Bug 837944 - selinux policy prevents sa-update, gpg unable to access keys
selinux policy prevents sa-update, gpg unable to access keys
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-05 17:22 EDT by Scott Shambarger
Modified: 2012-12-20 10:16 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-20 10:16:37 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sa-update with audit (5.84 KB, text/plain)
2012-07-10 15:04 EDT, Scott Shambarger
no flags Details

  None (edit)
Description Scott Shambarger 2012-07-05 17:22:18 EDT
Description of problem:
sa-update cron fails, error unable to verify signature on update files

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-134

How reproducible:
/etc/cron.d/sa-update fails with selinux enabled.  With setenforce 0, sa-update succeeds.

Steps to Reproduce:
1. Install configure spamassassin
2. Set SAUPDATE=yes in /etc/sysconfig/sa-update
3. Allow cron to run cron.d/sa-update
  
Actual results:
sa-update.log shows the following error:
gpg: can't open `/etc/mail/spamassassin/channel.d/sought.conf': Permission denied
The update downloaded successfully, but it was not signed with a trusted GPG
key.  Instead, it was signed with the following keys:

    6C6191E3

Perhaps you need to import the channel's GPG key?  For example:

    wget http://spamassassin.apache.org/updates/GPG.KEY 
    sa-update --import GPG.KEY

Expected results:
sa-update should succeed, sa-update.log should contain:
SpamAssassin: Update processed successfully

Additional info:
# gpg --homedir=/etc/mail/spamassassin/sa-update-keys -k | grep 6C6191E3
results in :
pub   1024D/6C6191E3 2007-08-12 [expires: 2017-08-09]

sa-update.cron -> sa-update --import /etc/mail/spamassassin/channel.d/sought.conf is failing

sa-update.cron -> sa-update --channel sought.rules.yerp.org --gpgkey 6C6191E3 is also failing

# audit2allow -b shows the following errors:
#============= gpg_t ==============
allow gpg_t etc_mail_t:file read;

#============= spamd_update_t ============== 
allow spamd_update_t self:capability dac_read_search;

# audit2why -b shows the details (edited for space):
avc:  denied  { dac_read_search } for pid=23151 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability

avc:  denied  { read } for  pid=23152 comm="gpg" name="pubring.gpg" dev="dm-0" ino=2098175 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_mail_t:s0 tclass=file

After setenforce 0, audit2allow -b returns:
#============= gpg_t ==============
#!!!! The source type 'gpg_t' can write to a 'dir' of the following types:
# gpg_secret_t, user_home_t, user_tmp_type, user_home_dir_t, tmp_t, gpg_agent_tmp_t

allow gpg_t etc_mail_t:dir { write remove_name add_name };
allow gpg_t etc_mail_t:file { read create unlink link };
allow spamd_update_t self:capability dac_read_search;

audit2why -b has a long list of details, but they're probably not required for this description.
Comment 1 Miroslav Grepl 2012-07-09 02:08:59 EDT
Could you turn on full auditing

# auditctl -w /etc/shadow -p w

Then try to recreate AVC an then execute

# ausearch -m avc -ts recent
Comment 2 Scott Shambarger 2012-07-10 15:03:15 EDT
Ran the audit, attaching the report :)
Comment 3 Scott Shambarger 2012-07-10 15:04:09 EDT
Created attachment 597415 [details]
sa-update with audit

I'm guessing you wanted this run with setenforce 0 as well...
Comment 4 Daniel Walsh 2012-07-11 14:36:06 EDT
Do we want to prevent tools like spamassassin from accessing this data?

Data in /etc/mail/spamassassin/sa-update-keys/ how about other mail clients?
Comment 5 Scott Shambarger 2012-07-11 18:36:31 EDT
In the strictest sense, /etc/mail/spamassassin/sa-update-keys is only used by /bin/gpg spawned by /bin/sa-update.  I've grep'd through the rest of the spamassassin codebase, and nothing else refers to that directory or it's contents.

Giving that directory (and it's contents) it's own selinux type that can only be accessed by gpg as spawned by sa-update would be the strictest security option... but anything that allows the update to work is fine in my book :)
Comment 6 Michael Cronenworth 2012-09-28 09:25:15 EDT
Any update on this?
Comment 7 Daniel Walsh 2012-09-28 11:51:43 EDT
Oops we dropped the ball on this one.  I just added rules to F18 to handle this.  Miroslav can you back port.
Comment 9 Fedora Update System 2012-10-08 10:05:19 EDT
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Comment 10 Fedora Update System 2012-10-08 17:56:22 EDT
Package selinux-policy-3.10.0-153.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17
then log in and leave karma (feedback).
Comment 11 Michael Cronenworth 2012-10-09 09:21:09 EDT
This issue seems to be fixed, but a new issue has raised its head. Bug 864501.
Comment 12 Scott Shambarger 2012-10-09 14:09:08 EDT
Ran a test against -153, and I still get one of the original errors:

type=AVC msg=audit(1349783609.527:2595): avc:  denied  { dac_read_search } for  pid=6496 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability

I fixed this with the following SE module:

require {
    class capability { dac_read_search };
    type spamd_update_t;
};

allow spamd_update_t self:capability dac_read_search;

... note: the above also appears to fix Bug 864501.
Comment 13 Daniel Walsh 2012-10-09 14:18:27 EDT
Do you have /root/.spamassassin?
Comment 14 Scott Shambarger 2012-10-09 14:21:05 EDT
Correction: the fix above does silence the audit, but doesn't fix Bug 864501 (my first test didn't need an update).
Comment 15 Fedora Update System 2012-12-20 10:16:39 EST
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.