Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 452738 - selinux denials when using razor and spamassassin (spamd)
Summary: selinux denials when using razor and spamassassin (spamd)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-24 18:07 UTC by Carl Roth
Modified: 2008-11-17 22:04 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:04:48 UTC


Attachments (Terms of Use)
sealert output (deleted)
2008-07-10 18:21 UTC, Carl Roth
no flags Details

Description Carl Roth 2008-06-24 18:07:28 UTC
Description of problem:

The selinux targeted policy allows the use of razor-admin and razor-report in
selinux enforcing mode (razor_per_role_template etc.) but it not sufficient to
allow spamassassin to launch razor via its Perl API.  When using spamassassin,
the razor libraries, config files, etc. are invoked from the spamd_t domain. 
Tying together razor and spamassassin (spamd_t) using the templates in razor.if
results in module compilation errors due to conflicting rules.

Version-Release number of selected component (if applicable):

perl-Razor-Agent-2.84-4.fc9.i386
spamassassin-3.2.4-4.fc9.i386
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

I did some quick cut-and-paste with razor.if and I came up with a simpler
interface that can be used to interface to spamd_t:

########################################
## <summary>
##	Invoke razor libraries from the target domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ursus_razor_perl_client',`

  gen_require(`
    type razor_t;
    type razor_log_t;
    type razor_var_lib_t;
  ')

  # subset of rules from razor_common_domain_template

  manage_dirs_pattern($1,razor_log_t,razor_log_t)
  manage_files_pattern($1,razor_log_t,razor_log_t)
  manage_lnk_files_pattern($1,razor_log_t,razor_log_t)
  # FIXME: this may end up depositing log files with incorrect labels

  manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  corenet_tcp_sendrecv_razor_port($1)

  dnl allow $1 { razor_t }:process { signal };
  dnl probably only needed for scripts and such

')

razor_per_role_template(user, user_t, user_r)
ursus_razor_perl_client(spamd_t)

Comment 1 Robert Scheck 2008-06-24 18:35:43 UTC
This is not a problem of razor/spamassassin, but of selinux-policy. Re-
assigning to selinux-policy. Daniel, can you take care of it, please?

Comment 2 Daniel Walsh 2008-06-30 17:46:15 UTC
Could you please attach the audit.log file that you used to generate this policy.

Currently razor should be transitioning to spamd_t

If you update to the current policy (selinux-policy-3.3.1-72.fc9.noarch)
do you still need your custom policy?

Comment 3 Carl Roth 2008-07-10 18:20:26 UTC
Yes, it transitions to spamd_t, at which point it no longer has access to
razor's data and config files.

I'm attaching the output of 'sealert -l' for the various AVCs generated when I
disable my above-posted policy changes.  These were generated on a system
running with selinux-policy-targeted-3.3.1-74.fc9.noarch.


Comment 4 Carl Roth 2008-07-10 18:21:29 UTC
Created attachment 311501 [details]
sealert output

Comment 5 Daniel Walsh 2008-07-15 18:16:11 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-78.fc9.noarch

Comment 6 Daniel Walsh 2008-11-17 22:04:48 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.


Note You need to log in before you can comment on or make changes to this bug.