Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/show_bug.cgi?id=452738
Summary: selinux denials when using razor and spamassassin (spamd)
Product: Fedora
Version: 9
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: low
Component: perl-Razor-Agent
AssignedTo: redhat-bugzilla@linuxnetz.de
ReportedBy: roth@ursus.net
QAContact: extras-qa@fedoraproject.org
CC: dwalsh@redhat.com,fedora-perl-devel-list@redhat.com
Description of problem:
The selinux targeted policy allows the use of razor-admin and razor-report in selinux enforcing mode (razor_per_role_template etc.) but it is not sufficient to allow spamassassin to launch razor via its Perl API. When using spamassassin, the razor libraries, config files, etc. are invoked from the spamd_t domain. Tying together razor and spamassassin (spamd_t) using the templates in razor.if results in module compilation errors due to conflicting rules.
Version-Release number of selected component (if applicable):
perl-Razor-Agent-2.84-4.fc9.i386
spamassassin-3.2.4-4.fc9.i386
selinux-policy-targeted-3.3.1-64.fc9.noarch
How reproducible:
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
I did some quick cut-and-paste with razor.if and I came up with a simpler interface that can be used to interface to spamd_t:
########################################
## <summary>
##      Invoke razor libraries from the target domain
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`ursus_razor_perl_client',`
        gen_require(`
                type razor_t;
                type razor_log_t;
                type razor_var_lib_t;
        ')

        # subset of rules from razor_common_domain_template
        manage_dirs_pattern($1,razor_log_t,razor_log_t)
        manage_files_pattern($1,razor_log_t,razor_log_t)
        manage_lnk_files_pattern($1,razor_log_t,razor_log_t)
        # FIXME: this may end up depositing log files with incorrect labels

        manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t)
        manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
        manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
        corenet_tcp_sendrecv_razor_port($1)

        dnl allow $1 { razor_t }:process { signal }; dnl probably only needed for scripts and such
')

razor_per_role_template(user, user_t, user_r)
ursus_razor_perl_client(spamd_t)
redhat-bugzilla@linuxnetz.de changed:
What      |Removed                     |Added
----------------------------------------------------------------------------
CC        |dwalsh@redhat.com           |redhat-bugzilla@linuxnetz.de
AssignedTo|redhat-bugzilla@linuxnetz.de|dwalsh@redhat.com
Component |perl-Razor-Agent            |selinux-policy-targeted
QAContact |extras-qa@fedoraproject.org |benl@redhat.com

------- Additional Comments From redhat-bugzilla@linuxnetz.de 2008-06-24 14:35 EST -------
This is not a problem of razor/spamassassin, but of selinux-policy. Re-assigning to selinux-policy. Daniel, can you take care of it, please?
------- Additional Comments From dwalsh@redhat.com 2008-06-30 13:46 EST -------
Could you please attach the audit.log file that you used to generate this policy.
Currently razor should be transitioning to spamd_t
If you update to the current policy (selinux-policy-3.3.1-72.fc9.noarch) do you still need your custom policy?
------- Additional Comments From roth@ursus.net 2008-07-10 14:20 EST -------
Yes, it transitions to spamd_t, at which point it no longer has access to razor's data and config files.
I'm attaching the output of 'sealert -l' for the various AVCs generated when I disable my above-posted policy changes. These were generated on a system running with selinux-policy-targeted-3.3.1-74.fc9.noarch.
------- Additional Comments From roth@ursus.net 2008-07-10 14:21 EST -------
Created an attachment (id=311501) --> (https://bugzilla.redhat.com/attachment.cgi?id=311501&action=view)
sealert output
dwalsh@redhat.com changed:
What      |Removed                     |Added
----------------------------------------------------------------------------
Status    |NEW                         |MODIFIED

------- Additional Comments From dwalsh@redhat.com 2008-07-15 14:16 EST -------
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
Fixed in selinux-policy-3.3.1-78.fc9.noarch
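Added example, not part of the original bug thread and not code from selinux-policy or audit2allow: a small Python summarizer that groups AVC denials by source domain, target type and class, so the rules a module built from the whole audit log would grant can be reviewed, and limited to spamd_t, before anything is loaded. The log lines, file names and inode numbers are constructed for illustration; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not from attachment 311501): spamd_t touching
# razor-labelled files, one unrelated denial, and one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215713000.101:41): avc:  denied  { read } for  pid=2101 comm="spamd" name="razor-agent.conf" dev=dm-0 ino=1001 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_var_lib_t:s0 tclass=file
type=AVC msg=audit(1215713000.102:42): avc:  denied  { getattr } for  pid=2101 comm="spamd" path="/var/lib/razor/servers.lst" dev=dm-0 ino=1002 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_var_lib_t:s0 tclass=file
type=AVC msg=audit(1215713000.103:43): avc:  denied  { append } for  pid=2101 comm="spamd" name="razor-agent.log" dev=dm-0 ino=1003 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file
type=SYSCALL msg=audit(1215713000.103:43): arch=40000003 syscall=5 success=no exit=-13 comm="spamd"
type=AVC msg=audit(1215713050.200:51): avc:  denied  { read } for  pid=3300 comm="httpd" name="index.html" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:          # SYSCALL and other non-AVC records are skipped
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def as_allow_rules(rules, source=None):
    """Render the summary in allow-rule syntax, optionally for one domain only."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if source is not None and src != source:
            continue
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG), "spamd_t")))
```

On the constructed log, the unfiltered summary also contains the httpd_t denial, which is the kind of unrelated rule worth catching before a generated module is installed.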
Daniel Walsh dwalsh@redhat.com changed:
What      |Removed                     |Added
----------------------------------------------------------------------------
Status    |MODIFIED                    |CLOSED
Resolution|                            |CURRENTRELEASE

--- Comment #6 from Daniel Walsh dwalsh@redhat.com 2008-11-17 17:04:48 EDT ---
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
perl-devel@lists.fedoraproject.org