_ldap.
Comment 2 Nalin Dahyabhai 2010-06-30 20:20:56 EDT
I think there's a decent chance that this is the same bug as #512856.
Comment 6 Orion Poplawski 2010-09-24 13:02:00 EDT
Is there an updated nss_ldap for EL5 I can test with?
Comment 7 Nalin Dahyabhai 2010-09-24 13:24:58 EDT
Created attachment 449470 [details]
test package
Comment 8 Orion Poplawski 2010-09-24 15:33:33 EDT
I've built and installed it, but still seeing these messages. Restarted sendmail, nscd, and sshd for grins but still seeing:

type=AVC msg=audit(1285356600.905:4285): avc:  denied  { write } for  pid=32535 comm="spamc" path="pipe:[624117]" dev=pipefs ino=624117 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1285356600.905:4285): avc:  denied  { read write } for  pid=32535 comm="spamc" path="socket:[624068]" dev=sockfs ino=624068 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1285356600.905:4285): avc:  denied  { read write } for  pid=32535 comm="spamc" path="socket:[624070]" dev=sockfs ino=624070 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=unix_stream_socket
Comment 9 Nalin Dahyabhai 2010-09-24 15:48:15 EDT
It's the tcp_socket leak (the connection to the directory server) we're fixing here; I'm not sure these others are under nss_ldap's control -- they look like a problem with letting sendmail run procmail run spamc.  CCing dwalsh.
Comment 10 Daniel Walsh 2010-09-25 06:06:23 EDT
Yes, these are either leaks or normal fifo_file passing of stdin, stdout, stderr between multiple entities.

In F14/RHEL6 policy we have these rules.

audit2allow -i /tmp/t


#============= spamc_t ==============
#!!!! This avc is allowed in the current policy

allow spamc_t sendmail_t:fifo_file write;
#!!!! This avc has a dontaudit rule in the current policy

allow spamc_t sendmail_t:unix_stream_socket { read write };

Open a bug on RHEL5 for this policy to be backported.
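A triage script, added here as an example (not code from this bug's participants or from nss_ldap), that applies the distinction drawn in comments 9 and 10 to the AVC records quoted above: an anonymous socket or pipe labelled with another process's domain reached spamc by inheritance across exec, and only the tcp_socket one (the parent's directory-server connection) is the leak nss_ldap fixes. The SAMPLE_AVCS constant and the labels it prints are constructed for this example.

```python
import re

# Constructed sample input: three of the AVC records quoted in this bug (description and comment 8).
SAMPLE_AVCS = """\
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69191]" dev=sockfs ino=69191 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69195]" dev=sockfs ino=69195 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=tcp_socket
type=AVC msg=audit(1285356600.905:4285): avc:  denied  { write } for  pid=32535 comm="spamc" path="pipe:[624117]" dev=pipefs ino=624117 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=fifo_file
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_PERMS = re.compile(r'\{ ([^}]*) \}')       # the "{ read write }" permission set


def parse_avc(line: str) -> dict:
    """Split one AVC record into its key=value fields plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    fields['perms'] = m.group(1).strip() if m else ''
    return fields


def domain(ctx: str) -> str:
    """Type component of a user:role:type:level SELinux context."""
    return ctx.split(':')[2]


def classify(avc: dict) -> str:
    """Label a denial the way comments 9 and 10 distinguish them (labels are this example's)."""
    anonymous = avc.get('path', '').startswith(('socket:[', 'pipe:['))
    # An anonymous socket/pipe labelled with another process's domain can only have
    # reached spamc by being inherited across fork/exec.
    if not anonymous or domain(avc['scontext']) == domain(avc['tcontext']):
        return 'other'
    if avc['tclass'] == 'tcp_socket':
        return 'leaked-network-socket'   # parent's directory-server connection: the nss_ldap leak
    if avc['tclass'] == 'fifo_file':
        return 'stdio-pipe-passing'      # normal stdin/stdout/stderr hand-off; allowed in newer policy
    if avc['tclass'] == 'unix_stream_socket':
        return 'inherited-unix-socket'   # dontaudit rule in newer policy
    return 'inherited-other'


def triage(log: str) -> list:
    """(comm, tclass, label) for every AVC record in the log text."""
    records = (parse_avc(l) for l in log.splitlines() if l.startswith('type=AVC'))
    return [(r['comm'], r['tclass'], classify(r)) for r in records]


if __name__ == '__main__':
    for comm, tclass, label in triage(SAMPLE_AVCS):
        print(f'{comm:8} {tclass:20} {label}')
```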
Comment 11 Nalin Dahyabhai 2010-09-27 11:18:00 EDT
(In reply to comment #10)
> Open a bug on RHEL5 for this policy to be backported.

Opened bug #637843.
Comment 14 errata-xmlrpc 2011-01-13 18:32:00 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0097.html
