Bug 1273371
Summary: | SELinux violations with Mail delivery sendmail | ||
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Peter Vreman <peter.vreman> |
Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
Status: | CLOSED UPSTREAM | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 6.1.2 | CC: | bbuckingham, bkearney, lzap, peter.vreman |
Target Milestone: | Unspecified | Keywords: | FutureFeature, Triaged |
Target Release: | Unused | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | http://projects.theforeman.org/issues/12398 | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-02-27 09:07:45 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1122832 |
Description
Peter Vreman
2015-10-20 10:11:19 UTC
Peter, this looks like a harmless bug which we will fix in 6.2. Can you please show me what sendmail tries to append to that file? The issue is in STDERR/STDOUT file handlers, we redirect them in the process into the file, but then when sendmail is spawned and SELinux domain changed, we do not put these handlers back so the child process tries to append there. Most likely there was some problem in delivery and sendmail writes an error to STDERR. Thanks for the report!

Upstream bug component is SELinux

I did a setenforce Permissive and then synced a repo with ErrataMail configured. The SELinux alert is logged, but the /var/run/foreman/pids/dynflow_executor.output is not updated, see also the stat output:

```
[crash] root@li-lc-1578:~# getenforce
Permissive

Dec 12 13:03:02 li-lc-1578 setroubleshoot: SELinux is preventing /usr/sbin/sendmail.postfix from append access on the file /var/run/foreman/pids/dynflow_executor.output. For complete SELinux messages. run sealert -l f18505a6-ebc3-4770-8205-106d83deb862
Dec 12 13:03:03 li-lc-1578 setroubleshoot: SELinux is preventing /usr/sbin/sendmail.postfix from getattr access on the file /var/run/foreman/pids/dynflow_executor.output. For complete SELinux messages. run sealert -l 8fa5b509-f57e-4a4f-874b-7b21fd42e281
Dec 12 13:03:03 li-lc-1578 setroubleshoot: SELinux is preventing /usr/sbin/postdrop from append access on the file /var/run/foreman/pids/dynflow_executor.output. For complete SELinux messages. run sealert -l 9883532b-2900-4b27-b4b0-5a552b7cd0cf
Dec 12 13:03:03 li-lc-1578 setroubleshoot: SELinux is preventing /usr/sbin/postdrop from getattr access on the file /var/run/foreman/pids/dynflow_executor.output. For complete SELinux messages. run sealert -l 55482ba8-7211-49eb-b09a-0af8f5bf0e8a

[crash] root@li-lc-1578:~# cat /var/run/foreman/pids/dynflow_executor.output
Starting Rails environment
API controllers newer than Apipie cache! Run apipie:cache rake task to regenerate cache.
/opt/rh/ruby193/root/usr/share/gems/gems/ffi-1.0.9/lib/ffi/platform.rb:27: Use RbConfig instead of obsolete and deprecated Config.
/usr/share/foreman/app/models/concerns/encryptable.rb:5: warning: already initialized constant ENCRYPTION_PREFIX
/usr/share/foreman/app/models/concerns/encryptable.rb:5: warning: already initialized constant ENCRYPTION_PREFIX
/usr/share/foreman/app/models/concerns/encryptable.rb:5: warning: already initialized constant ENCRYPTION_PREFIX
Starting listener
Everything ready

[crash] root@li-lc-1578:~# stat /var/run/foreman/pids/dynflow_executor.output
  File: `/var/run/foreman/pids/dynflow_executor.output'
  Size: 621 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 1200391 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 494/ foreman) Gid: ( 493/ foreman)
Access: 2015-12-12 12:49:40.846866122 +0000
Modify: 2015-12-12 12:15:14.193413296 +0000
Change: 2015-12-12 12:15:14.193413296 +0000
[crash] root@li-lc-1578:~#
```

Ok that's fine, the apipie:cache is just a warning, not an error. For the record, we are tracking this as a low-priority bug as it does not affect anything (IIUC).

I have a pending patch in one of our Ruby dependencies to fix the leaked file descriptor: https://github.com/thuehlinger/daemons/pull/43

Patch was accepted upstream in the rubygem daemons, output will be now in syslog rather than leaked descriptor: https://github.com/theforeman/foreman-tasks/pull/234

lzap, is this comment for the correct bug?

Huh, well this is a valid bug, it's not urgent as this is a file descriptor leak. Fixed upstream, we need to wait until they release a new version.

I am going to close this bug as we track this problem upstream and it will be part of the Satellite future releases.
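
The descriptor inheritance discussed in this report, reproduced as an added Ruby example (not code from Foreman, foreman-tasks or the daemons gem): a forked stand-in daemon reopens STDOUT/STDERR onto an output file, then spawns a constructed helper in place of sendmail. `HELPER_SRC`, `helper_stderr_target`, `LEAKY` and `HARDENED` are hypothetical names, and SELinux itself is not involved.

```ruby
require "rbconfig"
require "tempfile"

# Constructed stand-in for sendmail/postdrop: it fstat()s its fd 2 and records the
# result in the file named by ARGV[0], then writes an error message to fd 2.
HELPER_SRC = <<~'RUBY'
  st = STDERR.stat
  File.write(ARGV[0], "#{st.ftype} #{st.ino}")
  STDERR.puts "helper: delivery failed"
RUBY

LEAKY    = {}.freeze                                       # helper inherits the daemon's fd 1/2
HARDENED = { out: File::NULL, err: File::NULL }.freeze     # helper gets /dev/null instead

# Plays the daemon in a forked process so the caller's own stdio is untouched.
# Returns [file type behind the helper's fd 2,
#          true if that fd is the daemon's output file,
#          contents of the daemon's output file afterwards].
def helper_stderr_target(spawn_opts)
  Tempfile.create("executor.output") do |output|
    Tempfile.create("helper.report") do |report|
      daemon = fork do
        STDOUT.reopen(output.path, "a")
        STDERR.reopen(output.path, "a")
        pid = spawn(RbConfig.ruby, "-e", HELPER_SRC, report.path, **spawn_opts)
        Process.wait(pid)
        exit!(0) # skip ensure blocks so the forked copy does not unlink the temp files
      end
      Process.wait(daemon)
      ftype, ino = File.read(report.path).split
      [ftype, ino.to_i == File.stat(output.path).ino, File.read(output.path)]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p leaky: helper_stderr_target(LEAKY)
  p hardened: helper_stderr_target(HARDENED)
end
```

In the leaky case the helper's fstat and write land on the daemon's output file, which are the operations SELinux checks as getattr and append. Discarding output as in `HARDENED` loses the helper's error text, so a daemon that wants it has to capture it and log it itself.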