Description of problem: sa-update cron fails, error unable to verify signature on update files Version-Release number of selected component (if applicable): selinux-policy-3.10.0-134 How reproducible: /etc/cron.d/sa-update fails with selinux enabled. With setenforce 0, sa-update succeeds. Steps to Reproduce: 1. Install configure spamassassin 2. Set SAUPDATE=yes in /etc/sysconfig/sa-update 3. Allow cron to run cron.d/sa-update Actual results: sa-update.log shows the following error: gpg: can't open `/etc/mail/spamassassin/channel.d/sought.conf': Permission denied The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys: 6C6191E3 Perhaps you need to import the channel's GPG key? For example: wget http://spamassassin.apache.org/updates/GPG.KEY sa-update --import GPG.KEY Expected results: sa-update should succeed, sa-update.log should contain: SpamAssassin: Update processed successfully Additional info: # gpg --homedir=/etc/mail/spamassassin/sa-update-keys -k | grep 6C6191E3 results in : pub 1024D/6C6191E3 2007-08-12 [expires: 2017-08-09] sa-update.cron -> sa-update --import /etc/mail/spamassassin/channel.d/sought.conf is failing sa-update.cron -> sa-update --channel sought.rules.yerp.org --gpgkey 6C6191E3 is also failing # audit2allow -b shows the following errors: #============= gpg_t ============== allow gpg_t etc_mail_t:file read; #============= spamd_update_t ============== allow spamd_update_t self:capability dac_read_search; # audit2why -b shows the details (edited for space): avc: denied { dac_read_search } for pid=23151 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability avc: denied { read } for pid=23152 comm="gpg" name="pubring.gpg" dev="dm-0" ino=2098175 scontext=system_u:system_r:gpg_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_mail_t:s0 tclass=file After setenforce 0, audit2allow -b returns: #============= gpg_t ============== #!!!! The source type 'gpg_t' can write to a 'dir' of the following types: # gpg_secret_t, user_home_t, user_tmp_type, user_home_dir_t, tmp_t, gpg_agent_tmp_t allow gpg_t etc_mail_t:dir { write remove_name add_name }; allow gpg_t etc_mail_t:file { read create unlink link }; allow spamd_update_t self:capability dac_read_search; audit2why -b has a long list of details, but they're probably not required for this description.
Could you turn on full auditing # auditctl -w /etc/shadow -p w Then try to recreate AVC an then execute # ausearch -m avc -ts recent
Ran the audit, attaching the report :)
Created attachment 597415 [details] sa-update with audit I'm guessing you wanted this run with setenforce 0 as well...
Do we want to prevent tools like spamassassin from accessing this data? Data in /etc/mail/spamassassin/sa-update-keys/ how about other mail clients?
In the strictest sense, /etc/mail/spamassassin/sa-update-keys is only used by /bin/gpg spawned by /bin/sa-update. I've grep'd through the rest of the spamassassin codebase, and nothing else refers to that directory or it's contents. Giving that directory (and it's contents) it's own selinux type that can only be accessed by gpg as spawned by sa-update would be the strictest security option... but anything that allows the update to work is fine in my book :)
Any update on this?
Oops we dropped the ball on this one. I just added rules to F18 to handle this. Miroslav can you back port.
Added. http://git.fedorahosted.org/cgit/selinux-policy.git/commit/?h=f17&id=bb347ad748248a8282bc49cb209f9f0cf3bd258a
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Package selinux-policy-3.10.0-153.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17 then log in and leave karma (feedback).
This issue seems to be fixed, but a new issue has raised its head. Bug 864501.
Ran a test against -153, and I still get one of the original errors: type=AVC msg=audit(1349783609.527:2595): avc: denied { dac_read_search } for pid=6496 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability I fixed this with the following SE module: require { class capability { dac_read_search }; type spamd_update_t; }; allow spamd_update_t self:capability dac_read_search; ... note: the above also appears to fix Bug 864501.
Do you have /root/.spamassassin?
Correction: the fix above does silence the audit, but doesn't fix Bug 864501 (my first test didn't need an update).
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.