Bug 1666004

Summary: SELinux policy prevents mailman working with exim
Product: [Fedora] Fedora
Reporter: David Anderson <fedora-packaging2>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 29
CC: dwalsh, lvrabec, plautrba, zpytela
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.14.2-64.fc29
Doc Type: If docs needed, set a value
Last Closed: 2019-08-18 01:56:36 UTC
Type: Bug

Description David Anderson 2019-01-14 16:07:17 UTC
The details were reported in https://bugzilla.redhat.com/show_bug.cgi?id=1450693 which got automatically closed when Fedora 27 was EOL-ed. The problem is unchanged in Fedora 29.

The same problem still exists in RHEL / CentOS 7.

Currently the work-around is to run your mailer daemon (exim, in my case) unconfined by SELinux.

Here are some example AVCs (which weren't included in the F27 report):

type=AVC msg=audit(1547476466.962:20785635): avc:  denied  { execute } for  pid=3180 comm="exim" name="mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1547476466.962:20785635): avc:  denied  { execute_no_trans } for  pid=3180 comm="exim" path="/usr/lib/mailman/mail/mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
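
The two AVC records above are easier to triage once they are parsed and correlated: the first record carries only `name="mailman"`, the second carries the full `path=`, and both refer to the same `dev`/`ino`. The following Python is an added example, not part of this bug report or of selinux-policy; it embeds the two records as constructed sample input, and the wording returned by `triage()` is this example's own heuristic for a denial that is more likely a labeling problem than a missing allow rule.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the two AVC records quoted in the report above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1547476466.962:20785635): avc:  denied  { execute } for  pid=3180 comm="exim" name="mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1547476466.962:20785635): avc:  denied  { execute_no_trans } for  pid=3180 comm="exim" path="/usr/lib/mailman/mail/mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str
    perms: tuple
    fields: dict

    def ctx_type(self, key):
        # An SELinux context is user:role:type[:range]; the type is field 2.
        return self.fields[key].split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Avc(m.group("result"), tuple(m.group("perms").split()), fields)


def parse_avcs(text):
    return [a for a in map(parse_avc, text.splitlines()) if a is not None]


def summarize_denials(avcs):
    """Collapse denials into (source type, target type, class) -> perms and paths.

    Records that carry only name= are correlated with records for the same
    dev/ino that carry path=, so the summary shows the full path whenever any
    record in the batch had it.
    """
    path_by_inode = {
        (a.fields.get("dev"), a.fields.get("ino")): a.fields["path"]
        for a in avcs if "path" in a.fields
    }
    summary = defaultdict(lambda: {"perms": set(), "paths": set()})
    for a in avcs:
        if a.result != "denied":
            continue
        key = (a.ctx_type("scontext"), a.ctx_type("tcontext"), a.fields.get("tclass"))
        entry = summary[key]
        entry["perms"].update(a.perms)
        path = (a.fields.get("path")
                or path_by_inode.get((a.fields.get("dev"), a.fields.get("ino")))
                or a.fields.get("name"))
        if path:
            entry["paths"].add(path)
    return {k: {"perms": sorted(v["perms"]), "paths": sorted(v["paths"])}
            for k, v in summary.items()}


def triage(summary):
    """Heuristic (this example's own): an execute_no_trans denial on a file means
    the domain tried to run the file in its own domain because the policy defines
    no transition for that file type. When the target type is a generic one such
    as bin_t, the first thing to verify is the file's label, not the allow rules."""
    findings = []
    for (src, tgt, cls), v in summary.items():
        if cls == "file" and "execute_no_trans" in v["perms"]:
            findings.append(
                f"{src} executes {tgt} file(s) {', '.join(v['paths'])} without a "
                "domain transition: compare ls -Z with matchpathcon before adding "
                "an allow rule")
    return findings


if __name__ == "__main__":
    for line in triage(summarize_denials(parse_avcs(SAMPLE_AVCS))):
        print(line)
```

On a live system the same parser can be fed the output of `ausearch -m AVC` instead of the embedded sample; the dev/ino correlation is what turns the bare `name="mailman"` of the first record into a path you can check with `ls -Z`.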

Comment 1 David Anderson 2019-03-13 17:54:16 UTC
Anything further I can do to help with this? Not being able to confine exim, a large daemon with several historical root holes, is not good.

Comment 2 Zdenek Pytela 2019-03-13 20:46:05 UTC
Hi David,

Thank you for reporting the issue and providing the reference to the previous bugzilla. We will investigate it and get back to you.

Comment 3 David Anderson 2019-04-11 13:37:46 UTC
As described in the prior report, the root problem seems to be simple: there are two rules that apply to /usr/lib/mailman/mail/mailman, and they are applied in the wrong order (irrelevant lines snipped):

# semanage fcontext -l |grep /usr/lib/mailman
/usr/lib/mailman.*/mail/mailman                    regular file       system_u:object_r:mailman_mail_exec_t:s0 
/usr/lib/mailman/bin(/.*)?                         all files          system_u:object_r:bin_t:s0 

This can be worked around locally - a new rule manually added will take final precedence:

# semanage fcontext -a -t mailman_mail_exec_t /usr/lib/mailman/mail/mailman
# restorecon /usr/lib/mailman/mail/mailman
# ls -Z /usr/lib/mailman/mail/mailman
-rwxr-sr-x. root mailman system_u:object_r:mailman_mail_exec_t:s0 /usr/lib/mailman/mail/mailman

Comment 4 David Anderson 2019-04-11 13:38:37 UTC
I've performed the work-around in https://bugzilla.redhat.com/show_bug.cgi?id=1666004#c3 and verified that mail now successfully enters mailman from exim (over SMTP), without any AVCs.

Comment 6 Zdenek Pytela 2019-06-14 12:33:46 UTC
David,

Thank you for reporting the issue and for the investigation. It really turns out there are two clashing rules with regexp, just a small correction for the paths:

/usr/lib/mailman/mail(/.*)?                        all files          system_u:object_r:bin_t:s0
/usr/lib/mailman.*/mail/mailman                    regular file       system_u:object_r:mailman_mail_exec_t:s0

I've created a PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/115
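
Why the `bin_t` spec wins over the `mailman_mail_exec_t` one, why the local rule from Comment 3 overrides it, and why an explicit rule fixes it in the shipped policy can all be shown with a small model of the file_contexts lookup. The following Python is an added example, not code from this bug or from selinux-policy/libselinux. It models the lookup as this example's assumptions: the policy's specs are sorted by (stem length, literal-after-regex, regex length) so the most specific spec ends up last, local customizations are appended after the policy's specs, and the last matching spec wins. The "fixed policy" spec is modelled on the commit subject in Comment 7; the exact line in the PR is not quoted on this page.

```python
import re

# Constructed input: the two clashing specs quoted in Comment 6 and the local
# override from Comment 3, in file_contexts form (regex, file-type filter, context).
# "--" restricts a spec to regular files; None means "all files".
POLICY_SPECS = [
    ("/usr/lib/mailman.*/mail/mailman", "--", "system_u:object_r:mailman_mail_exec_t:s0"),
    ("/usr/lib/mailman/mail(/.*)?", None, "system_u:object_r:bin_t:s0"),
]
LOCAL_SPECS = [  # what `semanage fcontext -a -t mailman_mail_exec_t <path>` records
    ("/usr/lib/mailman/mail/mailman", None, "system_u:object_r:mailman_mail_exec_t:s0"),
]
# Assumption: the upstream fix adds a literal spec for the executable (modelled on
# the commit subject in Comment 7; the exact spec in the PR is not on this page).
FIXED_POLICY_SPECS = POLICY_SPECS + [
    ("/usr/lib/mailman/mail/mailman", "--", "system_u:object_r:mailman_mail_exec_t:s0"),
]

META = set(".^$?*+|[](){}\\")


def stem(regex):
    """Literal leading path: every '/'-separated component before the first one
    that contains a regex metacharacter. Its length is the first sort key."""
    literal = []
    for component in regex.split("/")[1:]:
        if any(c in META for c in component):
            break
        literal.append(component)
    return "/" + "/".join(literal)


def sort_key(spec):
    regex, _ftype, _ctx = spec
    has_meta = any(c in META for c in regex)
    # Assumed sort order, ascending: shorter stem first, then regex specs before
    # literal ones, then shorter regex first. The most specific spec ends up last.
    return (len(stem(regex)), not has_meta, len(regex))


def sort_specs(specs):
    return sorted(specs, key=sort_key)


def spec_matches(spec, path, is_regular_file):
    regex, ftype, _ctx = spec
    if ftype == "--" and not is_regular_file:
        return False
    # file_contexts regexes are anchored at both ends, hence fullmatch.
    return re.fullmatch(regex, path) is not None


def label_for(path, policy_specs, local_specs=(), is_regular_file=True):
    """Return (context, winning regex): policy specs in sorted order, local
    customizations appended after them, and the LAST matching spec wins."""
    ordered = sort_specs(policy_specs) + list(local_specs)
    for spec in reversed(ordered):
        if spec_matches(spec, path, is_regular_file):
            return spec[2], spec[0]
    return None, None


def explain(path):
    """Trace the three situations discussed in this bug for one path."""
    cases = (("shipped policy", POLICY_SPECS, ()),
             ("shipped policy + local rule", POLICY_SPECS, LOCAL_SPECS),
             ("fixed policy", FIXED_POLICY_SPECS, ()))
    return "\n".join(f"{name:28s} {label_for(path, pol, loc)[0]}  (matched {label_for(path, pol, loc)[1]})"
                     for name, pol, loc in cases)


if __name__ == "__main__":
    print(explain("/usr/lib/mailman/mail/mailman"))
```

The point the model makes visible: `/usr/lib/mailman.*/mail/mailman` has the short literal stem `/usr/lib` because the first metacharacter sits in the `mailman.*` component, so it sorts before the `mail(/.*)?` spec whose stem is `/usr/lib/mailman`, and the later, less intended spec wins. A literal spec for the executable has the longest possible stem and no metacharacters, so it sorts last and wins without depending on a local override. On a real host, `matchpathcon /usr/lib/mailman/mail/mailman` and `ls -Z` are the checks that confirm which spec actually applies.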

Comment 7 Lukas Vrabec 2019-06-14 14:56:14 UTC
commit cd224374bb8af1cea70d86f9594b9213f23bba03 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 14 13:58:42 2019 +0200

    Create explicit fc rule for mailman executable BZ(1666004)

Comment 8 Fedora Update System 2019-06-18 11:33:08 UTC
FEDORA-2019-096a80ef39 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 9 Fedora Update System 2019-06-19 04:13:58 UTC
selinux-policy-3.14.2-61.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 10 Fedora Update System 2019-07-10 12:47:29 UTC
FEDORA-2019-2eec328cc1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 11 Fedora Update System 2019-07-11 03:10:55 UTC
selinux-policy-3.14.2-62.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 12 Fedora Update System 2019-07-19 08:08:46 UTC
FEDORA-2019-8071724c9b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 13 Fedora Update System 2019-07-20 03:41:52 UTC
selinux-policy-3.14.2-63.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 14 Fedora Update System 2019-08-02 07:50:17 UTC
FEDORA-2019-b51794f502 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 15 Fedora Update System 2019-08-03 02:02:19 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 16 Fedora Update System 2019-08-18 01:56:36 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.