[Mimedefang] Selinux AVC's with F25

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Feb 19 17:44:38 EST 2017


> On Feb 13, 2017, at 10:26 AM, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
> 
> [Putting Robert on Bcc…]
> 
> I upgraded recently to F25 from F24.  I had configured my MDF service in systemd as stock.
> 
> No changes were made to MDF concurrent to the upgrade.
> 
> Now I’m seeing a bunch of:
> 
> type=AVC msg=audit(1487004730.889:2463): avc:  denied  { read } for  pid=24701 comm="mimedefang.pl" name="razor-agent.log" dev="sda6" ino=9306726 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=lnk_file permissive=0
> 
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
> 
> 		You can use audit2allow to generate a loadable module to allow this access.
> 
> There’s a symlink with that path on my system:
> 
> lrwxrwxrwx. 1 defang defang system_u:object_r:spamd_var_run_t:s0 9 Dec 14  2011 /var/spool/MIMEDefang/.razor/razor-agent.log -> /dev/null
> 
> and I see it being created via the temp files at startup:
> 
> /usr/lib/tmpfiles.d/mimedefang.conf:d /var/spool/MIMEDefang/.razor 0750 defang defang - -
> /usr/lib/tmpfiles.d/mimedefang.conf:L+ /var/spool/MIMEDefang/.razor/razor-agent.log - - - - /dev/null
> 
> 
> The file is accessed in Razor2::Client::Config, which is pulled into MDF via SpamAssassin which has:
> 
> loadplugin Mail::SpamAssassin::Plugin::Razor2
> 
> in it.
> 
> So, not really sure what the point of a log file pointing at /dev/null would be or why MDF is responsible for creating it given that it’s SpamAssassin that ends up scribbling on it, etc.  Why not skip creating the file, and not write at all if you can’t open it because it doesn’t exist...
> 
> Anyone know what the fix for this is?
> 
> Thanks,
> 
> -Philip


Well, I took a shot at fixing this:

https://github.com/toddr/Razor2-Client-Agent/pull/2

and we’ll see if it gets accepted.

If it is, then the fix might be to have a file /etc/razor/razor-agent.conf containing:

logfile none

where ‘none’ is a keyword telling Razor2::Client::Logger to open /dev/null as the destination.

Hopefully this is as SELinux friendly as possible.

Skoll: any thoughts?  Scheck?

In mimedefang-2.79 the file redhat/mimedefang-init.in contains the block:

    if [ ! -L @SPOOLDIR@/.razor/razor-agent.log ]; then
        # The Razor2 log is mostly useless, and we can't change its location.
        # In order to prevent it from filling up the spool, we just link it to
        # /dev/null.
        ln -sf /dev/null @SPOOLDIR@/.razor/razor-agent.log
        chown -h defang:defang @SPOOLDIR@/.razor/razor-agent.log
    fi


but I’m not sure I understand it.  Why can’t we change its location?  On my system, Razor2::Agent::Client only ever gets invoked via Mail::SpamAssassin which only ever gets invoked by Mimedefang.

From my perspective, Mimedefang rules the roost and can pretty much do whatever it wants.

-Philip
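The denial quoted at the top of this message is the input for the following script. This is an added example, not MIMEDefang's or Razor2's code: it parses AVC lines into the minimal type-enforcement rule that audit2allow would generate and classifies the denied object, so that a symlink in the way (as here) is visible before anyone loads a policy module. It assumes only POSIX sh, sed, cut, grep and sort; the first sample line is the one from the thread, the second is constructed for illustration and is not from the thread.

```shell
#!/bin/sh
# Added example, not MIMEDefang or Razor2 code: turn SELinux AVC denial
# lines like the one in this thread into the minimal type-enforcement
# rule that audit2allow would generate, and classify the denied object
# so the reader can decide whether the right fix is policy at all.

# Constructed sample 1: the denial quoted in the thread, verbatim.
SAMPLE_AVC='type=AVC msg=audit(1487004730.889:2463): avc:  denied  { read } for  pid=24701 comm="mimedefang.pl" name="razor-agent.log" dev="sda6" ino=9306726 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=lnk_file permissive=0'

# Constructed sample 2 (hypothetical, not from the thread): same object,
# a getattr denial, to show how several lines are folded into rules.
SAMPLE_AVC2='type=AVC msg=audit(1487004731.001:2464): avc:  denied  { getattr } for  pid=24701 comm="mimedefang.pl" path="/var/spool/MIMEDefang/.razor/razor-agent.log" dev="sda6" ino=9306726 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=lnk_file permissive=0'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perms LINE: the permissions inside "{ ... }", space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te LINE: the allow rule audit2allow would produce for this line
# (braces are optional in TE syntax when there is a single permission).
avc_to_te() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_kind LINE: coarse object class, so a symlink in the way is obvious.
avc_kind() {
    case "$(avc_field "$1" tclass)" in
        lnk_file) echo symlink ;;
        file)     echo file ;;
        dir)      echo dir ;;
        *)        echo other ;;
    esac
}

# avc_rules_from_log: read audit lines on stdin, print unique rules.
avc_rules_from_log() {
    grep 'avc:  denied' | while IFS= read -r line; do
        avc_to_te "$line"
    done | sort -u
}

# Stand-alone run over the constructed samples.
printf '%s denied %s on a %s (%s)\n' \
    "$(avc_field "$SAMPLE_AVC" comm)" "$(avc_perms "$SAMPLE_AVC")" \
    "$(avc_kind "$SAMPLE_AVC")" "$(avc_field "$SAMPLE_AVC" name)"
printf '%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC2" | avc_rules_from_log
```

The rule this prints for the thread's line, `allow spamd_t spamd_var_run_t:lnk_file { read };`, is what `audit2allow -M local` followed by `semodule -i local.pp` would load. Note what it grants: spamd_t may then read every symlink labelled spamd_var_run_t, not just this one. Before loading it, compare the link's label with what policy expects (`ls -Z` against `matchpathcon /var/spool/MIMEDefang/.razor/razor-agent.log`), and ask whether the symlink needs to exist at all; the `logfile none` proposal above removes the object instead of widening the policy, which is the least-privilege answer.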
