Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1162305

Summary: mailx fails when used with mail server other than Sendmail Inc sendmail or postfix
Product: Red Hat Enterprise Linux 7 Reporter: Gordon Messmer <gordon.messmer>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: low    
Version: 7.0CC: gordon.messmer, lvrabec, mgrepl, mmalik, plautrba, pvrabec
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-81.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1166664 1210298 1323224 (view as bug list) Environment:
Last Closed: 2016-11-04 02:17:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1166664, 1210298    

Description Gordon Messmer 2014-11-10 19:40:55 UTC 
Description of problem:
/bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail.

Because mailx isn't SUID, there's virtually no value in transitioning to the sendmail_t domain on execution.  When Sendmail Inc sendmail or Postfix is used, the sendmail_t transition will occur on execution of their sendmail binary, and its behavior will be confined correctly.

That is, there is no benefit to labeling /sbin/mailx and no cost to not labeling it.

Could you please remove the sendmail_exec_t label on /sbin/mailx from policy, so that it is labeled bin_t?

How reproducible:
Always.

Steps to Reproduce:
1. Install Courier MTA (for example)
2. Install cron job that executes "mail" to send email
Comment 4 Miroslav Grepl 2015-12-18 15:33:32 UTC 
Could you attach raw AVC messages?

Thank you.
Comment 5 Gordon Messmer 2015-12-21 06:27:52 UTC 
I can, but they're not meaningful.  They document the problem with only one non-Sendmail Inc. sendmail binary, and in only one configuration.  Adding these will not remedy the problem completely.

type=USER_AVC msg=audit(1450678921.538:9380): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { read } for  pid=8480 comm="submit" name="enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.614:9384): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { read } for  pid=8480 comm="submit" name="aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9386): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9387): avc:  denied  { lock } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9388): avc:  denied  { read } for  pid=8480 comm="submit" name="locals" dev="dm-1" ino=143725 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file
Comment 6 Miroslav Grepl 2016-01-04 09:32:24 UTC 
You are right, it makes sense.
Comment 7 Lukas Vrabec 2016-03-11 16:13:52 UTC 
We have more troubles around labeling mailx. I'm going to test it. 

Thank you for reporting bug.
Comment 10 errata-xmlrpc 2016-11-04 02:17:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html