Bug 838918 - avc: denied { read } for ... comm="pyzor" path="/tmp/.spamassassin5957Fs1AbXtmp" ... scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
 
Reported: 2012-07-10 08:46 EDT by Milos Malik
Modified: 2013-11-04 09:20 EST
Doc Type: Bug Fix
Last Closed: 2012-10-12 15:12:30 EDT
Type: Bug
Attachments: None

Description Milos Malik 2012-07-10 08:46:11 EDT
Description of problem:
 * probably a leaked file descriptor
 * the following message was often seen in the output of the "service spamassassin status" command:
Jul 10 14:35:26 dhcp-24-118.brq.redhat.com spamd[7946]: pyzor: check failed: internal error, python traceback seen in response

Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.10.0-137.el7.noarch
selinux-policy-doc-3.10.0-137.el7.noarch
selinux-policy-3.10.0-137.el7.noarch
selinux-policy-mls-3.10.0-137.el7.noarch
selinux-policy-devel-3.10.0-137.el7.noarch
selinux-policy-targeted-3.10.0-137.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-7 machine with active targeted policy
2. run the following automated test:
   /CoreOS/selinux-policy/Regression/bz486187-spamassassin-not-working
3. search for AVCs
Actual results:
----
time->Tue Jul 10 14:25:20 2012
type=SYSCALL msg=audit(1341923120.098:18440): arch=c000003e syscall=59 success=yes exit=0 a0=409f470 a1=23d9bd0 a2=115e120 a3=7fffb2c67230 items=0 ppid=5957 pid=5958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.7" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1341923120.098:18440): avc:  denied  { read } for  pid=5958 comm="pyzor" path="/tmp/.spamassassin5957Fs1AbXtmp" dev="sda4" ino=6033676 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
----

Expected results:
* no AVCs
Comment 1 Miroslav Grepl 2012-07-11 10:00:25 EDT
Could you add AVC msgs in permissive mode with full auditing?
Comment 2 Miroslav Grepl 2012-07-11 10:07:05 EDT
I would also say we will see a problem with admin_home_t because of

/root/\.pyzor(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)
/root/\.razor(/.*)?     gen_context(system_u:object_r:spamc_home_t,s0)

and we don't have a transition rule for admin_home_t.
Comment 3 Milos Malik 2012-07-12 04:22:09 EDT
Seen in permissive mode:
----
time->Thu Jul 12 10:19:01 2012
type=PATH msg=audit(1342081141.201:20046): item=2 name=(null) inode=3671913 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1342081141.201:20046): item=1 name=(null) inode=3680202 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0
type=PATH msg=audit(1342081141.201:20046): item=0 name="/usr/bin/pyzor" inode=3680561 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:spamc_exec_t:s0
type=CWD msg=audit(1342081141.201:20046):  cwd="/"
type=EXECVE msg=audit(1342081141.201:20046): argc=2 a0="/usr/bin/python" a1="-Wignore::DeprecationWarning"
type=EXECVE msg=audit(1342081141.201:20046): argc=4 a0="/usr/bin/python" a1="-Wignore::DeprecationWarning" a2="/usr/bin/pyzor" a3="check"
type=SYSCALL msg=audit(1342081141.201:20046): arch=c000003e syscall=59 success=yes exit=0 a0=38fd350 a1=1c395d0 a2=9be120 a3=8 items=3 ppid=14131 pid=14132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.7" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1342081141.201:20046): avc:  denied  { read } for  pid=14132 comm="pyzor" path="/tmp/.spamassassin14131G6GsJmtmp" dev="sda4" ino=6033689 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
----
time->Thu Jul 12 10:19:01 2012
type=SYSCALL msg=audit(1342081141.210:20047): arch=c000003e syscall=16 success=no exit=-25 a0=0 a1=5401 a2=7fff31690ca0 a3=20 items=0 ppid=14131 pid=14132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.7" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1342081141.210:20047): avc:  denied  { ioctl } for  pid=14132 comm="pyzor" path="/tmp/.spamassassin14131G6GsJmtmp" dev="sda4" ino=6033689 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
----
time->Thu Jul 12 10:19:01 2012
type=SYSCALL msg=audit(1342081141.213:20048): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff31690c20 a2=7fff31690c20 a3=33015b9020 items=0 ppid=14131 pid=14132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.7" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1342081141.213:20048): avc:  denied  { getattr } for  pid=14132 comm="pyzor" path="/tmp/.spamassassin14131G6GsJmtmp" dev="sda4" ino=6033689 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file
----
time->Thu Jul 12 10:19:01 2012
type=PATH msg=audit(1342081141.285:20049): item=1 name="/root/.pyzor" inode=3407995 dev=08:04 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=PATH msg=audit(1342081141.285:20049): item=0 name="/root/" inode=3407873 dev=08:04 mode=040550 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1342081141.285:20049):  cwd="/"
type=SYSCALL msg=audit(1342081141.285:20049): arch=c000003e syscall=83 success=yes exit=0 a0=1ceebf0 a1=1ff a2=33015b39c8 a3=20 items=2 ppid=14131 pid=14132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.7" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1342081141.285:20049): avc:  denied  { create } for  pid=14132 comm="pyzor" name=".pyzor" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1342081141.285:20049): avc:  denied  { add_name } for  pid=14132 comm="pyzor" name=".pyzor" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1342081141.285:20049): avc:  denied  { write } for  pid=14132 comm="pyzor" name="root" dev="sda4" ino=3407873 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1342081141.285:20049): avc:  denied  { dac_override } for  pid=14132 comm="pyzor" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability
----
time->Thu Jul 12 10:19:01 2012
type=PATH msg=audit(1342081141.302:20050): item=1 name="/root/.pyzor/servers" inode=3407996 dev=08:04 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=PATH msg=audit(1342081141.302:20050): item=0 name="/root/.pyzor/" inode=3407995 dev=08:04 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1342081141.302:20050):  cwd="/"
type=SYSCALL msg=audit(1342081141.302:20050): arch=c000003e syscall=2 success=yes exit=3 a0=1d0c390 a1=241 a2=1b6 a3=238 items=2 ppid=14131 pid=14132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.7" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1342081141.302:20050): avc:  denied  { write open } for  pid=14132 comm="pyzor" name="servers" dev="sda4" ino=3407996 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1342081141.302:20050): avc:  denied  { create } for  pid=14132 comm="pyzor" name="servers" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
time->Thu Jul 12 10:19:01 2012
type=PATH msg=audit(1342081141.648:20051): item=0 name="/root/.pyzor/servers" inode=3407996 dev=08:04 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:admin_home_t:s0
type=CWD msg=audit(1342081141.648:20051):  cwd="/"
type=SYSCALL msg=audit(1342081141.648:20051): arch=c000003e syscall=2 success=yes exit=3 a0=1cc1000 a1=0 a2=1b6 a3=238 items=1 ppid=14131 pid=14132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pyzor" exe="/usr/bin/python2.7" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1342081141.648:20051): avc:  denied  { read } for  pid=14132 comm="pyzor" name="servers" dev="sda4" ino=3407996 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
Comment 4 Miroslav Grepl 2012-07-12 05:57:54 EDT
# needed by pyzor running as spamc_t
allow spamc_t self:capability dac_override;
userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t, dir, ".pyzor")

allow spamc_t spamd_tmp_t:file read_inherited_file_perms;

would be needed.
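The audit records in comment 3 and the policy lines in comment 4 are connected by a triage step that audit2allow normally performs: collapse the denials into distinct (source type, target type, class) tuples, then decide which ones are a real policy gap and which are a symptom. The script below is an added example written for this page, not code from the bug or from selinux-policy. It embeds the type=AVC lines from comment 3 verbatim, groups them, emits the raw allow rules a mechanical tool would propose, and flags the "inherited descriptor" pattern the reporter suspected: a domain denied read/ioctl/getattr on a file but never denied open on it, which is what a descriptor leaked across exec looks like. The heuristic (the FD_USE_PERMS set and the "no open denial" test) is this example's own assumption, not a rule from the policy sources.

```python
"""Triage the AVC denials from this bug report (added example, not part of the bug)."""
import re
from collections import defaultdict

# type=AVC records copied verbatim from comment 3 of this bug report.
AVC_LINES = [
    'type=AVC msg=audit(1342081141.201:20046): avc:  denied  { read } for  pid=14132 comm="pyzor" path="/tmp/.spamassassin14131G6GsJmtmp" dev="sda4" ino=6033689 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1342081141.210:20047): avc:  denied  { ioctl } for  pid=14132 comm="pyzor" path="/tmp/.spamassassin14131G6GsJmtmp" dev="sda4" ino=6033689 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1342081141.213:20048): avc:  denied  { getattr } for  pid=14132 comm="pyzor" path="/tmp/.spamassassin14131G6GsJmtmp" dev="sda4" ino=6033689 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1342081141.285:20049): avc:  denied  { create } for  pid=14132 comm="pyzor" name=".pyzor" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1342081141.285:20049): avc:  denied  { add_name } for  pid=14132 comm="pyzor" name=".pyzor" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1342081141.285:20049): avc:  denied  { write } for  pid=14132 comm="pyzor" name="root" dev="sda4" ino=3407873 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1342081141.285:20049): avc:  denied  { dac_override } for  pid=14132 comm="pyzor" capability=1  scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:spamc_t:s0 tclass=capability',
    'type=AVC msg=audit(1342081141.302:20050): avc:  denied  { write open } for  pid=14132 comm="pyzor" name="servers" dev="sda4" ino=3407996 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1342081141.302:20050): avc:  denied  { create } for  pid=14132 comm="pyzor" name="servers" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1342081141.648:20051): avc:  denied  { read } for  pid=14132 comm="pyzor" name="servers" dev="sda4" ino=3407996 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
]

# Matches the permission set and the three fields that identify a policy rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that are exercised on an already-open descriptor (assumption for the heuristic).
FD_USE_PERMS = {'read', 'write', 'ioctl', 'getattr', 'lock', 'append'}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def summarize(lines):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def inherited_fd_candidates(lines):
    """Return (source, target) file pairs that were used but never denied 'open'.

    A domain that reads, ioctls or getattrs a file without ever being denied
    open on it did not open the file itself: the descriptor came from the
    parent across exec, which is the leaked-descriptor hypothesis in this bug.
    """
    result = []
    for (stype, ttype, tclass), perms in summarize(lines).items():
        if tclass == 'file' and 'open' not in perms and FD_USE_PERMS & set(perms):
            result.append((stype, ttype))
    return sorted(result)


def allow_rules(lines):
    """Emit the raw allow rules a mechanical tool would propose, one per tuple."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        target = 'self' if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(perms)} }};")
    return rules


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
    print('inherited-descriptor candidates:', inherited_fd_candidates(AVC_LINES))
```

Run as-is, the script reports spamd_tmp_t as the only inherited-descriptor candidate: pyzor is denied read, ioctl and getattr on /tmp/.spamassassin14131G6GsJmtmp (note the parent pid 14131 in the name) but never open, whereas /root/.pyzor/servers carries an open denial because pyzor opened that file itself. That split is why the maintainer's fix grants spamd_tmp_t only read_inherited_file_perms rather than full file access, and why the admin_home_t denials are answered with a file transition into spamc_home_t rather than the blanket "allow spamc_t admin_home_t:dir { add_name create write }" that the raw rule list proposes; a raw rule to admin_home_t would let the spamc domain write anywhere under /root.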
Comment 5 Miroslav Grepl 2012-07-13 05:04:26 EDT
I added fixes to rawhide.
