Re: Spamassassin emails have wrong perms -- CC'ed to selinux list

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Richard E Miles wrote:
> On Sun, 29 Jan 2006 22:53:25 -0600
> Justin Willmert <justin@xxxxxxxxxx> wrote:
>
>   
> > Ivan Gyurdiev wrote:
> >     
> > > > I'm cc-ing this to the fedora-selinux-list. I think some of the 
> > > > problems may be applicable there.
> > > >
> > > > OK, after some more testing, when I disable SELinux, many of the 
> > > > errors go away. First of all, I get rid of the error message saying 
> > > > user can not be found and with it the 'still running as root' error. 
> > > > Second, it is able to access the bayes_journal file (as long as 
> > > > normal unix permissions are right, which I've figured out). So I 
> > > > guess the problem is an SELinux issue which I can't solve. I'd attach 
> > > > some avc error messages, but I can't seem to find any. I've looked in 
> > > > maillog, secure, and messages, but nothing.
> > > >         
> > > Have you looked in the audit log, where all such messages are usually 
> > > found ?
> > > /var/log/audit.log
> > >
> > >       
> > Below is what showed up in audit/audit.log when I sent a message through
> > spamassassin. I'm _*really*_ rusty on SELinux...it's the one thing I
> > have to deal with quite often that I haven't been able to learn how to
> > use...it's so foreign to me. I've never looked in audit.log before: the
> > avc messages used to show up in messages, but now as far back as my logs
> > go, I don't have a single avc message. This all looks like jibberish to
> > me, so I need your guy's help.
> >
> > Thanks,
> > Justin
> >
> >     type=AVC msg=audit(1138596151.681:104174): avc:  denied  {
> >     name_connect } for  pid=23796 comm="spamd" dest=389
> >     scontext=root:system_r:spamd_t
> >     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
> >     type=SYSCALL msg=audit(1138596151.681:104174): arch=40000003
> >     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
> >     items=0 pid=23796 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> >     sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
> >     type=SOCKADDR msg=audit(1138596151.681:104174):
> >     saddr=02000185C0A801940000000000000000
> >     type=SOCKETCALL msg=audit(1138596151.681:104174): nargs=3 a0=7
> >     a1=9b1fe80 a2=10
> >     type=AVC msg=audit(1138596153.220:104175): avc:  denied  {
> >     name_connect } for  pid=23796 comm="spamd" dest=389
> >     scontext=root:system_r:spamd_t
> >     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
> >     type=SYSCALL msg=audit(1138596153.220:104175): arch=40000003
> >     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
> >     items=0 pid=23796 auid=600 uid=0 gid=0 euid=99 suid=0 fsuid=99
> >     egid=99 sgid=0 fsgid=99 comm="spamd" exe="/usr/bin/perl"
> >     type=SOCKADDR msg=audit(1138596153.220:104175):
> >     saddr=02000185C0A801940000000000000000
> >     type=SOCKETCALL msg=audit(1138596153.220:104175): nargs=3 a0=7
> >     a1=9b6a6f0 a2=10
> >     type=AVC msg=audit(1138596160.388:104176): avc:  denied  {
> >     name_connect } for  pid=23797 comm="spamd" dest=389
> >     scontext=root:system_r:spamd_t
> >     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
> >     type=SYSCALL msg=audit(1138596160.388:104176): arch=40000003
> >     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
> >     items=0 pid=23797 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> >     sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
> >     type=SOCKADDR msg=audit(1138596160.388:104176):
> >     saddr=02000185C0A801940000000000000000
> >     type=SOCKETCALL msg=audit(1138596160.388:104176): nargs=3 a0=7
> >     a1=9b20050 a2=10
> >     type=AVC msg=audit(1138596164.032:104177): avc:  denied  {
> >     name_connect } for  pid=23797 comm="spamd" dest=389
> >     scontext=root:system_r:spamd_t
> >     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
> >     type=SYSCALL msg=audit(1138596164.032:104177): arch=40000003
> >     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
> >     items=0 pid=23797 auid=600 uid=0 gid=0 euid=99 suid=0 fsuid=99
> >     egid=99 sgid=0 fsgid=99 comm="spamd" exe="/usr/bin/perl"
> >     type=SOCKADDR msg=audit(1138596164.032:104177):
> >     saddr=02000185C0A801940000000000000000
> >     type=SOCKETCALL msg=audit(1138596164.032:104177): nargs=3 a0=7
> >     a1=9b84af0 a2=10
> >
> >     
> I get these also on my system. So you're not the only one. Is there a fix for this?
>
>   
Ok I have placed an updated version of policy on my people page.  It 
will be in rawhide tonight.

ftp://people.redhat.com/dwalsh/SELinux/Fedora

But you can solve these problems yourself by using audit2allow and 
loadable modules.

If you ran

audit2allow -M spamd /var/log/audit/audit.log

You would have seen something like this.

>  audit2allow -M spamd -i /var/log/audit/audit.log
> Generating type enforcment file: spamd.te
> Compiling policy: checkmodule -M -m -o spamd.mod spamd.te
> semodule_package -o spamd.pp -m spamd.mod
> Building package: semodule_package -o spamd.pp -m spamd.mod
>
> ******************** IMPORTANT ***********************
>
> In order to load this newly created policy package into the kernel,
> you are required to execute
>
> semodule -i spamd.pp
If you then ran the semodue -i spamd.pp

it should fix your problem.

This is the te file that audit2allow created
> module spamd 1.0;
>
> require {
>         role object_r;
>         role system_r;
>
>         class tcp_socket name_connect;
>
>         type ldap_port_t;
>         type spamd_t;
>  };
>
>
> allow spamd_t ldap_port_t:tcp_socket name_connect;
When policy gets updated with your fix, you could remove this loadable 
module with the command
semodule -r slapd

semodule -l

will list all of your loadable modules.