[Bug 452738] New: selinux denials when using razor and spamassassin (spamd)

bugzilla at redhat.com bugzilla at redhat.com
Tue Jun 24 18:07:29 UTC 2008


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.




https://bugzilla.redhat.com/show_bug.cgi?id=452738

           Summary: selinux denials when using razor and spamassassin
                    (spamd)
           Product: Fedora
           Version: 9
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: low
          Priority: low
         Component: perl-Razor-Agent
        AssignedTo: redhat-bugzilla at linuxnetz.de
        ReportedBy: roth at ursus.net
         QAContact: extras-qa at fedoraproject.org
                CC: dwalsh at redhat.com,fedora-perl-devel-list at redhat.com


Description of problem:

The selinux targeted policy allows the use of razor-admin and razor-report in
selinux enforcing mode (razor_per_role_template etc.) but it is not sufficient to
allow spamassassin to launch razor via its Perl API.  When using spamassassin,
the razor libraries, config files, etc. are invoked from the spamd_t domain. 
Tying together razor and spamassassin (spamd_t) using the templates in razor.if
results in module compilation errors due to conflicting rules.

Version-Release number of selected component (if applicable):

perl-Razor-Agent-2.84-4.fc9.i386
spamassassin-3.2.4-4.fc9.i386
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

I did some quick cut-and-paste with razor.if and I came up with a simpler
interface that can be used to interface to spamd_t:

########################################
## <summary>
##	Invoke razor libraries from the target domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ursus_razor_perl_client',`

  gen_require(`
    type razor_t;
    type razor_log_t;
    type razor_var_lib_t;
  ')

  # subset of rules from razor_common_domain_template

  manage_dirs_pattern($1,razor_log_t,razor_log_t)
  manage_files_pattern($1,razor_log_t,razor_log_t)
  manage_lnk_files_pattern($1,razor_log_t,razor_log_t)
  # FIXME: this may end up depositing log files with incorrect labels

  manage_dirs_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  manage_lnk_files_pattern($1,razor_var_lib_t,razor_var_lib_t)
  corenet_tcp_sendrecv_razor_port($1)

  dnl allow $1 { razor_t }:process { signal };
  dnl probably only needed for scripts and such

')

razor_per_role_template(user, user_t, user_r)
ursus_razor_perl_client(spamd_t)

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
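
Added example, not part of the original bug report or of the policy source: a small triage script that groups AVC denials whose source domain is spamd_t and separates those aimed at the two types the proposed interface manages (razor_log_t, razor_var_lib_t) from everything else. The audit records are constructed samples, and "covered" is an approximation that looks only at target type and object class; it does not expand the permission sets of the manage_*_pattern macros.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1214330849.101:71): avc:  denied  { write } for  pid=2101 comm="spamd" name="razor-agent.log" dev=dm-0 ino=4711 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file
type=AVC msg=audit(1214330849.105:72): avc:  denied  { append } for  pid=2101 comm="spamd" name="razor-agent.log" dev=dm-0 ino=4711 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_log_t:s0 tclass=file
type=AVC msg=audit(1214330849.110:73): avc:  denied  { read search } for  pid=2101 comm="spamd" name="razor" dev=dm-0 ino=4720 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1214330850.002:74): avc:  denied  { name_connect } for  pid=2101 comm="spamd" dest=2703 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1214330851.300:75): avc:  denied  { getattr } for  pid=900 comm="httpd" name="razor" dev=dm-0 ino=4720 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:razor_var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

# Types and classes named in the manage_*_pattern lines of the interface above.
MANAGED_TYPES = {"razor_log_t", "razor_var_lib_t"}
MANAGED_CLASSES = {"dir", "file", "lnk_file"}

def se_type(context):
    """Return the type field of a user:role:type[:mls] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None

def summarize(log, domain="spamd_t"):
    """Map (target type, class) -> set of denied permissions for one domain."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m and se_type(m["s"]) == domain:
            rules[(se_type(m["t"]), m["c"])].update(m["perms"].split())
    return dict(rules)

def triage(rules):
    """Split denials into those on managed razor types and those to review."""
    covered, review = [], []
    for (ttype, tclass), perms in sorted(rules.items()):
        hit = ttype in MANAGED_TYPES and tclass in MANAGED_CLASSES
        (covered if hit else review).append((ttype, tclass, sorted(perms)))
    return covered, review

if __name__ == "__main__":
    covered, review = triage(summarize(SAMPLE_LOG))
    for label, rows in (("managed razor types", covered), ("needs review", review)):
        for ttype, tclass, perms in rows:
            print(f"{label}: spamd_t -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

Denials that land in the review list, such as the constructed tcp_socket record, are the ones to check by hand against the remaining rules before loading a module.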