Bug 1167468

Summary: Files in /etc/mail have wrong context
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.2
Status: CLOSED ERRATA
Severity: low
Priority: low
Reporter: Martin Žember <mzember>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: dapospis, ebenes, lvrabec, mgrepl, mmalik, mzember, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-133.el7
Last Closed: 2017-08-01 15:10:10 UTC

Description Martin Žember 2014-11-24 20:57:01 UTC
Description of problem:
/etc/mail/virtusertable.db has wrong SELinux context.

There are more files like that:
    Mislabeled regular file '/etc/mail/virtusertable.db' found. Labeled as 'system_u:object_r:etc_mail_t:s0', should be 'system_u:object_r:etc_aliases_t:s0'.
    Mislabeled regular file '/etc/mail/access.db' found. Labeled as 'system_u:object_r:etc_mail_t:s0', should be 'system_u:object_r:etc_aliases_t:s0'.
    Mislabeled regular file '/etc/mail/domaintable.db' found. Labeled as 'system_u:object_r:etc_mail_t:s0', should be 'system_u:object_r:etc_aliases_t:s0'.
    Mislabeled regular file '/etc/mail/mailertable.db' found. Labeled as 'system_u:object_r:etc_mail_t:s0', should be 'system_u:object_r:etc_aliases_t:s0'.
    Mislabeled regular file '/etc/mail/aliasesdb-stamp' found. Labeled as 'system_u:object_r:etc_mail_t:s0', should be 'system_u:object_r:etc_aliases_t:s0'.

Version-Release number of selected component (if applicable):
RHEL-7.1-20141029.0

How reproducible:
Always

Steps to Reproduce:
1. Use the compose RHEL-7.1-20141029.0 (sendmail is already installed)
2. ls -Z /etc/mail/virtusertable.db

Actual results:
-rw-r-----. root root system_u:object_r:etc_mail_t:s0  /etc/mail/virtusertable.db


Expected results:
-rw-r-----. root root system_u:object_r:etc_aliases_t:s0 /etc/mail/virtusertable.db


Additional info:
Labels are inherited automatically from /etc/mail when sendmail is installed.

They could be relabelled in scriptlets or fixed in selinux-policy by transition rules. I do not know which one is the correct solution.

A scriptlet is doing this with the files:
# rpm -q --scripts sendmail | grep db
        chown root /etc/aliases.db /etc/mail/access.db /etc/mail/mailertable.db /etc/mail/domaintable.db /etc/mail/virtusertable.db

Running restorecon on those would re-label the files with correct labels.

Comment 2 Martin Žember 2014-11-24 21:09:47 UTC
# rpm -q selinux-policy
selinux-policy-3.13.1-6.el7.noarch

Comment 6 Jaroslav Škarvada 2015-02-17 20:35:53 UTC
They are created in %post by calling make which calls makemap. Reassigning to selinux-policy.

Comment 7 Miroslav Grepl 2015-04-09 11:13:14 UTC
We need to update

mta_filetrans_named_content()

Comment 10 Dalibor Pospíšil 2015-09-22 08:56:57 UTC
# yum remove sendmail
# rpm -q selinux-policy
selinux-policy-3.13.1-31.el7.noarch
# yum install -y /etc/mail/virtusertable.db
# ls -Z /etc/mail/virtusertable.db
-rw-r-----. root root unconfined_u:object_r:etc_mail_t:s0 /etc/mail/virtusertable.db
# restorecon -Rv /etc/mail
restorecon reset /etc/mail/virtusertable.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/access.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/domaintable.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/mailertable.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/aliasesdb-stamp context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0

This also happens on selinux-policy-3.13.1-52.el7.

Comment 13 Miroslav Grepl 2015-09-22 15:04:14 UTC
OK, filename transition rules are not applied. Any idea when/how these files are created?

Comment 17 Lukas Vrabec 2016-06-22 15:15:31 UTC
Could anybody test this issue? I believe this is already fixed. 

Thank you.

Comment 18 Dalibor Pospíšil 2016-07-04 11:40:49 UTC
It appears to me not fixed yet.

# yum remove sendmail
# rpm -q selinux-policy
selinux-policy-3.13.1-83.el7.noarch
# ls -Z /etc/mail/virtusertable.db
-rw-r-----. root root unconfined_u:object_r:etc_mail_t:s0 /etc/mail/virtusertable.db
# restorecon -Rv /etc/mail
restorecon reset /etc/mail/virtusertable.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/access.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/domaintable.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/mailertable.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/aliasesdb-stamp context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0

Shouldn't it be fixed in the postinstall scriptlet by calling restorecon?
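
Added example (not part of the bug report and not code from sendmail or selinux-policy): a POSIX shell check that parses restorecon -v output in the format quoted in comments 10 and 18 and reports only the files whose SELinux type would change, so that a dry run (restorecon -Rnv) can be used to verify labels after a package install. The function names and the sample lines are constructed for illustration; the third sample line is a constructed case in which only the SELinux user differs.

```shell
#!/bin/sh
# Expected input line format (as shown in this bug):
#   restorecon reset PATH context OLD_CONTEXT->NEW_CONTEXT

# Constructed sample input. The last line changes only the SELinux user,
# not the type, and must therefore not be reported as type drift.
SAMPLE='restorecon reset /etc/mail/virtusertable.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/access.db context unconfined_u:object_r:etc_mail_t:s0->unconfined_u:object_r:etc_aliases_t:s0
restorecon reset /etc/mail/sendmail.cf context unconfined_u:object_r:etc_mail_t:s0->system_u:object_r:etc_mail_t:s0'

# Read restorecon -v output on stdin; print "PATH OLD_TYPE NEW_TYPE" for
# every file whose type (third colon-separated field of the context) differs.
type_changes() {
    awk '
        $1 == "restorecon" && $2 == "reset" && $(NF-1) == "context" {
            split($NF, ctx, "->")              # ctx[1] = old, ctx[2] = new
            split(ctx[1], o, ":")
            split(ctx[2], n, ":")
            path = $3                          # rejoin paths containing spaces
            for (i = 4; i < NF - 1; i++) path = path " " $i
            if (o[3] != n[3]) print path, o[3], n[3]
        }'
}

# Print the drift and return 1 if any file has the wrong type, else return 0.
report_drift() {
    drift=$(type_changes)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Dry-run audit of a directory: -n reports without relabeling, -R recurses,
# -v prints one line per file that differs from the policy's file contexts.
audit_dir() {
    restorecon -Rnv "$1" 2>/dev/null | report_drift
}

# Demonstration on the constructed sample (no SELinux needed for this part).
printf '%s\n' "$SAMPLE" | type_changes
```

On an affected system, audit_dir /etc/mail run after installing sendmail would list the .db files with etc_mail_t and etc_aliases_t as old and new type and return a non-zero status.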

Comment 22 errata-xmlrpc 2017-08-01 15:10:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861