Bug 1162305

Summary: mailx fails when used with mail server other than Sendmail Inc sendmail or postfix
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Reporter: Gordon Messmer <gordon.messmer>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: gordon.messmer, lvrabec, mgrepl, mmalik, plautrba, pvrabec
Status: CLOSED ERRATA
Severity: unspecified
Priority: low
Target Milestone: rc
Type: Bug
Doc Type: Bug Fix
Fixed In Version: selinux-policy-3.13.1-81.el7
Clones: 1166664, 1210298, 1323224
Bug Blocks: 1166664, 1210298
Last Closed: 2016-11-04 02:17:50 UTC

Description Gordon Messmer 2014-11-10 19:40:55 UTC
Description of problem:
/bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail.

Because mailx isn't SUID, there's virtually no value in transitioning to the sendmail_t domain on execution.  When Sendmail Inc sendmail or Postfix is used, the sendmail_t transition will occur on execution of their sendmail binary, and its behavior will be confined correctly.

That is, there is no benefit to labeling /sbin/mailx and no cost to not labeling it.

Could you please remove the sendmail_exec_t label on /sbin/mailx from policy, so that it is labeled bin_t?

How reproducible:
Always.

Steps to Reproduce:
1. Install Courier MTA (for example)
2. Install cron job that executes "mail" to send email

Comment 4 Miroslav Grepl 2015-12-18 15:33:32 UTC
Could you attach raw AVC messages?

Thank you.

Comment 5 Gordon Messmer 2015-12-21 06:27:52 UTC
I can, but they're not meaningful.  They document the problem with only one non-Sendmail Inc. sendmail binary, and in only one configuration.  Adding these will not remedy the problem completely.

type=USER_AVC msg=audit(1450678921.538:9380): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { read } for  pid=8480 comm="submit" name="enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.614:9384): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { read } for  pid=8480 comm="submit" name="aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9386): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9387): avc:  denied  { lock } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9388): avc:  denied  { read } for  pid=8480 comm="submit" name="locals" dev="dm-1" ino=143725 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file

Comment 6 Miroslav Grepl 2016-01-04 09:32:24 UTC
You are right, it makes sense.

Comment 7 Lukas Vrabec 2016-03-11 16:13:52 UTC
We have more trouble around labeling mailx. I'm going to test it.

Thank you for reporting this bug.

Comment 10 errata-xmlrpc 2016-11-04 02:17:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html