spamassassin pre-compiled rules

Dominick Grift domg472 at gmail.com
Sat Jul 11 16:38:16 UTC 2009 

On Sat, 2009-07-11 at 05:06 -0700, Vadym Chepkov wrote:
> spamassassin rules got updated recently and I got this avc
> 
> type=AVC msg=audit(1247216252.200:31900): avc:  denied  { execute } for  pid=24001 comm="spamd" path="/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so" dev=dm-3 ino=124989 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
> 
> audit2allow suggests this
> #============= spamd_t ==============
> allow spamd_t spamd_var_lib_t:file execute;
> seems reasonable, but why is it missing in standard policy?
> 
> Sincerely yours,
>   Vadym Chepkov

Is that file part of the package? 
/var/lib/spamassassin/compiled/5.010/3.002005/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so

It is probably created by spamd_t.

The problem is that if you allow spamd_t to execute files with type
spamd_var_lib_t then spamd_t can run everything
in /var/lib/spamassassin.

This is not so nice but it might not be a problem either

Looking at the path it appears that spamd put compiled stuff
under /var/lib/spamassassin/compiled/ 

assuming that all stuff under there should be executable by spamd_t, one
could consider to introduce a new type for spamd_t executable files
there.

That would look something like this:

myspamd.te:
policy_module(myspamd, 0.0.1)
type spamd_var_lib_exec_t;
files_type(spamd_var_lib_exec_t)
require { type spamd_t; }
filetrans_pattern(spamd_t, spamd_var_lib_exec_t, spamd_var_lib_exec_t,
{ dir file })
manage_dirs_pattern(spamd_t, spamd_var_lib_exec_t, spamd_var_lib_exec_t)
manage_files_pattern(spamd_t, spamd_var_lib_exec_t,
spamd_var_lib_exec_t)
exec_files_pattern(spamd_t, spamd_var_lib_exec_t, spamd_var_lib_exec_t)

myspamd.fc:
/var/lib/spamassassin/compiled(/.*)?  --
gen_context(system_u:object_r:spamd_var_lib_exec_t, s0)

But i guess that depends on your security requirements

For now this could be considered a bug in selinux-policy


> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090711/6effd4af/attachment.sig>

More information about the fedora-selinux-list mailing list