Bug 525375 - selinux blocking sa-compile rule loading
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2009-09-24 05:43 UTC by Warren Togami
Modified: 2009-10-20 21:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-10-20 21:22:53 UTC


Description Warren Togami 2009-09-24 05:43:08 UTC
spamassassin has an optional tool sa-compile which uses re2c to compile regular expressions into C source, which is then compiled into loadable .so libraries.  These .so libraries are placed into standard locations.  spamd reads these standard directories and uses them for pattern matching if they exist.

SELinux is currently blocking execution of these .so files from spamd.

Error in /var/log/maillog:
Sep 24 01:33:08 master3 spamd[21288]: Can't load '/var/lib/spamassassin/compiled/5.008/3.003000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so' for module Mail::SpamAssassin::CompiledRegexps::body_0: /var/lib/spamassassin/compiled/5.008/3.003000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so: failed to map segment from shared object: Permission denied at /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/XSLoader.pm line 70. 

Expected in /var/log/maillog:
Sep 24 01:35:19 master3 spamd[21378]: zoom: able to use 1445/1447 'body_0' compiled rules (99.861%) 

type=AVC msg=audit(1253770388.148:95518): avc:  denied  { execute } for  pid=21288 comm="spamd" path="/var/lib/spamassassin/compiled/5.008/3.003000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-0 ino=878717 scontext=root:system_r:spamd_t:s0 tcontext=root:object_r:spamd_var_lib_t:s0 tclass=file

audit2allow on this AVC allows it to work.

Please include this in both Fedora and RHEL-5 selinux-policy.

Comment 1 Daniel Walsh 2009-09-24 17:13:32 UTC
If you run restorecon on this directory it will be labeled correctly, and the spam would be logged
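
For triage of the denial quoted in the description, the following added example (not part of the original bug report or of selinux-policy) parses the AVC record, formats the type-enforcement rule it corresponds to, and builds a dry-run relabel check for the directory, as comment 1 suggests. The function names are hypothetical; the sample record is copied from the description.

```python
import posixpath
import re
import shlex

# AVC record copied from the bug description above.
SAMPLE = (
    'type=AVC msg=audit(1253770388.148:95518): avc:  denied  { execute } for  '
    'pid=21288 comm="spamd" path="/var/lib/spamassassin/compiled/5.008/3.003000/'
    'auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-0 ino=878717 '
    'scontext=root:system_r:spamd_t:s0 tcontext=root:object_r:spamd_var_lib_t:s0 '
    'tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:level]; policy rules are written on the type.
    src = kv.get('scontext', '').split(':')
    tgt = kv.get('tcontext', '').split(':')
    if len(src) < 3 or len(tgt) < 3 or 'tclass' not in kv:
        return None
    return {'perms': m.group('perms').split(), 'source_type': src[2],
            'target_type': tgt[2], 'tclass': kv['tclass'],
            'comm': kv.get('comm'), 'path': kv.get('path')}


def allow_rule(d):
    """Format the denial as a type-enforcement allow rule."""
    perms = d['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {p};"


def relabel_dry_run(d):
    """Command that reports (without changing) labels that differ from policy."""
    if not d.get('path'):
        return None
    return 'restorecon -R -n -v ' + shlex.quote(posixpath.dirname(d['path']))


if __name__ == '__main__':
    denial = parse_avc(SAMPLE)
    print(allow_rule(denial))
    print(relabel_dry_run(denial))
```

Running the dry-run command first shows whether the files simply carry a stale label before any rule is added to local policy.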
