Bug 856536 - AVCs when running spamassassin test with disabled unconfined and unlabelednet
Summary: AVCs when running spamassassin test with disabled unconfined and unlabelednet
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-12 09:19 UTC by Michal Trunecka
Modified: 2015-02-25 10:45 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-25 10:45:55 UTC
Target Upstream Version:
Embargoed:



Description Michal Trunecka 2012-09-12 09:19:38 UTC
Description of problem:
An AVC was reported during the spamassassin automation test with the unconfined and unlabelednet SELinux modules disabled. The test passes when both modules are enabled.

AVC reported in permissive mode:
----
time->Wed Sep 12 11:12:32 2012
type=PATH msg=audit(1347441152.567:6485): item=1 name="razor-agent.log" inode=162576 dev=08:03 mode=0100600 ouid=504 ogid=505 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=PATH msg=audit(1347441152.567:6485): item=0 name="/home/user32413/mail" inode=159905 dev=08:03 mode=040775 ouid=504 ogid=505 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1347441152.567:6485):  cwd="/home/user32413/mail"
type=SYSCALL msg=audit(1347441152.567:6485): arch=c000003e syscall=2 success=yes exit=4 a0=4c2dee0 a1=441 a2=1b6 a3=33ab31dbe0 items=2 ppid=851 pid=852 auid=0 uid=504 gid=505 euid=504 suid=504 fsuid=504 egid=505 sgid=505 fsgid=505 tty=(none) ses=3 comm="spamassassin" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { create } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { add_name } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { write } for  pid=852 comm="spamassassin" name="mail" dev=sda3 ino=159905 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
spamassassin-3.3.1-2.el6.x86_64
selinux-policy-3.7.19-161.el6.noarch
selinux-policy-minimum-3.7.19-161.el6.noarch
selinux-policy-targeted-3.7.19-161.el6.noarch
selinux-policy-mls-3.7.19-161.el6.noarch
selinux-policy-doc-3.7.19-161.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. Run automation test:
/CoreOS/selinux-policy/Regression/bz481387-cannot-execute-spamassassin

Actual results:
AVC is reported

Expected results:
No AVC

Comment 2 Daniel Walsh 2012-09-12 11:03:26 UTC
These AVCs have nothing to do with unconfined being disabled. What directories does spamassassin need to write in the homedir?

/root/\.pyzor(/.*)?	system_u:object_r:spamc_home_t:s0
/root/\.spamd(/.*)?	system_u:object_r:spamc_home_t:s0
/root/\.razor(/.*)?	system_u:object_r:spamc_home_t:s0
/root/\.spamassassin(/.*)?	system_u:object_r:spamc_home_t:s0


We have labels for these.  But this test looks like spamc is spewing into ~/

Comment 3 Michal Trunecka 2012-11-05 17:42:14 UTC
After the test finishes, there is a correct razor-agent.log file in the .razor directory. But when running in permissive mode, there is also a razor-agent.log file in the ~/mail directory, which causes the AVC.

It may be related to the comment in /usr/share/perl5/Razor2/Client/Agent.pm before assigning the 'razor-agent.log' string to the logfile variable:

    # Note: we start logging before we process '-create' ,
    # so logfile will not go into a newly created razorhome

But I don't understand what it exactly means. The following code is in /usr/share/perl5/Razor2/Logger.pm, and the $name variable holds the mentioned filename:

        open (LOGF, ">>$name") or do {          # append to the log file named in $name
            if ($self->{DontDie}) {
                open LOGF, ">>/dev/null" or do { # on failure, log to /dev/null instead of dying
                    print STDERR "Failed to open /dev/null, $!\n";
                };
            } else {
                die $!;                          # without DontDie, abort with the OS error
            }
        };

It would explain why nothing happens when the access is denied.

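Added example (not code from the report, from spamassassin or from the selinux-policy package) that parses the audit records quoted in the description, groups the three AVC records of event 6485 into one denial summary for the spamc_t to user_home_t pair, resolves the denied path from the PATH and CWD records, and checks that path against the file-context patterns Daniel Walsh listed in comment 2. Assumptions made here: the "/root" prefix in those patterns stands for whichever home directory is affected (the shipped policy expands HOME_DIR per user), anything else under a home directory is taken to default to user_home_t, and the names parse_audit, denied_path, denials_by_pair, expected_type and diagnose are chosen for this example. The sample records are copied from the description; the paths tested (~/mail/razor-agent.log against ~/.razor/razor-agent.log from comment 3) are constructed.

```python
"""Parse the AVC records quoted in this report and check the denied path against
the spamc file-context table. Added example, not code from the report or from selinux-policy."""
import os
import re
from collections import defaultdict

# Constructed sample input: the audit records from the bug description.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1347441152.567:6485): item=1 name="razor-agent.log" inode=162576 dev=08:03 mode=0100600 ouid=504 ogid=505 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=PATH msg=audit(1347441152.567:6485): item=0 name="/home/user32413/mail" inode=159905 dev=08:03 mode=040775 ouid=504 ogid=505 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1347441152.567:6485):  cwd="/home/user32413/mail"
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { create } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { add_name } for  pid=852 comm="spamassassin" name="razor-agent.log" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1347441152.567:6485): avc:  denied  { write } for  pid=852 comm="spamassassin" name="mail" dev=sda3 ino=159905 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

# File contexts from comment 2. Assumptions for this example: "/root" stands for
# the affected user's home directory (the policy expands HOME_DIR per user), and
# anything else under a home directory defaults to user_home_t.
SPAMC_FCONTEXTS = [
    (r"/root/\.pyzor(/.*)?", "spamc_home_t"),
    (r"/root/\.spamd(/.*)?", "spamc_home_t"),
    (r"/root/\.razor(/.*)?", "spamc_home_t"),
    (r"/root/\.spamassassin(/.*)?", "spamc_home_t"),
]
DEFAULT_HOME_TYPE = "user_home_t"
HOME_RE = re.compile(r"^(/root|/home/[^/]+)(?=/|$)")
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def type_of(context):
    return context.split(":")[2]  # user:role:type:level -> type

def parse_audit(text):
    """Group records by audit serial: {serial: {"avc": [...], "cwd": str, "paths": [(item, name, type)]}}."""
    events = defaultdict(lambda: {"avc": [], "cwd": None, "paths": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[m.group("serial")]
        if line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:
                ev["avc"].append({"result": a.group("result"), "perms": set(a.group("perms").split()),
                                  "stype": type_of(a.group("sctx")), "ttype": type_of(a.group("tctx")),
                                  "tclass": a.group("tclass")})
        else:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            if line.startswith("type=CWD"):
                ev["cwd"] = fields["cwd"]
            elif line.startswith("type=PATH"):
                ev["paths"].append((int(fields["item"]), fields["name"], type_of(fields["obj"])))
    return dict(events)

def denied_path(event):
    """Full path of the object: PATH item 0 is the parent directory, item 1 the leaf name."""
    names = {item: name for item, name, _ in event["paths"]}
    parent = names.get(0, "")
    if not os.path.isabs(parent):
        parent = os.path.join(event["cwd"] or "/", parent)
    return os.path.normpath(os.path.join(parent, names.get(1, "")))

def denials_by_pair(events):
    """{(source type, target type): {tclass: set(permissions)}} over all denied AVCs."""
    out = defaultdict(lambda: defaultdict(set))
    for ev in events.values():
        for a in ev["avc"]:
            if a["result"] == "denied":
                out[(a["stype"], a["ttype"])][a["tclass"]] |= a["perms"]
    return {pair: dict(classes) for pair, classes in out.items()}

def expected_type(path):
    """Label the file-context table assigns to a home-directory path; last match wins."""
    home = HOME_RE.match(path)
    if not home:
        return None
    label = DEFAULT_HOME_TYPE
    for pattern, ftype in SPAMC_FCONTEXTS:
        if re.fullmatch(pattern.replace("/root", re.escape(home.group(1)), 1), path):
            label = ftype
    return label

def diagnose(events):
    """Separate a mislabelled object (restorecon would fix it) from an object the
    policy labels as intended but the domain was never meant to write."""
    report = []
    for serial, ev in sorted(events.items()):
        if not any(a["result"] == "denied" for a in ev["avc"]):
            continue
        path = denied_path(ev)
        actual = max(ev["paths"])[2] if ev["paths"] else None  # label of the leaf PATH item
        expected = expected_type(path)
        verdict = "mislabelled" if expected and actual != expected else "outside_policy"
        report.append({"serial": serial, "path": path, "actual": actual,
                       "expected": expected, "verdict": verdict})
    return report
```

For the records above, diagnose() reports /home/user32413/mail/razor-agent.log with actual and expected label both user_home_t, so the verdict is outside_policy: the file is labelled exactly as the file-context table says it should be, and no relabelling pass can change that. The same path under ~/.razor maps to spamc_home_t, which is the location spamc_t is allowed to write, so the denial is the policy doing its job against a file written to the wrong directory.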
Comment 4 Miroslav Grepl 2012-11-06 08:53:47 UTC
So the question is why there also needs to be a ~/mail dir with the razor-agent.log file.

Comment 5 RHEL Program Management 2012-12-14 08:17:36 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 10 Miroslav Grepl 2015-02-25 10:45:55 UTC
We have fixes in RHEL7 where we are able to fix it using filename transitions. It needs to be fixed by either restorecond or restorecon in RHEL6.

