Description of problem:
Multiple SELinux denial messages appear in /var/log/messages relating to spamassassin.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-277.el5
selinux-policy-2.4.6-277.el5
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
spamassassin-3.2.5-1.el5

How reproducible:
100%

Steps to Reproduce:
1. Send mail to spamassassin by editing /etc/sysconfig/spamassassin:
   SPAMDOPTIONS="-d -c -m5 -H -u mail"
   and restarting the spamassassin service
2. watch /var/log/messages
3. observe avc denials
4. run 'restorecon -v mail'

Actual results:
avc denials continue to appear

Expected results:
no avc denials should be observed

Additional info:
Mar 8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 62198810-eede-4bd7-bfb7-0d40c977dd59
Mar 8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 5a8870e3-0521-46ba-becc-dd7663473be9
Mar 8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to ./user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 4b11da28-7c1b-4e3a-a4a8-3b53aa42a024
Mar 8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/bayes_toks (mail_spool_t). For complete SELinux messages. run sealert -l 801c3d02-0893-4339-9d79-dbc749eef6cc
Mar 8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/bayes_toks (mail_spool_t). For complete SELinux messages. run sealert -l 801c3d02-0893-4339-9d79-dbc749eef6cc
Mar 8 15:07:19 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./.spamassassin (mail_spool_t). For complete SELinux messages. run sealert -l cd2e8187-879f-4de8-9483-b15340dd64c6
Miroslav, add mta_manage_spool(spamd_t). This is what RHEL6 has.
Miroslav, if other bugs in beta come in please add this. Or add it to 5.6.
Is there anything that I can install to test this?
You can build a policy module to allow this.

# cat > myspamd.te << _EOF
policy_module(myspamd, 1.0)
gen_require(`
	type spamd_t;
')
mta_manage_spool(spamd_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myspamd.pp

This will add the rules and then you can test if this solves your problems.
I got a syntax error for the ` not being closed by another `, or something like that, so I did:

policy_module(myspamd, 1.0)
gen_require(
	type spamd_t;
)
mta_manage_spool(spamd_t)

This seemed to work, and I loaded the resultant SELinux module. Now I get the following:

Source Context                system_u:system_r:spamc_t
Target Context                system_u:system_r:sendmail_t
Target Objects                pipe [ fifo_file ]
Source                        spamc
Source Path                   /usr/bin/spamc
Port                          <Unknown>
Host                          atmayogi.com
Source RPM Packages           spamassassin-3.2.5-1.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     atmayogi.com
Platform                      Linux atmayogi.com 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:43 EDT 2010 i686 i686
Alert Count                   18696
First Seen                    Mon Sep 7 09:21:12 2009
Last Seen                     Tue Apr 27 09:04:46 2010
Local ID                      dfe5db79-9ffe-4b82-bd80-da23ce8d6674
Line Numbers

Raw Audit Messages

host=atmayogi.com type=AVC msg=audit(1272323086.489:69590): avc: denied { write } for pid=17442 comm="spamc" path="pipe:[2864779]" dev=pipefs ino=2864779 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
host=atmayogi.com type=SYSCALL msg=audit(1272323086.489:69590): arch=40000003 syscall=11 success=yes exit=0 a0=8f30d98 a1=8f33498 a2=8f333d8 a3=3 items=0 ppid=17441 pid=17442 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
Miroslav, F13 has sendmail_rw_pipes(spamc_t). This needs to be backported.
This has fixed it. The messages no longer appear in syslog.
What is this fixed in? With selinux-policy-2.4.6-279.el5 I still get:

type=AVC msg=audit(1274205757.808:10460): avc: denied { write } for pid=3779 comm="spamc" path="pipe:[2731252]" dev=pipefs ino=2731252 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1274205757.808:10460): avc: denied { read write } for pid=3779 comm="spamc" path="socket:[2731050]" dev=sockfs ino=2731050 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

although SpamAssassin appears to work.

# semodule -l | grep spam
spamassassin 1.9.0
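As an added example (not part of the bug report or of the selinux-policy package), a small parser that reduces raw AVC records like the ones quoted above to (source type, target type, object class, permission) counts and flags the source/target pairs this thread says selinux-policy-2.4.6-281.el5 addresses, so an administrator can tell the denials covered by this bug apart from ones that need their own review. The SAMPLE_AUDIT text and the KNOWN_FIXED table are assumptions built from the thread.

```python
import re
from collections import Counter

# Sample audit records: the first three lines are taken from this report
# (two AVC records and one SYSCALL record that must be ignored); the spamd
# line is constructed to match the setroubleshoot messages in the description
# (its pid, dev and ino values are made up).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1274205757.808:10460): avc: denied { write } for pid=3779 comm="spamc" path="pipe:[2731252]" dev=pipefs ino=2731252 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1274205757.808:10460): avc: denied { read write } for pid=3779 comm="spamc" path="socket:[2731050]" dev=sockfs ino=2731050 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1272323086.489:69590): arch=40000003 syscall=11 success=yes exit=0 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1268060825.123:4242): avc: denied { write } for pid=2210 comm="spamd" name="user_prefs" dev=sda3 ino=123456 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
"""

# Only AVC records carry the denied-permission set and the two contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def type_of(context):
    # user:role:type[:level] -> the type field, e.g. spamc_t
    return context.split(":")[2]

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m.group("comm"),
        "perms": tuple(m.group("perms").split()),   # "{ read write }" -> 2 perms
        "source": type_of(m.group("scon")),
        "target": type_of(m.group("tcon")),
        "tclass": m.group("tclass"),
    }

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts

# Source/target type pairs reported in this bug; the thread states they are
# fixed in selinux-policy-2.4.6-281.el5 (assumed mapping, built from the thread).
KNOWN_FIXED = {
    ("spamd_t", "mail_spool_t"): "selinux-policy-2.4.6-281.el5 (mta_manage_spool)",
    ("spamc_t", "sendmail_t"): "selinux-policy-2.4.6-281.el5 (sendmail_rw_pipes)",
}

def triage(log_text):
    """Map each denial key to the fix that covers it, or None if unknown."""
    return {key: KNOWN_FIXED.get((key[0], key[1])) for key in summarize(log_text)}
```

Anything triage() maps to None is a denial this bug does not explain and should be looked at separately rather than allowed with a catch-all module.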
Fixed in selinux-policy-2.4.6-281.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: When running SELinux in the enforcing mode, various SpamAssassin operations may have been denied, and multiple denial messages could be written to the /var/log/messages log file. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which permit appropriate operations.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html