Bug 616182 - I use spamassassin with settingsd stored in a postgresql db and I get the following selinux warning
Summary: I use spamassassin with settingsd stored in a postgresql db and I get the fol...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
(Show other bugs)
Version: 13
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-19 19:37 UTC by Gabriel Ramirez
Modified: 2010-07-23 02:27 UTC (History)
0 users

Fixed In Version: selinux-policy-3.7.19-39.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-23 02:27:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Gabriel Ramirez 2010-07-19 19:37:48 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Gabriel Ramirez 2010-07-19 19:53:19 UTC
I use spamassassin-3.3.1-2.fc13.x86_64 and it store settings in a postgresql-8.4.4-1.fc13.x86_64 database by following instructions 

http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.3.x/sql/README

but I get the following security alert (I set the spamd_t domain to permissive):

Summary:

SELinux is preventing /usr/bin/perl "name_connect" access .

Detailed Description:

[spamd has a permissive type (spamd_t). This access was not denied.]

SELinux denied access requested by spamd. It is not expected that this access is
required by spamd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
.

Additional Information:

Source Context                unconfined_u:system_r:spamd_t:s0
Target Context                system_u:object_r:postgresql_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        spamd
Source Path                   /usr/bin/perl
Port                          5432
Host                          stargate.zn9.acapulco.ag
Source RPM Packages           perl-5.10.1-114.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost
Platform                      Linuxlocalhost
                              2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 19 Jul 2010 02:21:22 PM CDT
Last Seen                     Mon 19 Jul 2010 02:36:05 PM CDT
Local ID                      90f684f8-d152-4903-a35e-9ef26572e142
Line Numbers                  

Raw Audit Messages            

node=localhost type=AVC msg=audit(1279568165.441:25221): avc:  denied  { name_connect } for  pid=18577 comm="spamd" dest=5432 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

node=localhost type=SYSCALL msg=audit(1279568165.441:25221): arch=c000003e syscall=42 success=yes exit=128 a0=6 a1=375cf90 a2=10 a3=7fffb2a34c70 items=0 ppid=18575 pid=18577 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)


I made a selinux module spamdlocal.pp via audit2allow 
but a selinux boolean with a default of disabled ( I will enabled because I need it)  will be great

Thanks, 


Gabriel

Comment 2 Daniel Walsh 2010-07-19 20:18:17 UTC
We have

ptional_policy(`
	corenet_tcp_connect_postgresql_port(spamd_t)
	corenet_sendrecv_postgresql_client_packets(spamd_t)

	postgresql_stream_connect(spamd_t)
')

In Rawhide policy.

Comment 3 Miroslav Grepl 2010-07-21 07:37:53 UTC
Fixed in selinux-policy-3.7.19-39.fc13.noarch

Comment 4 Fedora Update System 2010-07-21 15:33:56 UTC
selinux-policy-3.7.19-39.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-39.fc13

Comment 5 Fedora Update System 2010-07-23 02:26:45 UTC
selinux-policy-3.7.19-39.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.