Bug 500397 - spamc denials
Summary: spamc denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On: 637843
Blocks:
Reported: 2009-05-12 14:59 UTC by Orion Poplawski
Modified: 2018-05-16 12:40 UTC (History)

Fixed In Version: nss_ldap-253-28.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 637843
Environment:
Last Closed: 2011-01-13 23:32:00 UTC
Target Upstream Version:
Embargoed:


Attachments
test package (413.58 KB, application/octet-stream), 2010-09-24 17:24 UTC, Nalin Dahyabhai


Links
Red Hat Product Errata RHBA-2011:0097 (normal, SHIPPED_LIVE): nss_ldap bug fix update, last updated 2011-01-12 17:29:13 UTC

Description Orion Poplawski 2009-05-12 14:59:41 UTC
Description of problem:

I'm seeing the following denials running spamc via .procmailrc:

type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69191]" dev=sockfs ino=69191 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69193]" dev=sockfs ino=69193 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69195]" dev=sockfs ino=69195 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=tcp_socket

probably leaked file descriptors?  Doesn't appear to cause any problems.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-229.el5
sendmail-8.13.8-2.el5
spamassassin-3.2.5-1.el5

Comment 1 Daniel Walsh 2009-08-21 21:11:02 UTC
These are leaked file descriptors, caused I believe by nss_ldap.

Comment 2 Nalin Dahyabhai 2010-07-01 00:20:56 UTC
I think there's a decent chance that this is the same bug as #512856.

Comment 6 Orion Poplawski 2010-09-24 17:02:00 UTC
Is there an updated nss_ldap for EL5 I can test with?

Comment 7 Nalin Dahyabhai 2010-09-24 17:24:58 UTC
Created attachment 449470 [details]
test package

Comment 8 Orion Poplawski 2010-09-24 19:33:33 UTC
I've built and installed it, but still seeing these messages.  Restarted sendmail, nscd, and sshd for grins but still seeing:

type=AVC msg=audit(1285356600.905:4285): avc:  denied  { write } for  pid=32535 comm="spamc" path="pipe:[624117]" dev=pipefs ino=624117 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1285356600.905:4285): avc:  denied  { read write } for  pid=32535 comm="spamc" path="socket:[624068]" dev=sockfs ino=624068 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1285356600.905:4285): avc:  denied  { read write } for  pid=32535 comm="spamc" path="socket:[624070]" dev=sockfs ino=624070 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=unix_stream_socket

Comment 9 Nalin Dahyabhai 2010-09-24 19:48:15 UTC
It's the tcp_socket leak (the connection to the directory server) we're fixing here; I'm not sure these others are under nss_ldap's control -- they look like a problem with letting sendmail run procmail run spamc.  CCing dwalsh.

Comment 10 Daniel Walsh 2010-09-25 10:06:23 UTC
Yes these are either leaks or normal fifo_file passing of stdin,stdout,stderr between multiple entities.

In F14/RHEL6 policy we have these rules.

audit2allow -i /tmp/t

#============= spamc_t ==============
#!!!! This avc is allowed in the current policy
allow spamc_t sendmail_t:fifo_file write;

#!!!! This avc has a dontaudit rule in the current policy
allow spamc_t sendmail_t:unix_stream_socket { read write };

Open a bug on RHEL5 for this policy to be backported.
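The thread above sorts the denials into two kinds: a tcp_socket that spamc inherited from nss_ldap's open directory-server connection (a real descriptor leak across exec, comment 9), and fifo/unix-socket denials that are just stdin/stdout/stderr being handed from sendmail to procmail to spamc (comment 10). The script below is an added example, not code from the bug report or from the nss_ldap or selinux-policy projects. It parses the AVC records quoted in the report, flags a denial as a likely leaked descriptor when the object is a socket or pipe labelled with a different process domain than the one being denied, and renders the same allow rules audit2allow prints in comment 10 so the two can be compared. The heuristics in classify() are the editor's own reading of the comments, not part of any tool.

```python
import re
from collections import Counter

# Constructed sample input: three AVC records copied from the bug report
# (description and comment 8) plus one non-AVC line, so the script runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69191]" dev=sockfs ino=69191 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1242140267.499:464): avc:  denied  { read write } for  pid=7236 comm="spamc" path="socket:[69195]" dev=sockfs ino=69195 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=tcp_socket
type=AVC msg=audit(1285356600.905:4285): avc:  denied  { write } for  pid=32535 comm="spamc" path="pipe:[624117]" dev=pipefs ino=624117 scontext=root:system_r:spamc_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1285356600.905:4285): this line is not an AVC record and is skipped
"""

# "avc:  denied  { read write } for  pid=... comm=..." -> permissions + key=value fields
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def parse_audit(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def domain(ctx):
    """Type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]


def classify(rec):
    """Editor's heuristic: what does this denial most likely mean?"""
    if domain(rec["scontext"]) == domain(rec["tcontext"]):
        return "same-domain"  # object created in the caller's own domain; not an inheritance issue
    path = rec.get("path", "")
    if rec["tclass"] == "tcp_socket" and path.startswith("socket:["):
        # A network connection labelled with another domain: the process inherited a
        # socket it never opened (comment 9: the directory-server connection left
        # open across exec). Fix is to close it, not to allow it.
        return "leaked-descriptor"
    if rec["tclass"] in ("fifo_file", "unix_stream_socket"):
        # stdin/stdout/stderr handed down the sendmail -> procmail -> spamc chain
        # (comment 10: policy allows or dontaudits these).
        return "fd-passing"
    return "other"


def allow_rule(rec):
    """Render the rule audit2allow would print for this denial."""
    perms = rec["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (domain(rec["scontext"]), domain(rec["tcontext"]),
                                   rec["tclass"], perm_txt)


def summarize(text):
    recs = parse_audit(text)
    counts = Counter((classify(r), r["tclass"]) for r in recs)
    rules = sorted({allow_rule(r) for r in recs})
    return recs, counts, rules


if __name__ == "__main__":
    recs, counts, rules = summarize(SAMPLE_AUDIT)
    for (label, tclass), n in sorted(counts.items()):
        print("%-18s %-18s %d" % (label, tclass, n))
    print("\nRules audit2allow would propose (a leaked descriptor should be closed, not allowed):")
    for rule in rules:
        print(rule)
</test>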

Comment 11 Nalin Dahyabhai 2010-09-27 15:18:00 UTC
(In reply to comment #10)
> Open a bug on RHEL5 for this policy to be backported.

Opened bug #637843.

Comment 14 errata-xmlrpc 2011-01-13 23:32:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0097.html