[CentOS] procmail can't invoke spamc/spamassassin in 5.3 due to SElinux denials

Mike A. Harris

mharris at mharris.ca
Fri Apr 3 13:52:11 UTC 2009


I just discovered that my spam filters are not being properly executed 
in CentOS 5.3 because when procmail attempts to invoke spamc.  I have 
spamd running properly, and can invoke spamassassin and spamc from the 
bash prompt manually without any issues, however procmail fails with 
"permission denied" then bails.  Watching the procmail.log I get the 
following:

procmail: Executing "/usr/bin/spamc"
/bin/sh: /usr/bin/spamc: Permission denied
procmail: Program failure (126) of "/usr/bin/spamc"
procmail: Rescue of unfiltered data succeeded


Examining the SElinux audit logs, I discovered:

type=AVC msg=audit(1238765234.301:1752): avc:  denied  { execute } for 
pid=20177 comm="procmail" name="spamc" dev=hda1 ino=936505 
scontext=system_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file 
type=SYSCALL msg=audit(1238765234.301:1752): arch=40000003 syscall=11 
success=no exit=-13 a0=95c0d90 a1=95c0020 a2=95c3cf0 a3=0 items=0 
ppid=20176 pid=20177 auid=4294967295 uid=500 gid=500 euid=500 suid=500 
fsuid=500 egid=500 sgid=12 fs
gid=500 tty=(none) ses=4294967295 comm="procmail" 
exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1238765234.325:1753): avc:  denied  { read } for 
pid=20177 comm="sh" name="spamc" dev=hda1 ino=936505 
scontext=system_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1238765234.325:1753): arch=40000003 syscall=5 
success=no exit=-13 a0=9a95718 a1=8000 a2=0 a3=8000 items=0 ppid=20176 
pid=20177 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 
egid=500 sgid=500 fsgid=50
0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" 
subj=system_u:system_r:procmail_t:s0 key=(null)


Here is a similar web forum report from someone else:

	http://tinyurl.com/cpkvpg

Didn't find any reports in CentOS bugzilla about this yet, however I 
found one in Red Hat bugzilla:

	https://bugzilla.redhat.com/show_bug.cgi?id=486187

Shall I file a tracking bug in CentOS bugzilla, or just wait for the 
trickle down?



More information about the CentOS mailing list