Bug 1657327

Summary: arpwatch service cannot send e-mails
Product: Fedora
Reporter: Zdenek Pytela <zpytela>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 29
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.2-47.fc29
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2019-01-18 02:14:07 UTC
Bug Depends On: 1644568

Description Zdenek Pytela 2018-12-07 16:28:40 UTC
Description of problem:
The arpwatch service cannot send e-mails about the changes in data file.

Version-Release number of selected component (if applicable):
arpwatch-2.1a15-43.fc29.x86_64
selinux-policy-targeted-3.14.2-42.fc29.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install arpwatch
2. Start the arpwatch service
3. Check for AVC denials

Actual results:
AVC denials appear in the log:
allow system_mail_t arpwatch_data_t:dir { add_name create read remove_name write };
allow system_mail_t arpwatch_data_t:file { create getattr link open read setattr unlink write };

Expected results:
No AVC denials

Additional info:
The esmtp package is the default sendmail provider in newer Fedoras.
Arpwatch starts sending e-mails once bz 1644568 is resolved or the arpwatch_t domain is in permissive mode.

Comment 1 Zdenek Pytela 2018-12-18 16:15:08 UTC
Sending e-mails is a part of core functionality of arpwatch. In newer Fedoras, the esmtp package is installed which provides the sendmail rpm-capability. The ~arpwatch directory is a data directory for the service with a specific context, therefore the daemon is unable to create the ~/.esmtp-queue directory for enqueueing e-mails. An equivalency rule cannot be used as /var/lib/arpwatch is the daemon working directory.

Pull request:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/76

Also note that a rule like this may be required for all daemons with a specific home directory which send e-mails.

Requires bz 1644568 to be resolved so that the esmtp service can start.

Additionally, labeling for the directory needs to be put in place using one of these approaches:
1. patching the esmtp package so that it adjusts the directory context right after running mkdir
2. include /var/lib/arpwatch/.esmtp_queue with the correct label in the rpm package
3. add a file transition rule into the policy as well
4. suggest to run mkdir && restorecon as a workaround
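
The following is an added example, not code from the bug report or from the merged selinux-policy-contrib pull requests. It shows what options 3 and 4 above look like as a local policy module: the allow rules copied from the audit2allow output in the description, a named type_transition so that a directory called .esmtp_queue created by system_mail_t inside arpwatch_data_t is labeled at creation time, and the mkdir && restorecon workaround for a directory that already exists. The module name local_arpwatch_esmtp and the helper names are made up for this example. The target type mail_home_rw_t is an assumption: it is the type Fedora's mta policy uses for ~/.esmtp_queue in user home directories, and whether the merged PR used that type or another one is not stated on this page.

```shell
#!/bin/sh
# Added example, not from the bug or the merged PRs.
# Builds and installs a local SELinux module for the arpwatch/esmtp case and
# labels an already existing queue directory. Needs root and the
# checkpolicy / policycoreutils-python-utils tools to actually install.

MODULE_NAME=local_arpwatch_esmtp
QUEUE_DIR=/var/lib/arpwatch/.esmtp_queue
# Assumption: the type Fedora's mta policy uses for ~/.esmtp_queue in home
# directories. Replace it if the distribution policy uses a different type.
QUEUE_TYPE=mail_home_rw_t
# fcontext regex for semanage; the dot is escaped because it is a regex.
QUEUE_FC='/var/lib/arpwatch/\.esmtp_queue(/.*)?'

# Emit the policy source in raw module language (no refpolicy m4 macros) so
# it builds with checkmodule alone, without the selinux-policy-devel headers.
gen_te() {
    cat <<EOF
module $MODULE_NAME 1.0;

require {
    type system_mail_t;
    type arpwatch_data_t;
    type $QUEUE_TYPE;
    class dir { add_name create read remove_name write };
    class file { create getattr link open read setattr unlink write };
}

# Exactly the permissions from the audit2allow output in the bug report.
# If further denials appear after installing, rerun audit2allow and extend.
allow system_mail_t arpwatch_data_t:dir { add_name create read remove_name write };
allow system_mail_t arpwatch_data_t:file { create getattr link open read setattr unlink write };

# Named type transition (option 3): a dir called .esmtp_queue created by
# system_mail_t under arpwatch_data_t gets $QUEUE_TYPE instead of
# inheriting arpwatch_data_t from its parent. system_mail_t is assumed to
# already be allowed to create dirs of type $QUEUE_TYPE by the mta policy.
type_transition system_mail_t arpwatch_data_t:dir $QUEUE_TYPE ".esmtp_queue";
EOF
}

# Compile the .te into a .pp and load it. Returns checkmodule/semodule status.
install_module() {
    tmp=$(mktemp -d) || return 1
    gen_te > "$tmp/$MODULE_NAME.te"
    checkmodule -M -m -o "$tmp/$MODULE_NAME.mod" "$tmp/$MODULE_NAME.te" &&
        semodule_package -o "$tmp/$MODULE_NAME.pp" -m "$tmp/$MODULE_NAME.mod" &&
        semodule -i "$tmp/$MODULE_NAME.pp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Option 4 from comment 1: create the queue dir and fix its label now.
# The type_transition only applies to directories created after the module is
# loaded, so a directory created earlier keeps arpwatch_data_t until relabeled.
# The fcontext entry makes restorecon (and future relabels) pick the right type.
label_queue_dir() {
    semanage fcontext -a -t "$QUEUE_TYPE" "$QUEUE_FC" 2>/dev/null ||
        semanage fcontext -m -t "$QUEUE_TYPE" "$QUEUE_FC" || return 1
    mkdir -p "$QUEUE_DIR" && restorecon -Rv "$QUEUE_DIR" && ls -dZ "$QUEUE_DIR"
}

# Only act when explicitly asked, so the file can be sourced safely.
case "${1:-}" in
    --print)   gen_te ;;
    --install) install_module && label_queue_dir ;;
esac
```

Run with --print to inspect the generated module, and with --install as root to load it and relabel the queue directory. Afterwards check `ls -dZ /var/lib/arpwatch/.esmtp_queue` and `ausearch -m AVC -ts recent` once arpwatch has a change to report. This only addresses the labeling and permissions on the queue; esmtp still has to be able to start, which is the separate bz 1644568.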

Comment 2 Zdenek Pytela 2018-12-18 16:49:11 UTC
Another pull request created:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/77

to add the file transition for /var/lib/arpwatch/.esmtp_queue (option 3 in the previous comment)

Comment 3 Lukas Vrabec 2019-01-14 16:56:19 UTC
PR merged.

Comment 4 Fedora Update System 2019-01-16 16:16:51 UTC
selinux-policy-3.14.2-47.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346

Comment 5 Fedora Update System 2019-01-17 02:11:24 UTC
selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346

Comment 6 Fedora Update System 2019-01-18 02:14:07 UTC
selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.