Bug 1053910
| Summary: | SELinux is preventing /usr/sbin/ssmtp from 'append' accesses on the file /var/lib/munin/dead.letter. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | dubultra |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | dmitry, dominick.grift, dwalsh, lvrabec, mgrepl, pschiffe |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:20564711bc8898afa2cdae8b5b8f18ffd3ee81fd096decba9a2244814a62ab77 | ||
| Fixed In Version: | selinux-policy-3.12.1-171.fc20 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-26 01:53:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I see it also for other SELinux domains. Why is dead.letter created in this directory rather than in HOMEDIR? Is /var/lib/munin munin homedir? Yes, /var/lib/munin is munin homedir: $ grep munin /etc/passwd munin:x:988:984:Munin user:/var/lib/munin:/sbin/nologin Will you update selinux policy? peter So we should just allow this 8e6694820d3a96a9bd79519f5350c8917b9b60d9 fixes this in git. OK. I'm returning the bug back to you then. Well this is also about
type=AVC msg=audit(1389832812.997:5827): avc: denied { open } for pid=25053 comm="sendmail" path="/var/lib/munin/dead.letter" dev="sda3" ino=1853255 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
not just "append".
That patch will also give append. Oops, I read append_inherited_file_perms against append_files_pattern. Sorry. selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20 Package selinux-policy-3.12.1-167.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20 then log in and leave karma (feedback). selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20 Package selinux-policy-3.12.1-171.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20 then log in and leave karma (feedback). selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing /usr/sbin/ssmtp from 'append' accesses on the file /var/lib/munin/dead.letter. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ssmtp should be allowed append access on the dead.letter file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sendmail /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023 Target Context system_u:object_r:munin_var_lib_t:s0 Target Objects /var/lib/munin/dead.letter [ file ] Source sendmail Source Path /usr/sbin/ssmtp Port <Unknown> Host (removed) Source RPM Packages ssmtp-2.64-10.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-106.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64 Alert Count 246 First Seen 2014-01-14 15:55:12 EST Last Seen 2014-01-15 19:40:12 EST Local ID 0353b6fc-c30a-487a-b3bc-7d6279c6b6a3 Raw Audit Messages type=AVC msg=audit(1389832812.997:5827): avc: denied { append } for pid=25053 comm="sendmail" name="dead.letter" dev="sda3" ino=1853255 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file type=AVC msg=audit(1389832812.997:5827): avc: denied { open } for pid=25053 comm="sendmail" path="/var/lib/munin/dead.letter" dev="sda3" ino=1853255 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1389832812.997:5827): arch=x86_64 syscall=open success=yes exit=ESRCH a0=12062c0 a1=441 a2=1b6 a3=1 items=0 ppid=25010 pid=25053 auid=989 uid=989 gid=986 euid=989 suid=989 fsuid=989 egid=12 sgid=12 fsgid=12 ses=580 tty=(none) comm=sendmail exe=/usr/sbin/ssmtp subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) Hash: sendmail,system_mail_t,munin_var_lib_t,file,append Additional info: reporter: libreport-2.1.11 hashmarkername: setroubleshoot kernel: 3.11.10-301.fc20.x86_64 type: libreport