Bug 1545230

Summary: certmonger is not allowed to use local MTA
Product: Red Hat Enterprise Linux 7
Reporter: Thorsten Scherf <tscherf>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 7.4
CC: lvrabec, mgrepl, mjahoda, mkosek, mmalik, mthacker, plautrba, ssekidde, tmihinto, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: Bug Fix
Doc Text:
Previously, an SELinux rule that allows the certmonger daemon to use local Mail Transfer Agent (MTA) was missing. As a consequence, certmonger was not able to send e-mails with SELinux in enforcing mode. With this update, the missing rule has been added to the SELinux system policy, and certmonger can now send e-mails with SELinux in enforcing mode.
Story Points: ---
Clone Of:
Clones: 1588363
Environment:
Last Closed: 2018-10-30 10:02:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1588363
Attachments:
selinux denials (flags: none)

Description Thorsten Scherf 2018-02-14 12:38:06 UTC
Description of problem:
Certmonger can be configured to send notifications about certificates that are going to expire soon either via syslog or mail. While the syslog-based configuration works without any problems, certmonger cannot send emails with SELinux in enforcing mode.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-189.el7.noarch
certmonger-0.78.4-3.el7.x86_64

How reproducible:
- Configure certmonger to send notifications via email:

# grep -v '^#' /etc/certmonger/certmonger.conf
[defaults]
notification_method = mail
notification_destination = root

- Change system date so that a certificate that is tracked by certmonger is going to expire soon (e.g. 10 days before the actual expiration)

Steps to Reproduce:
1.
2.
3.

Actual results:
certmonger does not send an email alert because of SELinux AVC denials.

Expected results:
certmonger is supposed to send an email alert.

Additional info:
# grep AVC /var/log/audit/audit.log | audit2allow

#============= certmonger_t ==============
allow certmonger_t etc_mail_t:dir getattr;
allow certmonger_t etc_mail_t:file { getattr open read };
allow certmonger_t fs_t:filesystem getattr;
allow certmonger_t mqueue_spool_t:dir { add_name getattr open read remove_name search write };
allow certmonger_t mqueue_spool_t:file { create getattr lock open read unlink write };
allow certmonger_t self:process setrlimit;
allow certmonger_t sendmail_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow certmonger_t smtp_port_t:tcp_socket name_connect;
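The audit2allow listing above is a reduction of raw AVC records into one allow rule per (source type, target type, object class). As an added example, not part of this bug report or of the selinux-policy package, the POSIX shell script below performs that same reduction with awk, so the set of accesses certmonger asks for on its mail path can be reviewed against the expected scope (mail configuration, the mail queue, the sendmail binary, the SMTP port) before anyone builds a local policy module. The AVC lines embedded in it are constructed to resemble the denials described here; they are not taken from the attached audit log, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the selinux-policy package:
# turn raw AVC records into grouped "allow" rules, the same reduction that
# produced the audit2allow listing in the report, so the accesses certmonger
# needs for its mail path can be reviewed before any local module is built.

# Read audit records on stdin, emit one "allow src tgt:class { perms };" line
# per (source type, target type, object class). Non-AVC records are skipped.
avc_to_allow_rules() {
    awk '
        /avc: +denied/ {
            # the permission set is the first { ... } group on the line
            if (!match($0, /[{][^}]*[}]/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                # keep only the type component (3rd field) of each context
                if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
                else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src == "" || tgt == "" || cls == "") next
            # audit2allow writes a domain acting on itself as "self"
            if (tgt == src) tgt = "self"
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print src, tgt ":" cls, p[j]
        }' |
    LC_ALL=C sort -u |
    awk '
        { key = $1 " " $2 }
        key != prev {
            if (prev != "") print out " };"
            out = "allow " key " {"; prev = key
        }
        { out = out " " $3 }
        END { if (prev != "") print out " };" }'
}

# Constructed sample records shaped like the denials the report describes
# (not taken from the attached audit log). The SYSCALL record shows that
# non-AVC lines are ignored; the two etc_mail_t:file records are merged.
SAMPLE_AVC='type=AVC msg=audit(1518611886.101:2031): avc:  denied  { getattr } for  pid=4321 comm="certmonger" name="mail" dev="dm-0" ino=1001 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1518611886.101:2031): arch=c000003e syscall=4 success=no exit=-13 comm="certmonger" subj=system_u:system_r:certmonger_t:s0
type=AVC msg=audit(1518611886.102:2032): avc:  denied  { read } for  pid=4321 comm="certmonger" name="sendmail.cf" dev="dm-0" ino=1002 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518611886.103:2033): avc:  denied  { getattr open } for  pid=4321 comm="certmonger" path="/etc/mail/sendmail.cf" dev="dm-0" ino=1002 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518611886.104:2034): avc:  denied  { setrlimit } for  pid=4321 comm="certmonger" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=process permissive=0'

# Rules derived from the sample. On a real host feed the audit log instead:
#   grep AVC /var/log/audit/audit.log | avc_to_allow_rules
certmonger_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
}

certmonger_rules
```

On the sample this prints three rules: `etc_mail_t:dir { getattr }`, `etc_mail_t:file { getattr open read }` and `self:process { setrlimit }`. Reviewing the grouped output is the useful step: every target type should be one certmonger legitimately needs to reach its MTA, and the fix that belongs on a host is the updated selinux-policy named in "Fixed In Version", with a locally generated module only as an interim measure. The one denial audit2allow marks as coverable by the `nis_enabled` boolean is better left to the corrected policy as well, since that boolean is a far broader grant than a single `smtp_port_t name_connect` rule.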

Comment 1 Milos Malik 2018-02-14 12:54:03 UTC
Please attach SELinux denials too:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you

Comment 2 Thorsten Scherf 2018-02-14 13:09:18 UTC
Created attachment 1395899
selinux denials

Comment 3 Martin Kosek 2018-02-15 08:35:38 UTC
It would be good to fix this for both RHEL and Fedora. The certificate renewal is a challenging FreeIPA workflow and having ability to easily send notifications if the certificate renewal fails could save users from dealing with the situation when they miss it and certificates expire.

Comment 4 Milos Malik 2018-02-15 08:41:48 UTC
Do you need the bug fixed in RHEL-7.5?

Comment 5 Thorsten Scherf 2018-02-15 10:07:49 UTC
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

Ideally yes.

Comment 6 Martin Kosek 2018-02-15 10:34:34 UTC
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

It would indeed be good to have it fixed in RHEL-7.5. However, given that it is not a new regression or a blocker for someone, and given that RHEL-7.5 testing is in a late stage, I will not push on it.

It would be good, though, to have it in some 7.5 Batch Update, so that RHEL-7.5 customers can start leveraging certmonger mail notifications before RHEL-7.6 comes.

Comment 7 Thorsten Scherf 2018-04-27 08:17:44 UTC
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

Now that RHEL-7.5 has been GA'ed, would it be feasible to release a 7.5 z-stream to resolve this issue also in the current release?

Comment 16 errata-xmlrpc 2018-10-30 10:02:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111