Bug 172088 - (selinux) problems when invoking spamassassin from procmail
Summary: (selinux) problems when invoking spamassassin from procmail
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Duplicates: 176902
Depends On:
Blocks: FC5Target
 
Reported: 2005-10-31 09:34 UTC by Nicolas Mailhot
Modified: 2007-11-30 22:11 UTC (History)
CC List: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 23:31:48 UTC


Attachments
new audit.log after the jumbo gcc4.1 rawhide updates (deleted)
2006-02-16 07:21 UTC, Nicolas Mailhot
real new audit.log (sorry about the previous mistake) (deleted)
2006-02-16 07:36 UTC, Nicolas Mailhot
audit.log for selinux-policy-targeted-2.2.15-4 (deleted)
2006-02-16 19:53 UTC, Nicolas Mailhot

Description Nicolas Mailhot 2005-10-31 09:34:24 UTC
Description of problem:

Like many people I have the following block in my .procmailrc

:0fw: .spamc.lock
* < 256000
| spamc


Unfortunately it seems the default selinux policy blocks this action


type=CWD msg=audit(1130749836.551:3779):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749836.551:3779): item=0 name="/usr/bin/spamc"
flags=1  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.979:3780): avc:  denied  { execute } for
pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.979:3780): arch=c000003e syscall=59
success=no exit=-13 a0=51c1d1 a1=51c170 a2=51bfc0 a3=51c1d1 items=1
pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
type=CWD msg=audit(1130749839.979:3780):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc"
flags=101  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.983:3781): avc:  denied  { getattr } for
pid=11852 comm="sh" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.983:3781): arch=c000003e syscall=4 success=no
exit=-13 a0=6bf780 a1=7fffffefb5c0 a2=7fffffefb5c0 a3=2 items=1
pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1130749839.983:3781):  path="/usr/bin/spamc"
type=CWD msg=audit(1130749839.983:3781):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.983:3781): item=0 name="/usr/bin/spamc"
flags=1  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00


Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.27.2-10
libselinux-1.27.17-1
procmail-3.22-16
postfix-2.2.5-1
spamassassin-3.1.0-1.fc5


How reproducible:
Always


Steps to Reproduce:
1. add the block to your .procmailrc
2. configure your MTA to pipe mail through procmail
3. switch to enforcing mode
4. receive some mail


Additional info:

This was also reported on the fedora selinux ML

Comment 1 Nicolas Mailhot 2005-10-31 09:40:10 UTC
postfix + procmail + spamassassin -> CCing Thomas Woerner, Peter Vrabec, Brock
Organ, Warren Togami


Comment 2 Warren Togami 2005-10-31 15:26:47 UTC
It would be important to fix this, because procmail is a popular way of invoking
spamassassin during delivery.

Comment 3 Nicolas Mailhot 2005-11-01 15:21:16 UTC
Seems fixed in selinux-policy-targeted-1.27.2-11

Thanks a lot Daniel!

Comment 4 Nicolas Mailhot 2005-11-05 09:44:41 UTC
After 

Comment 5 Nicolas Mailhot 2005-11-05 09:45:33 UTC
After a few days and selinux updates the problem seems to be back :

type=CWD msg=audit(1131183641.607:1712):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1131183641.607:1712): item=0 name="/usr/bin/spamc" flags=101
 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131183641.611:1713): avc:  denied  { getattr } for 
pid=19310 comm="sh" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1131183641.611:1713): arch=c000003e syscall=4 success=no
exit=-13 a0=6bf790 a1=7fffffa0cb00 a2=7fffffa0cb00 a3=2 items=1 pid=19310
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1131183641.611:1713):  path="/usr/bin/spamc"
type=CWD msg=audit(1131183641.611:1713):  cwd="/home/nim/.maildir"
type=PATH msg=audit(1131183641.611:1713): item=0 name="/usr/bin/spamc" flags=1 
inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131183642.971:1714): avc:  denied  { execute } for 
pid=19313 comm="procmail" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1131183642.971:1714): arch=c000003e syscall=59 success=no
exit=-13 a0=51c0b1 a1=51c050 a2=51bea0 a3=51c0b1 items=1 pid=19313
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 comm="procmail" exe="/usr/bin/procmail"

Comment 6 Daniel Walsh 2005-11-07 16:30:19 UTC
Fixed in selinux-policy-targeted-1.27.2-16

Comment 7 Nicolas Mailhot 2005-11-12 18:30:08 UTC
Well, it's not but there is some progress

With selinux-policy-targeted-1.27.2-19 I have these bits in the logs :

type=SOCKADDR msg=audit(1131820021.653:174): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1131820022.657:175): avc:  denied  { name_connect } for 
pid=4467 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1131820022.657:175): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffff9b58b0 a2=10 a3=8 items=0 pid=4467 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"

So procmail manages to invoke spamc now, which tries to connect to spamd on its
standard port (783, cf
http://spamassassin.apache.org/full/3.1.x/dist/doc/spamc.html) and is then
blocked by selinux

Comment 8 Bojan Smojver 2005-11-13 22:16:32 UTC
Just a "me too" with the selinux-policy-targeted-1.27.1-2.11. Here is a snip
from the audit.log file:

-------------------------
type=AVC msg=audit(1131649834.979:6): avc:  denied  { connect } for  pid=2194 comm="spamd" scontext=system_u:system_r:spamd_t tcontext=system_u:system_r:spamd_t tclass=tcp_socket
type=SYSCALL msg=audit(1131649834.979:6): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe981d0 a2=1252cb8 a3=6 items=0 pid=2194 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
-------------------------

I'm using this in the /etc/procmailrc:

-------------------------
# Process spam using spamassassin client for spamd
:0fw:
* < 10485760
| spamc
-------------------------

Comment 9 Nicolas Mailhot 2005-11-19 14:29:31 UTC
With selinux-policy-targeted-2.0.1-2 there is a spamassassin policy regression:
it can not do dns requests anymore (wasn't this fixed a few weeks ago?)

# audit2allow < /var/log/audit/audit.log | grep spamd
allow spamd_t sbin_t:dir getattr;


type=AVC_PATH msg=audit(1132409745.363:5):  path="/sbin"
type=CWD msg=audit(1132409745.363:5):  cwd="/"
type=PATH msg=audit(1132409745.363:5): item=0 name="/sbin" flags=1 
inode=2523137 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1132409745.363:6): avc:  denied  { getattr } for  pid=2475
comm="spamd" name="sbin" dev=dm-0 ino=3342339
scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sbin_t:s0
tclass=dir
type=SYSCALL msg=audit(1132409745.363:6): arch=c000003e syscall=4 success=no
exit=-13 a0=7fffffcc9380 a1=7fffffcc92d0 a2=7fffffcc92d0 a3=51a945 items=1
pid=2475 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="spamd" exe="/usr/bin/perl"


allow spamd_t port_t:udp_socket name_bind;

type=AVC msg=audit(1132409829.360:34): avc:  denied  { name_bind } for  pid=2498
comm="spamd" src=12081 scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1132409829.360:34): arch=c000003e syscall=49 success=no
exit=-13 a0=8 a1=18bc510 a2=10 a3=679720 items=0 pid=2498 auid=4294967295 uid=0
gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 comm="spamd"
exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1132409829.360:34): saddr=02002F31000000000000000000000000


Comment 10 Nicolas Mailhot 2005-11-19 14:36:47 UTC
and spamc is still forbidden to talk to spamd

allow procmail_t spamd_port_t:tcp_socket name_connect;

Nov 19 15:36:51 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1
failed, retrying (#1 of 3): Permission denied
Nov 19 15:36:52 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1
failed, retrying (#2 of 3): Permission denied
Nov 19 15:36:53 rousalka spamc[3457]: connect(AF_INET) to spamd at 127.0.0.1
failed, retrying (#3 of 3): Permission denied
type=AVC msg=audit(1132411011.204:59): avc:  denied  { name_connect } for 
pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411011.204:59): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffffece640 a2=10 a3=22 items=0 pid=3457 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411011.204:59): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1132411012.208:60): avc:  denied  { name_connect } for 
pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411012.208:60): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffffece640 a2=10 a3=8 items=0 pid=3457 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411012.208:60): saddr=0200030F7F0000010000000000000000
type=AVC msg=audit(1132411013.212:61): avc:  denied  { name_connect } for 
pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1132411013.212:61): arch=c000003e syscall=42 success=no
exit=-13 a0=3 a1=7fffffece640 a2=10 a3=8 items=0 pid=3457 auid=4294967295
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="spamc" exe="/usr/bin/spamc"
type=SOCKADDR msg=audit(1132411013.212:61): saddr=0200030F7F0000010000000000000000



Comment 11 Nicolas Mailhot 2005-12-04 16:02:19 UTC
And I'm seeing a lot of spamassassin access problems in maillog, they're not in
audit.log but probably only because it's filtered

Spamassassin can not access user conf files (~/.spamassassin/*) from procmail

This with selinux-policy-targeted-2.0.8-1

Comment 12 Dave Jones 2006-01-05 04:27:50 UTC
*** Bug 176902 has been marked as a duplicate of this bug. ***

Comment 13 Daniel Walsh 2006-02-14 20:59:24 UTC
So you are getting avc messages that procmail_t wants to read user_home_t?


Comment 14 Nicolas Mailhot 2006-02-14 21:11:29 UTC
I see a lot of
17336:type=AVC msg=audit(1139950805.203:21026): avc:  denied  { read } for 
pid=8322 comm="spamd" name="identity" dev=dm-1 ino=5931396
scontext=user_u:system_r:spamd_t:s0-s0:c0.c255
tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file

But I need to check carefully again after the jumbo rawhide gcc 4.1 rebuild  update

Comment 15 Nicolas Mailhot 2006-02-16 07:20:27 UTC
New report.
For a time after the update everything seemed fine with little or no AVCs
Just to be sure I updated again today to get the last bits, rebooted in
autorelabel, init 1, rm audit.log, init 6

This new report is after the last reboot where everything should have been
clean. Well it isn't. First hint of trouble :

$ evolution
CalDAV Eplugin starting up ...

(evolution:2562): evolution-smime-WARNING **: Failed all methods for initializing NSS

(evolution:2562): camel-WARNING **: Failed to initialize NSS

And then the audit.log is full of AVCs (some of them procmail-related)

I really feel there is a big problem with selinux on x86_64 - policies seem sane but the system *always* degenerates after a few days.


Comment 16 Nicolas Mailhot 2006-02-16 07:21:57 UTC
Created attachment 124742 [details]
new audit.log after the jumbo gcc4.1 rawhide updates

Comment 17 Nicolas Mailhot 2006-02-16 07:23:50 UTC
I don't have time to do an rpm -Va now; since most of the FC and FE packages
were rebuilt and reinstalled recently I expect it to give a clean result
(except for bug #177976 effects)

Comment 18 Nicolas Mailhot 2006-02-16 07:36:19 UTC
Created attachment 124743 [details]
real new audit.log (sorry about the previous mistake)

Comment 19 Daniel Walsh 2006-02-16 15:10:38 UTC
Going through your log I generated the following allow rules:
allow fetchmail_t home_root_t:dir search;
- Fixed in tonight's rawhide
allow hald_t self:capability setgid;
- Already fixed in rawhide
allow spamd_t root_t:file append;
- Where is this file?  Seems like a potential labeling problem
allow spamd_t user_home_t:lnk_file read;
- Already fixed in rawhide
allow unconfined_t self:process execstack;
- Working on fixing the nss libraries to remove this requirement

Comment 20 Nicolas Mailhot 2006-02-16 16:49:08 UTC
(In reply to comment #19)

> allow spamd_t root_t:file append;
> - Where is this file?  Seems like a potential labeling problem

The only append denial I have is

4:type=AVC msg=audit(1140073978.634:5): avc:  denied  { append } for  pid=2065
comm="spamd" name="razor-agent.log" dev=dm-0 ino=1168
scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file

[root@rousalka nim]# locate razor-agent.log
/razor-agent.log
/home/nim/.razor/razor-agent.log
/root/.razor/razor-agent.log
/var/spool/amavisd/.razor/razor-agent.log

it's the razor logfile

Comment 21 Nicolas Mailhot 2006-02-16 19:49:00 UTC
With selinux-policy-targeted-2.2.15-4 :

1. there are still many procmail+spamd problems :

Feb 16 20:48:31 rousalka spamd[2182]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 52169
Feb 16 20:48:31 rousalka spamd[2182]: spamd: setuid to nim succeeded
Feb 16 20:48:31 rousalka spamd[2182]: spamd: creating default_prefs:
/home/nim/.spamassassin/user_prefs
Feb 16 20:48:31 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:31 rousalka spamd[2182]: config: cannot write to
/home/nim/.spamassassin/user_prefs: Permission non accordée
Feb 16 20:48:31 rousalka spamd[2182]: spamd: failed to create readable
default_prefs: /home/nim/.spamassassin/user_prefs
Feb 16 20:48:31 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:31 rousalka spamd[2182]: spamd: processing message
<200602161935.k1GJZNfk016466@www.beta.redhat.com> for nim:500
Feb 16 20:48:35 rousalka spamd[2182]: internal error
Feb 16 20:48:35 rousalka spamd[2182]: pyzor: check failed: internal error
Feb 16 20:48:35 rousalka spamd[2182]: mkdir /home/nim: Le fichier existe. at
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1467
Feb 16 20:48:35 rousalka spamd[2182]: locker: safe_lock: cannot create tmp
lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2182
for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Feb 16 20:48:35 rousalka spamd[2182]: auto-whitelist: open of auto-whitelist
file failed: locker: safe_lock: cannot create tmp lockfile
/home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2182 for
/home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Feb 16 20:48:35 rousalka spamd[2182]: Can't call method "finish" on an undefined
value at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/AWL.pm line 397.
Feb 16 20:48:35 rousalka spamd[2182]: spamd: clean message (2.9/5.0) for nim:500
in 3.9 seconds, 5482 bytes.

2. rpm -Va is affected too

# rpm -Va > /tmp/rpm.log
prelink: /usr/bin/tiffgt: Could not parse `/usr/bin/tiffgt: error while loading
shared libraries: libGL.so.1: cannot enable executable stack as shared object
requires: Permission denied'
prelink: /usr/bin/tiffgt: at least one of file's dependencies has changed since
prelinking
prelink: /usr/bin/eu-nm: Could not parse `/usr/bin/eu-nm: error while loading
shared libraries: /usr/bin/eu-nm: cannot enable executable stack as shared
object requires: Permission denied'
prelink: /usr/bin/eu-nm: at least one of file's dependencies has changed since
prelinking
prelink: /usr/lib64/libglut.so.3.8.0: Could not parse
`/usr/lib64/libglut.so.3.8.0: error while loading shared libraries: libGL.so.1:
cannot enable executable stack as shared object requires: Permission denied'


Comment 22 Nicolas Mailhot 2006-02-16 19:53:45 UTC
Created attachment 124780 [details]
audit.log for selinux-policy-targeted-2.2.15-4

Comment 23 Daniel Walsh 2006-02-21 23:31:48 UTC
You should not have spamd writing files to /.  If you want this you will need to
write your own policy modules using

audit2allow -M spamd -i /var/log/audit/audit.log
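The denials quoted in comments 9, 10 and 20, and the audit2allow step Daniel Walsh gives above, reduced to a small script. This is an added example; it is not part of the bug report and it is not audit2allow's own code. It parses AVC records the way audit2allow does in outline (source type, target type, object class, requested permissions), merges them into allow rules, and separately flags denials whose target type belongs to a constructed list (root_t, default_t, file_t, unlabeled_t) that usually means a mislabelled or misplaced file, which is the distinction drawn about /razor-agent.log: a rule generated from such a denial should be a prompt to relabel or move the file, not a rule to load. The sample log is the AVC lines quoted in this bug, re-joined onto single lines as auditd writes them.

```python
import re

# Constructed sample input: the AVC records quoted in comments 9, 10 and 20 of
# this bug, each re-joined onto one line the way auditd writes them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1132409745.363:6): avc:  denied  { getattr } for  pid=2475 comm="spamd" name="sbin" dev=dm-0 ino=3342339 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1132409745.363:6): arch=c000003e syscall=4 success=no exit=-13 items=1 pid=2475 comm="spamd" exe="/usr/bin/perl"
type=AVC msg=audit(1132409829.360:34): avc:  denied  { name_bind } for  pid=2498 comm="spamd" src=12081 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1132411011.204:59): avc:  denied  { name_connect } for  pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1132411012.208:60): avc:  denied  { name_connect } for  pid=3457 comm="spamc" dest=783 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1140073978.634:5): avc:  denied  { append } for  pid=2065 comm="spamd" name="razor-agent.log" dev=dm-0 ino=1168 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:root_t:s0 tclass=file
"""

# One AVC record: timestamp:serial, decision, "{ perm perm }" and then key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed list of target types that usually mean the object sits in the
# wrong place or carries the wrong label; the fix is relabelling or moving it,
# not loading a new allow rule.
LABELING_SUSPECTS = {"root_t", "default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def type_of(context):
    """user:role:type[:level] -> type, e.g. system_u:system_r:spamd_t:s0 -> spamd_t."""
    return context.split(":")[2]


def allow_rules(log_text):
    """Collapse denials into audit2allow-style rules, merging the permissions
    requested for the same (source type, target type, object class) triple."""
    merged = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def labeling_suspects(log_text):
    """Denials whose target type suggests a mislabelled or misplaced object.
    Returns (rule, object name) pairs to inspect before loading any module."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        tgt = type_of(rec["tcontext"])
        if tgt in LABELING_SUSPECTS:
            rule = f"allow {type_of(rec['scontext'])} {tgt}:{rec['tclass']} {' '.join(rec['perms'])};"
            out.append((rule, rec["name"]))
    return out


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for rule, name in labeling_suspects(SAMPLE_AUDIT_LOG):
        print(f"check label/location of {name!r} before using: {rule}")
```

Run against a real /var/log/audit/audit.log, the rule list is what `audit2allow -i` would print; the suspects list is the part worth reading first, since a rule such as `allow spamd_t root_t:file append;` is satisfied by moving razor-agent.log out of / (or fixing its label), without widening the policy.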


