Bug 1657327
| Summary: | arpwatch service cannot send e-mails | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Zdenek Pytela <zpytela> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 29 | CC: | dwalsh, lvrabec, mgrepl, plautrba, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.2-47.fc29 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-01-18 02:14:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1644568 | ||
| Bug Blocks: | |||
Sending e-mails is a part of core functionality of arpwatch. In newer fedoras, the esmtp package is installed which provides the sendmail rpm-capability. The ~arpwatch directory is a data directory for the service with a specific context, therefore the daemon is unable to create the ~/.esmtp-queue directory for enqueueing e-mails. An equivalency rule cannot be used as /var/lib/arpwatch is the daemon working directory. Pull request: https://github.com/fedora-selinux/selinux-policy-contrib/pull/76 Also note a rule like this may be required for all daemons with a specific home directory which send e-mails. Requires bz 1644568 to be resolved so that the esmtp service can start. Additionally, labeling for the directory needs to be put in place using one of these approaches: 1. patching the esmtp package so that it adjusts the directory context right after running mkdir 2. include /var/lib/arpwatch/.esmtp_queue with the correct label in the rpm package 3. add a file transition rule into the policy as well 4. suggest to run mkdir && restorecon as a workaround Another pull request created: https://github.com/fedora-selinux/selinux-policy-contrib/pull/77 to add the file transition for /var/lib/arpwatch/.esmtp_queue (option 3 in the previous comment) PR merged. selinux-policy-3.14.2-47.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346 selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346 selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: The arpwatch service cannot send e-mails about the changes in data file. Version-Release number of selected component (if applicable): arpwatch-2.1a15-43.fc29.x86_64 selinux-policy-targeted-3.14.2-42.fc29.noarch How reproducible: Always Steps to Reproduce: 1. Install arpwatch 2. Start the arpwatch service 3. Check for AVC denials Actual results: AVC denials appear in the log: allow system_mail_t arpwatch_data_t:dir { add_name create read remove_name write }; allow system_mail_t arpwatch_data_t:file { create getattr link open read setattr unlink write }; Expected results: No AVC denials Additional info: The esmtp package is the default sendmail provider in newer Fedoras. Arpwatch starts sending e-mails once bz 1644568 is resolved or the arpwatch_t domain is in permissive mode.