Bug 1323224

Summary: mailx fails when used with mail server other than Sendmail Inc sendmail or postfix
Product: [Fedora] Fedora
Reporter: Lukas Vrabec <lvrabec>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 25
CC: dominick.grift, dwalsh, gordon.messmer, lvrabec, mgrepl, mmalik, plautrba, pvrabec
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-181.fc25 selinux-policy-3.13.1-208.fc25 selinux-policy-3.13.1-225.20.fc25 selinux-policy-3.13.1-225.22.fc25 selinux-policy-3.13.1-225.23.fc25
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1162305
Environment:
Last Closed: 2017-11-01 16:39:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lukas Vrabec 2016-04-01 15:15:19 UTC
+++ This bug was initially created as a clone of Bug #1162305 +++

Description of problem:
/bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail.

Because mailx isn't SUID, there's virtually no value in transitioning to the sendmail_t domain on execution.  When Sendmail Inc sendmail or Postfix is used, the sendmail_t transition will occur on execution of their sendmail binary, and its behavior will be confined correctly.

That is, there is no benefit to labeling /sbin/mailx and no cost to not labeling it.

Could you please remove the sendmail_exec_t label on /sbin/mailx from policy, so that it is labeled bin_t?

How reproducible:
Always.

Steps to Reproduce:
1. Install Courier MTA (for example)
2. Install cron job that executes "mail" to send email

--- Additional comment from RHEL Product and Program Management on 2014-11-10 14:57:05 EST ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Libor Miksik on 2015-03-11 11:20:56 EDT ---

Since the release flag was set to ? after the qa_ack and pm_ack flags were set to + (was likely set for the previous release), the qa_ack and pm_ack flags have been reset to ? by the bugbot (pm-rhel). This action ensures the proper review by Product Management.

--- Additional comment from Libor Miksik on 2015-11-04 00:34:42 EST ---

Since the release flag was set to ? after the qa_ack and pm_ack flags were set to + (was likely set for the previous release), the qa_ack and pm_ack flags have been reset to ? by the bugbot (pm-rhel). This action ensures the proper review by Product Management.

--- Additional comment from Miroslav Grepl on 2015-12-18 10:33:32 EST ---

Could you attach raw AVC messages?

Thank you.

--- Additional comment from Gordon Messmer on 2015-12-21 01:27:52 EST ---

I can, but they're not meaningful.  They document the problem with only one non-Sendmail Inc. sendmail binary, and in only one configuration.  Adding these will not remedy the problem completely.

type=USER_AVC msg=audit(1450678921.538:9380): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { read } for  pid=8480 comm="submit" name="enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.614:9384): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { read } for  pid=8480 comm="submit" name="aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9386): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9387): avc:  denied  { lock } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9388): avc:  denied  { read } for  pid=8480 comm="submit" name="locals" dev="dm-1" ino=143725 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file
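
An added example, not part of the bug report or of any SELinux tool: a small parser that groups the AVC denials quoted in the comment above by source type, target type and object class, so the domain actually being denied is visible at a glance. The function names are hypothetical; the sample lines are copied from the comment.

```python
import re
from collections import defaultdict

# Five of the audit records quoted in the comment above, copied from the page.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1450678921.538:9380): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { read } for  pid=8480 comm="submit" name="enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9386): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9387): avc:  denied  { lock } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9388): avc:  denied  { read } for  pid=8480 comm="submit" name="locals" dev="dm-1" ino=143725 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field (third colon-separated part) of a context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip USER_AVC policy-load notices and other records
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)


def as_rules(denials):
    """Render the summary in allow-rule form for review, not for loading."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(denials.items())
    ]


if __name__ == "__main__":
    for rule in as_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The grouped output is a reading aid for the denials; it only covers the one Courier configuration that produced these records.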

--- Additional comment from Miroslav Grepl on 2016-01-04 04:32:24 EST ---

You are right, it makes sense.

--- Additional comment from Lukas Vrabec on 2016-03-11 11:13:52 EST ---

We have more trouble around labeling mailx. I'm going to test it.

Thank you for reporting the bug.

Comment 1 Jan Kurik 2016-07-26 04:37:42 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 2 Fedora Update System 2016-08-12 15:57:31 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1

Comment 3 Fedora Update System 2016-08-17 03:02:43 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2017-08-14 15:22:38 UTC
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 5 Fedora Update System 2017-08-15 03:51:30 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 6 Fedora Update System 2017-08-27 06:22:28 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2017-09-01 09:35:15 UTC
selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

Comment 8 Fedora Update System 2017-09-03 06:25:19 UTC
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

Comment 9 Fedora Update System 2017-09-07 23:20:38 UTC
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2017-10-10 12:01:05 UTC
selinux-policy-3.13.1-225.23.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a

Comment 11 Fedora Update System 2017-10-11 04:22:34 UTC
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a

Comment 12 Fedora Update System 2017-11-01 16:39:44 UTC
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.