Bug 571319 - Spamassassin is denied operations
Summary: Spamassassin is denied operations
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.5
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2010-03-08 05:49 UTC by Joshua Wulf
Modified: 2014-10-19 22:58 UTC (History)
When running SELinux in the enforcing mode, various SpamAssassin operations may have been denied, and multiple denial messages could be written to the /var/log/messages log file. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which permit appropriate operations.
Clone Of:
Last Closed: 2011-01-13 21:48:33 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Joshua Wulf 2010-03-08 05:49:50 UTC
Description of problem: Multiple selinux denial messages appear in /var/log/messages relating to spamassassin


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-277.el5
selinux-policy-2.4.6-277.el5
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
spamassassin-3.2.5-1.el5

How reproducible: 100%


Steps to Reproduce:
1. Send mail to spamassassin by editing /etc/sysconfig/spamassassin:
SPAMDOPTIONS="-d -c -m5 -H -u mail"
and restarting the spamassassin service
2. watch /var/log/messages
3. observe avc denials
4. run 'restorecon -v mail'

Actual results:
avc denials continue to appear

Expected results:
no avc denials should be observed

Additional info:
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 62198810-eede-4bd7-bfb7-0d40c977dd59
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 5a8870e3-0521-46ba-becc-dd7663473be9
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "read" to ./user_prefs (mail_spool_t). For complete SELinux messages. run sealert -l 4b11da28-7c1b-4e3a-a4a8-3b53aa42a024
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/bayes_toks (mail_spool_t). For complete SELinux messages. run sealert -l 801c3d02-0893-4339-9d79-dbc749eef6cc
Mar  8 15:07:05 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "getattr" to /var/spool/mail/.spamassassin/bayes_toks (mail_spool_t). For complete SELinux messages. run sealert -l 801c3d02-0893-4339-9d79-dbc749eef6cc
Mar  8 15:07:19 atmayogi setroubleshoot: SELinux is preventing spamd (spamd_t) "write" to ./.spamassassin (mail_spool_t). For complete SELinux messages. run sealert -l cd2e8187-879f-4de8-9483-b15340dd64c6

Comment 1 Daniel Walsh 2010-03-08 20:37:49 UTC
Miroslav,

Add

mta_manage_spool(spamd_t)

This is what RHEL6 has.

Comment 3 Daniel Walsh 2010-03-09 14:59:41 UTC
Miroslav, if other bugs in beta come in please add this.  Or add it to 5.6.

Comment 4 Joshua Wulf 2010-04-22 22:01:11 UTC
Is there anything that I can install to test this?

Comment 5 Daniel Walsh 2010-04-23 12:51:19 UTC
You can build a policy module to allow this.

# cat > myspamd.te  << _EOF
policy_module(myspamd, 1.0)
gen_require(`
           type spamd_t;
')
mta_manage_spool(spamd_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myspamd.pp

This will add the rules and then you can test if this solves your problems.

Comment 6 Joshua Wulf 2010-04-26 23:07:58 UTC
I got a syntax error for the ` not being closed by another `, or something like that, so I did:

policy_module(myspamd, 1.0)
gen_require(
           type spamd_t;
)
mta_manage_spool(spamd_t)

This seemed to work, and I loaded the resultant SELinux module. Now I get the following:


Source Context                system_u:system_r:spamc_t
Target Context                system_u:system_r:sendmail_t
Target Objects                pipe [ fifo_file ]
Source                        spamc
Source Path                   /usr/bin/spamc
Port                          <Unknown>
Host                          atmayogi.com
Source RPM Packages           spamassassin-3.2.5-1.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     atmayogi.com
Platform                      Linux atmayogi.com 2.6.18-194.el5 #1 SMP Tue Mar
                              16 21:52:43 EDT 2010 i686 i686
Alert Count                   18696
First Seen                    Mon Sep  7 09:21:12 2009
Last Seen                     Tue Apr 27 09:04:46 2010
Local ID                      dfe5db79-9ffe-4b82-bd80-da23ce8d6674
Line Numbers                  

Raw Audit Messages            

host=atmayogi.com type=AVC msg=audit(1272323086.489:69590): avc:  denied  { write } for  pid=17442 comm="spamc" path="pipe:[2864779]" dev=pipefs ino=2864779 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file

host=atmayogi.com type=SYSCALL msg=audit(1272323086.489:69590): arch=40000003 syscall=11 success=yes exit=0 a0=8f30d98 a1=8f33498 a2=8f333d8 a3=3 items=0 ppid=17441 pid=17442 auid=4294967295 uid=0 gid=12 euid=0 suid=0 fsuid=0 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)

Comment 7 Daniel Walsh 2010-04-27 14:18:28 UTC
Miroslav, F13 has

	sendmail_rw_pipes(spamc_t)


This needs to be back ported.

Comment 8 Joshua Wulf 2010-04-29 23:38:44 UTC
This has fixed it. The messages no longer appear in syslog.

Comment 9 Orion Poplawski 2010-05-18 18:08:50 UTC
What is this fixed in?  With selinux-policy-2.4.6-279.el5 I still get:

type=AVC msg=audit(1274205757.808:10460): avc:  denied  { write } for  pid=3779 comm="spamc" path="pipe:[2731252]" dev=pipefs ino=2731252 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1274205757.808:10460): avc:  denied  { read write } for  pid=3779 comm="spamc" path="socket:[2731050]" dev=sockfs ino=2731050 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

although spam assassin appears to work.

# semodule -l | grep spam
spamassassin    1.9.0
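As an added example (not code from this bug or from the selinux-policy package), the script below parses AVC records like the ones quoted in comments 6 and 9, merges the denied permissions per source type, target type and object class, and renders a local .te module in the shape of comment 5, calling the interfaces named in comments 1 and 7 where they match and otherwise emitting a raw allow rule flagged for review. The sample records are constructed from the ones in this bug; the mapping table and the fallback rule are this example's assumptions, and whether sendmail_rw_pipes also covers the unix_stream_socket denial from comment 9 is not settled here.

```python
import re
# Constructed sample AVC records, modelled on the denials quoted in this bug
# (spamd_t on mail_spool_t files; spamc_t on sendmail_t pipe and socket).
SAMPLE_AVCS = """\
type=AVC msg=audit(1272323086.489:69590): avc:  denied  { write } for  pid=17442 comm="spamc" path="pipe:[2864779]" dev=pipefs ino=2864779 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=fifo_file
type=AVC msg=audit(1274205757.808:10460): avc:  denied  { read write } for  pid=3779 comm="spamc" path="socket:[2731050]" dev=sockfs ino=2731050 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1268024825.100:1234): avc:  denied  { getattr } for  pid=4321 comm="spamd" path="/var/spool/mail/.spamassassin/user_prefs" dev=dm-0 ino=99 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1268024825.100:1235): avc:  denied  { write } for  pid=4321 comm="spamd" name="user_prefs" dev=dm-0 ino=99 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1268024825.100:1235): arch=40000003 syscall=11 success=yes exit=0 comm="spamd"
"""

# Interfaces named in this bug (comments 1 and 7), keyed by (source, target, class).
# Assumed mapping for this example; not an official table from the policy.
INTERFACE_HINTS = {
    ("spamd_t", "mail_spool_t", "file"): "mta_manage_spool(spamd_t)",
    ("spamc_t", "sendmail_t", "fifo_file"): "sendmail_rw_pipes(spamc_t)",
}

def parse_avc(line):
    """Return ((source type, target type, tclass), {perms}) or None for non-denial lines."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    stype, ttype = kv["scontext"].split(":")[2], kv["tcontext"].split(":")[2]
    return (stype, ttype, kv["tclass"]), set(m.group(1).split())

def collect_denials(text):
    """Merge denied permissions per (source, target, class) across all AVC lines."""
    merged = {}
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            merged.setdefault(parsed[0], set()).update(parsed[1])
    return merged

def render_module(name, denials, hints=INTERFACE_HINTS):
    """Build .te source: an interface call where one is known, else a flagged allow rule."""
    types = sorted({x for key in denials for x in key[:2]})
    out = ["policy_module(%s, 1.0)" % name, "gen_require(`"]
    out += ["\ttype %s;" % t for t in types] + ["')"]
    seen = set()
    for (s, t, c), perms in sorted(denials.items()):
        iface = hints.get((s, t, c))
        if iface and iface not in seen:
            seen.add(iface)
            out.append(iface)
        elif not iface:
            out.append("# no interface known from this bug; review before loading")
            out.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"
```

The rendered text is what you would save as myspamd.te before the make and semodule steps in comment 5.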

Comment 11 Miroslav Grepl 2010-07-22 09:27:29 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 14 Jaromir Hradilek 2011-01-05 16:10:04 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When running SELinux in the enforcing mode, various SpamAssassin operations may have been denied, and multiple denial messages could be written to the /var/log/messages log file. This error has been fixed, and selinux-policy packages now contain updated SELinux rules, which permit appropriate operations.

Comment 16 errata-xmlrpc 2011-01-13 21:48:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

