https://bugzilla.redhat.com/show_bug.cgi?id=452738
Summary: selinux denials when using razor and spamassassin (spamd)
Product: Fedora
Version: 9
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: low
Component: perl-Razor-Agent
AssignedTo: redhat-bugzilla(a)linuxnetz.de
ReportedBy: roth(a)ursus.net
QAContact: extras-qa(a)fedoraproject.org
CC: dwalsh@redhat.com,fedora-perl-devel-list(a)redhat.com
Description of problem:
The selinux targeted policy allows the use of razor-admin and razor-report in
selinux enforcing mode (razor_per_role_template etc.) but it is not sufficient to
allow spamassassin to launch razor via its Perl API. When using spamassassin,
the razor libraries, config files, etc. are invoked from the spamd_t domain.
Tying together razor and spamassassin (spamd_t) using the templates in razor.if
results in module compilation errors due to conflicting rules.
Version-Release number of selected component (if applicable):
perl-Razor-Agent-2.84-4.fc9.i386
spamassassin-3.2.4-4.fc9.i386
selinux-policy-targeted-3.3.1-64.fc9.noarch
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
I did some quick cut-and-paste with razor.if and I came up with a simpler
interface that can be used to interface to spamd_t:
########################################
## <summary>
##     Invoke razor libraries from the target domain
## </summary>
## <param name="domain">
##     <summary>
##     Domain allowed access.
##     </summary>
## </param>
#
interface(`ursus_razor_perl_client',`
    gen_require(`
        type razor_t;
        type razor_log_t;
        type razor_var_lib_t;
    ')

    # subset of rules from razor_common_domain_template
    manage_dirs_pattern($1,razor_log_t,razor_log_t)
    manage_files_pattern($1,razor_log_t,razor_log_t)
    manage_lnk_files_pattern($1,razor_log_t,razor_log_t)

    # FIXME: this may end up depositing log files with incorrect labels
    manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t)
    manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
    manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t)

    corenet_tcp_sendrecv_razor_port($1)

    dnl allow $1 { razor_t }:process { signal };
    dnl probably only needed for scripts and such
')

razor_per_role_template(user, user_t, user_r)
ursus_razor_perl_client(spamd_t)
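Added example, not part of the original bug report or of the razor policy: a small triage script that sorts spamd_t AVC denials into those the rules in ursus_razor_perl_client would cover and those that remain. The audit records are constructed, and the type names razor_port_t and razor_etc_t and the send_msg/recv_msg scope of corenet_tcp_sendrecv_razor_port are assumptions.

```python
"""Triage spamd_t AVC denials against the rules in ursus_razor_perl_client."""
import re
from collections import defaultdict

# Constructed sample audit records, not taken from the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1214300000.101:41): avc:  denied  { write } for  pid=2101 comm="spamd" name="razor-agent.log" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file
type=AVC msg=audit(1214300000.202:42): avc:  denied  { add_name write } for  pid=2101 comm="spamd" name="sample.lst" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1214300000.303:43): avc:  denied  { name_connect } for  pid=2101 comm="spamd" dest=2703 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214300000.404:44): avc:  denied  { read } for  pid=2101 comm="spamd" name="sample.conf" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_etc_t:s0 tclass=file
type=AVC msg=audit(1214300000.505:45): avc:  denied  { read } for  pid=3000 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file
"""

# Types and classes named by the manage_{dirs,files,lnk_files}_pattern calls.
FS_TYPES = {"razor_log_t", "razor_var_lib_t"}
FS_CLASSES = {"dir", "file", "lnk_file"}
# Assumption: corenet_tcp_sendrecv_razor_port grants only these on razor_port_t.
NET_PERMS = {"send_msg", "recv_msg"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def covered(ttype, tclass, perm):
    """Simplification: any permission on a managed type/class counts as covered."""
    if ttype in FS_TYPES and tclass in FS_CLASSES:
        return True
    return ttype == "razor_port_t" and tclass == "tcp_socket" and perm in NET_PERMS


def triage(log_text, domain="spamd_t"):
    """Return {'covered': {...}, 'uncovered': {...}} keyed by (type, class)."""
    result = {"covered": defaultdict(set), "uncovered": defaultdict(set)}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, scon, tcon, tclass = m.groups()
        if scon.split(":")[2] != domain:  # user:role:type:level
            continue
        ttype = tcon.split(":")[2]
        for perm in perms.split():
            bucket = "covered" if covered(ttype, tclass, perm) else "uncovered"
            result[bucket][(ttype, tclass)].add(perm)
    return {name: dict(groups) for name, groups in result.items()}


if __name__ == "__main__":
    for bucket, groups in triage(SAMPLE_AUDIT_LOG).items():
        for (ttype, tclass), perms in sorted(groups.items()):
            print(f"{bucket:9} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }}")
```

Entries left in the uncovered bucket after loading the module are the ones to feed back into the policy discussion.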