Bug 628866 - init script searches cwd which can cause SELinux denials
Summary: init script searches cwd which can cause SELinux denials
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spamassassin
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 836169 1070830 1159820
Reported: 2010-08-31 08:45 UTC by Milos Malik
Modified: 2016-07-27 08:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 08:38:16 UTC
Target Upstream Version:
Embargoed:


External links: CPAN bug 67602

Description Milos Malik 2010-08-31 08:45:57 UTC
Description of problem:
Some administrators don't use "service" command when managing a service. They still do it this way:
/etc/init.d/SERVICE start
/etc/init.d/SERVICE restart
/etc/init.d/SERVICE stop
This procedure can cause SELinux denials when an administrator issues the command in an unusual location (a usual location is, for example, / or /root; selinux-policy is aware of usual locations and those SELinux denials are dontaudited). I would like to ask you to fix the init script in such a way that it does not search for programs in the current working directory.

Version-Release number of selected component (if applicable):
spamassassin-3.3.1-2.el6.i686
selinux-policy-3.7.19-42.el6.noarch
selinux-policy-doc-3.7.19-42.el6.noarch
selinux-policy-minimum-3.7.19-42.el6.noarch
selinux-policy-mls-3.7.19-42.el6.noarch
selinux-policy-targeted-3.7.19-42.el6.noarch

How reproducible:
always

Steps to Reproduce:
# cd /var/log/audit
# /etc/init.d/spamassassin start
Starting spamd:                                              [  OK  ]
# /etc/init.d/spamassassin stop
Stopping spamd:                                            [  OK  ]
# ausearch -m avc -ts recent
----
time->Tue Aug 31 10:27:46 2010
type=SYSCALL msg=audit(1283243266.323:155): arch=40000003 syscall=195 success=no exit=-13 a0=8325e28 a1=82fc0c0 a2=6fdff4 a3=82fc008 items=0 ppid=4237 pid=4238 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1283243266.323:155): avc:  denied  { search } for  pid=4238 comm="spamd" name="audit" dev=dm-0 ino=9973 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----

Actual results:
an AVC appears

Expected results:
no AVC appears

Additional info:

Comment 1 RHEL Program Management 2011-01-07 15:52:07 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 2 Petr Lautrbach 2011-04-15 13:43:36 UTC
This is caused by the Net::DNS module, whose default behaviour is to read /etc/resolv.conf, $HOME/resolv.conf and ./.resolv.conf even if config_file is specified in the new method. The last two files shouldn't be read by default since it's a possible security issue - a user can drop a .resolv.conf pointing to a malicious DNS server.

Workaround for ./.resolv.conf would be to change directory to / right at the beginning of spamd. However there is still $HOME/resolv.conf issue left but selinux doesn't complain about it.
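The cwd-relative lookup described in the report's reproduction steps and in this comment, shown as an added shell example that is not part of the bug report, of spamassassin or of Net::DNS. `fake_spamd` is a hypothetical stand-in for a daemon that, like Net::DNS, consults `./.resolv.conf` in whatever directory it was started from; `start_unfixed` and `start_fixed` model the init script before and after the `cd /` change, with the fixed variant run in a subshell so the caller's own working directory is left alone.

```shell
#!/bin/sh
# Added example (not from the bug report, spamassassin or Net::DNS): models a
# daemon that honours a config file relative to its cwd, and the "cd /" fix.
# fake_spamd, start_unfixed and start_fixed are hypothetical names.

# Stand-in for spamd: reports which resolver configuration it would use.
fake_spamd() {
    if [ -f ./.resolv.conf ]; then
        echo "cwd-config"        # a per-directory file in the cwd would win
    else
        echo "system-config"     # only the system-wide /etc/resolv.conf is used
    fi
}

# Unfixed launcher: the daemon inherits the administrator's working directory.
start_unfixed() {
    fake_spamd
}

# Fixed launcher: same intent as the "cd /" hunk, but guarded (a failed chdir
# aborts instead of silently starting from the caller's cwd) and run in a
# subshell so the caller's cwd is untouched.
start_fixed() {
    ( cd / || exit 1; fake_spamd )
}

# Demonstration on a constructed scratch directory that carries a .resolv.conf,
# standing in for an untrusted directory an administrator might start from.
demo() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/.resolv.conf"
    ( cd "$scratch" && printf 'unfixed: %s\nfixed:   %s\n' \
        "$(start_unfixed)" "$(start_fixed)" )
    rm -rf "$scratch"
}

demo
```

Running the script prints `unfixed: cwd-config` and `fixed: system-config`: the same daemon, started from the same directory, only picks up the directory-local file when the launcher fails to reset the working directory.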

Comment 3 Marcela Mašláňová 2011-04-20 07:36:56 UTC
I created bug for Net::DNS upstream, but I'm not sure if it's bug for them or how they will handle it. It might be better to fix it in spamassassin as you proposed. At least for now.

Comment 4 RHEL Program Management 2011-07-05 23:43:21 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 12 Jakub Jelen 2015-11-30 14:54:44 UTC
It is possible to fix it as in comment #5 and earlier:

diff --git a/spamd/redhat-rc-script.sh b/spamd/redhat-rc-script.sh
index dfe09db..05a07f3 100755
--- a/spamd/redhat-rc-script.sh
+++ b/spamd/redhat-rc-script.sh
@@ -41,6 +41,7 @@ case "$1" in
        [ -x /sbin/portrelease ] && /sbin/portrelease spamd &>/dev/null || :
        # Start daemon.
        echo -n $"Starting $prog: "
+       cd /
        daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
        RETVAL=$?
         echo
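Review bot: the added `cd /` is unguarded and changes the working directory for everything that follows in the start branch, so any relative path passed through `$SPAMDOPTIONS` or `$SPAMD_PID` now resolves against `/` instead of the caller's directory; consider `cd / || return 1` (or wrapping the `cd` and the `daemon` call in a subshell) so a failed chdir cannot silently fall back to starting spamd from the administrator's cwd, and document in the script that paths in those variables must be absolute. The trailing context line ` echo` is indented one space deeper than its neighbours; that is pre-existing, but worth normalising while this block is being touched.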


Moving to rhel-6.8 (as it was lying forgotten here). CPAN upstream bug is fixed now, but I don't think we can bet on its update, so preferred fix will be the above mentioned one. Left for consideration is the possible regression that the different working directory can cause.

Comment 14 Peter Vrabec 2016-07-27 08:38:16 UTC
When Red Hat shipped 6.8 on May 10, 2016, RHEL 6 entered Production Phase 2.
https://access.redhat.com/support/policy/updates/errata#Production_2_Phase
That means only "Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released".

Additionally, this issue has been resolved in Red Hat Enterprise Linux 7 which is still in Production Phase 1. Please consider upgrading to RHEL 7 where less than critical bugs, hardware enablement and feature requests can be addressed. Please re-open this Bugzilla if it is production impacting and critical for the customer and provide a thorough business justification.

