Bug 1716937
| Field | Value |
|---|---|
| Summary | SELinux prevents opendkim from executing /usr/bin/bash |
| Product | Fedora |
| Component | selinux-policy-targeted |
| Version | 30 |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | medium |
| Reporter | Göran Uddeborg <goeran> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Ben Levenson <benl> |
| CC | dwalsh |
| Keywords | Reopened |
| Type | Bug |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Last Closed | 2019-10-02 19:44:21 UTC |
Description
Göran Uddeborg
2019-06-04 12:28:21 UTC
Hi, Are you able to reproduce it? Thanks, Lukas.

Created attachment 1579919 [details]
AVC:s in permissive mode
Yes! After some failed attempts I've finally managed to reproduce it. It happens when I receive an email with a DKIM signature that is INvalid. It doesn't happen too often, thus a bit hard to find.
Anyway, when I found this, I could reproduce it by sending myself an intentionally broken message. What Opendkim tries to do is to send postmaster a message reporting about the failure. It executes the system call
```
execve("/bin/sh", ["sh", "-c", "/usr/sbin/sendmail -t -fpostmaster"], ["LANG=sv_SE.utf8", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin", "HOME=/var/run/opendkim", "LOGNAME=opendkim", "USER=opendkim", "INVOCATION_ID=1173df22a0f6463b8c630ac1ae70a61a", "JOURNAL_STREAM=9:39867", "OPTIONS=-x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid", "DKIM_SELECTOR=default", "DKIM_KEYDIR=/etc/opendkim/keys"] <unfinished ...>
```
This is the call that fails in enforcing mode. Obviously, it will shortly after that try to exec the sendmail binary too, which would also have failed.
I put my machine in permissive mode, and repeated the experiment. I got the following AVC:s in the attached file. I guess not all those should be allowed. My understanding is that dkim_milter_t should be allowed to execute shell_exec_t and sendmail_exec_t, and to transition into the sendmail_t domain. But I'm sure you know this better than I do!
```
commit 36d8b45d3923aa95555125258ba53e5fb43a376f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jun 14 22:49:53 2019 +0200

    Allow dkim_milter_t to use shell
    BZ(1716937)
```

So far so good, but that still doesn't allow it to transition into sendmail_t when later executing sendmail, does it?

FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

I don't understand why, but I can't see any difference. I have the following installed:

```
selinux-policy-3.14.3-39.fc30.noarch
selinux-policy-targeted-3.14.3-39.fc30.noarch
selinux-policy-devel-3.14.3-39.fc30.noarch
selinux-policy-sandbox-3.14.3-39.fc30.noarch
selinux-policy-doc-3.14.3-39.fc30.noarch
```

When I give sendmail a mail with a broken signature, I still get this AVC:

```
type=AVC msg=audit(1561490481.576:346018): avc: denied { execute } for pid=29243 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
```

```
commit 2a22f41f1795f6f53324f330b3632b376c2f1430 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 1 22:02:00 2019 +0200

    Allow dkim_milter_t domain to execute shell
    BZ(17116937)
```

FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

With 3.14.3-40.fc30 it comes further. The original AVC is gone now. But opendkim still fails when it tries to execute sendmail in order to actually report the failure. (See comment 2 for what the shell being executed will try to do.)

```
time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557821): avc: denied { execute } for pid=17358 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557822): avc: denied { getattr } for pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557823): avc: denied { getattr } for pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
```

selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Not fully resolved yet as indicated above, so I reopen. (Let me know if you prefer a separate bugzilla for the remaining problems.)

```
commit 9250a22c9745056b5175bcdc0edef65662a61b77 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 16 22:23:20 2019 +0200

    Allow dkim-milter to send e-mails
    BZ(1716937)
```

FEDORA-2019-b156bd756a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b156bd756a

selinux-policy-3.14.3-41.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b156bd756a

With 3.14.3-41.fc30 I still see the following AVCs. To my eyes, it looks very similar to what it looked before. (As a consequence, the warning mail is still not sent.)

```
time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155244): avc: denied { execute } for pid=26909 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155245): avc: denied { getattr } for pid=26909 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155246): avc: denied { getattr } for pid=26909 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
```

selinux-policy-3.14.3-41.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

As before, reopening since not fully resolved.

Closing again.

I reopened since the functionality wasn't there yet. But since this is because of other problems later in the process, I created a separate bug 1757950 to take care of those.
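The AVC records quoted in this bug are a small but complete triage case: a bare `execute` on `shell_exec_t` is a plain allow, while `execute` on `sendmail_exec_t` is the symptom of a missing domain transition into `sendmail_t`, exactly the distinction the reporter raises. The script below is an added example, not code from the bug or from selinux-policy: it parses the AVC lines from this report (embedded as sample input), unions the denied permissions per (source type, target type, class) the way audit2allow does, renders them as TE allow rules, and separately flags targets that are another domain's entrypoint so the reviewer asks for a transition instead of the literal rule. The `ENTRYPOINT_DOMAINS` map is an assumption holding only the pair discussed here.

```python
import re
from collections import defaultdict

# Three AVC records quoted in this bug, embedded here as the sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(1561490481.576:346018): avc: denied { execute } for pid=29243 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562839059.337:557821): avc: denied { execute } for pid=17358 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562839059.337:557822): avc: denied { getattr } for pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
"""

# Assumed map of entrypoint types to the domain they are meant to run in;
# only the pair discussed in this bug is listed.
ENTRYPOINT_DOMAINS = {"sendmail_exec_t": "sendmail_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source type, target type, class, denied perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m["scontext"].split(":")[2]   # user:role:TYPE:level
    ttype = m["tcontext"].split(":")[2]
    return stype, ttype, m["tclass"], frozenset(m["perms"].split())

def collect_rules(text):
    """Union the denied permissions per (source, target, class) triple."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_allow(rules):
    """Render the grouped denials as TE allow rules, sorted for stable output."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out

def transition_targets(rules):
    """Executes of another domain's entrypoint: a bare allow would run that
    binary inside the caller's domain, so a domain transition is the fix."""
    return [(s, t, ENTRYPOINT_DOMAINS[t]) for (s, t, c) in sorted(rules)
            if c == "file" and "execute" in rules[(s, t, c)] and t in ENTRYPOINT_DOMAINS]
```

Fed the full `ausearch -m AVC` output instead of the sample, the same functions show at a glance which denials are plain file permissions and which ones (here `sendmail_exec_t`) call for a transition rule.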