Bug 738140 - spamd/exim AVCs on delivery attempt when unconfined is off
Summary: spamd/exim AVCs on delivery attempt when unconfined is off
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: spamassassin
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Warren Togami
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-14 05:52 UTC by Robin Powell
Modified: 2012-02-15 21:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-15 21:15:04 UTC
Type: ---
Embargoed:



Description Robin Powell 2011-09-14 05:52:52 UTC
Pretty straightforward:

type=AVC msg=audit(1315979064.478:125461): avc:  denied  { read } for  pid=26788 comm="spamd" name="shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1315979064.478:125461): avc:  denied  { open } for  pid=26788 comm="spamd" name="shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1315979064.482:125462): avc:  denied  { getattr } for  pid=26788 comm="spamd" path="/etc/shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Note that I had to turn dontaudit off to see these.

-Robin
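The three records above are what a maintainer would feed to audit2allow, and the rule that falls out of them is the whole point of the later discussion: they collapse to a single allow of read/open/getattr on shadow_t for spamd_t, which is precisely the access nobody wants to grant, so the only sensible policy answer is a dontaudit with the same shape. As an added illustration, not part of the bug report, here is a small awk-based reducer that derives that rule from raw AVC lines; the sample records are the three from the report, copied into a variable so the script runs offline, and the output format mirrors what audit2allow prints but the code is not audit2allow.

```shell
# Added example, not part of the bug report: reduce raw AVC records to the
# policy rule they imply (the shape audit2allow would print for them).
# Pass "dontaudit" as the first argument to print the silencing rule instead
# of the allow rule.
avc_to_rule() {
    awk -v verb="${1:-allow}" '
    /avc: +denied/ {
        perm = ""; s = ""; t = ""; c = ""
        # permissions sit inside the first "{ ... }"
        if (match($0, /\{ [a-z_ ]+ \}/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   { c = kv[2] }
        }
        if (s == "" || t == "" || c == "" || perm == "") { next }
        key = s " " t ":" c
        # accumulate distinct permissions per (source, target:class) pair
        if (!(key in perms)) {
            perms[key] = perm
        } else if (index(" " perms[key] " ", " " perm " ") == 0) {
            perms[key] = perms[key] " " perm
        }
    }
    END {
        for (k in perms) { printf "%s %s { %s };\n", verb, k, perms[k] }
    }' | sort
}

# Constructed sample: the three records from the report, one per line.
SAMPLE_AVC='type=AVC msg=audit(1315979064.478:125461): avc:  denied  { read } for  pid=26788 comm="spamd" name="shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1315979064.478:125461): avc:  denied  { open } for  pid=26788 comm="spamd" name="shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1315979064.482:125462): avc:  denied  { getattr } for  pid=26788 comm="spamd" path="/etc/shadow" dev=vda2 ino=264049 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

rule_for_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_rule "$@"
}

rule_for_sample
rule_for_sample dontaudit
```

On a live system the records only appear once dontaudit rules are disabled, which is what the reporter did: `semodule -DB` rebuilds the policy with all dontaudit rules dropped, and `semodule -B` restores them; while they are disabled, `ausearch -m avc -c spamd` pulls the relevant records out of the audit log for the reducer above.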

Comment 1 Miroslav Grepl 2011-09-14 07:50:59 UTC
I don't think these AVCs cause spamd to fail.

So spamd doesn't work in enforcing mode, and if you switch to permissive then spamd works, but without AVC msgs?

Comment 2 Robin Powell 2011-09-14 08:20:30 UTC
I don't think they cause fails either, but I haven't looked all that hard, and spamd is fairly robust to errors; it could be failing to perform a particular check but otherwise succeeding.

Which doesn't mean you want to allow this necessarily; this was a "just FYI" sort of thing; struck me as worth mentioning.

-Robin

Comment 3 Miroslav Grepl 2011-09-15 14:04:23 UTC
But I still don't know whether spamd works for you in enforcing mode or not.

Comment 4 Daniel Walsh 2011-09-15 14:27:50 UTC
Spamd should definitely not be trying to read the /etc/shadow file.
Does this use the PAM stack somehow?

Comment 5 Robin Powell 2011-09-16 01:07:28 UTC
Sorry about that.  Yes, it totally works even if it can't open /etc/shadow.  I can give you an strace of the two cases if you care.

-Robin

Comment 6 Daniel Walsh 2011-09-16 15:22:26 UTC
OK. Do you know if it is using the PAM stack? I guess we can dontaudit the access.

Comment 7 Robin Powell 2011-09-17 07:21:52 UTC
I don't know, no.  If you can tell me how to figure that out, I'll look.

The access already is dontaudit; I said that at the beginning.

Sorry, I didn't mean to waste people's time like this.

-Robin
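The thread leaves the reporter's question ("tell me how to figure that out") unanswered. As an added example that is not part of the bug report, one reliable way to check is to look for libpam in the memory map of the running process. spamd is a Perl daemon, so `ldd` on the perl binary says nothing useful; the assumption behind this check is that PAM would reach spamd through a Perl binding such as Authen::PAM, which dlopens libpam at runtime and therefore shows up only in `/proc/<pid>/maps` of the live process. The maps excerpts below are constructed so the check can be exercised offline; the `pid_uses_pam` function is what you would run against the real daemon.

```shell
# Added example, not part of the bug report: does this process have the PAM
# stack loaded? Check its memory map for libpam rather than trusting ldd,
# since a Perl daemon pulls libpam in at runtime (assumed: via a binding such
# as Authen::PAM), not at link time.
maps_use_pam() {
    # $1: a file in /proc/<pid>/maps format. Returns 0 if libpam.so is mapped.
    grep -q '/libpam\.so' "$1"
}

pid_uses_pam() {
    # $1: pid. Reading another user's maps needs root (or the same uid).
    maps_use_pam "/proc/$1/maps"
}

# Constructed maps excerpts (addresses and paths are made up): one process
# with libpam mapped, one with only the perl runtime.
WITH_PAM_MAPS='7f1a0c2e0000-7f1a0c2e4000 r-xp 00000000 fd:02 264049 /usr/lib64/libpam.so.0.83.1
7f1a0c4f0000-7f1a0c500000 r-xp 00000000 fd:02 264050 /usr/lib64/perl5/CORE/libperl.so'
WITHOUT_PAM_MAPS='7f1a0c4f0000-7f1a0c500000 r-xp 00000000 fd:02 264050 /usr/lib64/perl5/CORE/libperl.so'

check_sample() {
    # $1: maps text. Prints "pam" or "no-pam" so the result is easy to assert on.
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if maps_use_pam "$tmp"; then echo pam; else echo no-pam; fi
    rm -f "$tmp"
}

check_sample "$WITH_PAM_MAPS"
check_sample "$WITHOUT_PAM_MAPS"

# Live use (as root): test every spamd process, children included.
#   for p in $(pgrep -x spamd); do pid_uses_pam "$p" && echo "$p: libpam mapped"; done
# The complementary view, from the file side, is to watch which code path
# actually touches /etc/shadow:
#   strace -f -e trace=file -p "$(pgrep -o -x spamd)" 2>&1 | grep /etc/shadow
```

If libpam is mapped, the /etc/shadow open is almost certainly pam_unix probing the shadow file and the dontaudit is the right call; if it is not, the access comes from somewhere else in spamd's own code (a plugin or a user-lookup routine) and the strace is the faster way to find the caller.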
