Bug 1046952

Summary: SELinux is preventing /usr/bin/mailx from 'ioctl' accesses on the file /home/tbecker/rsync_backup.log.
Product: [Fedora] Fedora Reporter: Tim Becker <tbecker>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, lvrabec, mgrepl, ssekidde
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:f2d8fb7708d88fc6d5a255267d895e777b9529ff5d6a0443c72880e614fb12b6
Fixed In Version: selinux-policy-3.12.1-116.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-16 07:11:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tim Becker 2013-12-27 16:59:39 UTC 
Description of problem:
I have a cron that mails this file and selinux is diabled on this system.  Why is this still being denied?
SELinux is preventing /usr/bin/mailx from 'ioctl' accesses on the file /home/tbecker/rsync_backup.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mailx should be allowed ioctl access on the rsync_backup.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/tbecker/rsync_backup.log [ file ]
Source                        mail
Source Path                   /usr/bin/mailx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mailx-12.5-10.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue
                              Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-27 09:55:20 MST
Last Seen                     2013-12-27 09:55:20 MST
Local ID                      97342c42-8b9b-47ac-802d-16c4d2c4d9a9

Raw Audit Messages
type=AVC msg=audit(1388163320.29:614): avc:  denied  { ioctl } for  pid=4767 comm="mail" path="/home/tbecker/rsync_backup.log" dev="dm-1" ino=3670331 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1388163320.29:614): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=0 a1=5401 a2=7ffff8f210e0 a3=8 items=0 ppid=3711 pid=4767 auid=0 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: mail,system_mail_t,user_home_t,file,ioctl

Additional info:
reporter:       libreport-2.1.10
hashmarkername: setroubleshoot
kernel:         3.12.5-302.fc20.x86_64
type:           libreport
Comment 1 Simon Sekidde 2013-12-27 17:52:30 UTC 
Are you booting with "enforcing=0" or with the SELINUX line in /etc/selinux/config set to SELINUX=disabled?
Comment 2 Tim Becker 2013-12-27 18:17:59 UTC 
SELINUX=disabled  Here's my /etc/selinix/conf file

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Comment 3 Simon Sekidde 2013-12-27 20:09:04 UTC 
Tim, 

This is likely a problem with the libselinux package. Boot with "selinux=0" so that the kernel does not load any of the SELinux infrastructure if you really want to disable SELinux entirely.
Comment 4 Daniel Walsh 2014-01-03 19:01:29 UTC 
fixed in libselinux-2.2.1-6.fc20
Comment 5 Fedora Update System 2014-01-13 22:57:20 UTC 
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Comment 6 Fedora Update System 2014-01-15 05:58:50 UTC 
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2014-01-16 07:11:52 UTC 
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.