Bug 172470
| Summary: | mgetty post receive fax operations fail with SELinux enabled | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Brad Wade <bugzilla> | ||||||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||||||
| Status: | CLOSED RAWHIDE | QA Contact: | |||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | 5 | CC: | newchief | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | i386 | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2006-05-05 15:01:56 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Brad Wade
2005-11-04 22:05:24 UTC
Created attachment 120850 [details]
local.te
I looked at some of the other bug reports dealing with selinux-targeted and saw
that if I do the following, then I can create a local policy that will allow
the previously blocked items to run:
1. # /usr/sbin/setenforce 0
2. Stopped the auditd daemon.
3. Cleared the /var/log/audit/audit.log file (actually, I just backed it up by
renaming it)
4. Started the auditd daemon.
5. Received a fax.
6. # cd /etc/selinux/targeted/src/policy/
7. # /usr/bin/audit2allow -i < /var/log/audit/audit.log >>
domains/misc/local.te
I have attached the resulting local.te file. I am quite surprised at the
entries in local.te--mgetty seems to want to access everything. Also, I had to
comment out the
#allow getty_t unconfined_t:dir { getattr read search };
line so that I could run "make load" in the /etc/selinux/targeted/src/policy/
directory. After running "make load", I can now receive faxes and have my
new_fax script run properly.
I will also post my new_fax script.
Created attachment 120852 [details]
Post-fax receive script run by mgetty
My new_fax script is actually a combination of new_fax.hpa and printfax located
in /usr/share/doc/mgetty-1.1.33/samples/ with some minor customizations (I
couldn't get pbmtolj working). I have commented out the username where I send
email. I have an HP LaserJet 5L printer and the script works great for
printing.
I should also note that mgetty is also not allowed to save faxes in the default
installation directory: /var/spool/fax/incoming without the previous local.te
policy.
Also, I have the following mgetty packages installed:
# rpm -qa | grep mgetty
mgetty-sendfax-1.1.33-3_FC4
mgetty-1.1.33-3_FC4
mgetty-voice-1.1.33-3_FC4
mgetty-viewfax-1.1.33-3_FC4
and pbm packages (used for working with fax documents):
# rpm -qa | grep pbm
netpbm-progs-10.28-1.FC4.2
netpbm-10.28-1.FC4.2
Russell, I'm available to help fix this bug. Let me know how I can help. Brad Can you just disable trans for mgetty? If you set getty_disable_trans boolean does your script work? setsebool -P getty_disable_trans=1 Another option would be to write a fax policy. Basically take your script and build a domain for it to be started for mgetty. Giving getty all the privs to allow your script to work would make it too weak for the majority of people who do not have mgetty accepting faxes. Soon I'm going to run Fax-receiving box working on already installed FC4, so any solutions for this bug seem to be important to me. (In reply to comment #4) Dan, Thanks for the reply. I usually reply much sooner--I've been busy interviewing for a new job among other things. > Can you just disable trans for mgetty? > > If you set getty_disable_trans boolean does your script work? > > setsebool -P getty_disable_trans=1 I tried looking for the boolean, but couldn't find it. I tried looking for anything with 'getty' it before I posted. I have selinux-policy-targeted-1.27.1-2.14 installed. Should I have such a boolean, and if so, where do I find it (i.e., where did I lose it? :) ). > Another option would be to write a fax policy. Basically take your script and > build a domain for it to be started for mgetty. Giving getty all the privs to > allow your script to work would make it too weak for the majority of people who > do not have mgetty accepting faxes. Good suggestion. I was thinking about it--the mgetty.config file allows you to notify someone when a fax is received. I regenerated a new local.te to allow email notification (without regards to running the new_fax script) and I got a much smaller file: allow getty_t bin_t:lnk_file read; allow getty_t devtty_t:chr_file { read write }; allow getty_t self:fifo_file { getattr write }; allow getty_t self:process setpgid; allow getty_t proc_t:file { getattr read }; allow getty_t shell_exec_t:file { execute execute_no_trans getattr read }; allow getty_t var_spool_t:dir { add_name search write }; allow getty_t var_spool_t:file { create getattr setattr write }; I think that this would be an allowable addition to the current policy since it only allows the user to send mail (the only thing that wasn't allowed to run in mgetty.config). As far as running a script, I agree that my original local.te file would be too permissive for most people. Will you point me to a good resource on how to build domains? Thanks! Created attachment 121961 [details]
New local.te
Decided to create an attachment of last local.te.
P.S. Daniel, sorry about addressing that last message to you as Dan--I was
going off memory.
Russell and Daniel, I'd still like to see this bug resolved. In the latest version of selinux-targeted (I have selinux-policy-targeted-1.27.1-2.22), it now lists the getty_disabled_trans boolean. With this boolean disabled, nothing is allowed to happen (mgetty can not save faxes, email, etc.). It seems to me that mgetty should be allowed to received faxes in the directory that the mgetty-sendfax rpm creates (i.e., /var/spool/fax/incoming). It would also appear reasonable that it can email the user in the config script. With getty_disabled_trans enabled, mgetty will only save a fax in the /tmp directory. It still can't send an email or run the script in the config file--both of which I would assume would happen with this boolean enabled. Again, I am available to help you fix this bug. Thanks for your time. Dear Russell and Daniel, I realize that with Fedora Core 5 just being released that you have had your hands full. I would still like to see this bug resolved. I have created my own local.te several times, only to have it not work with nearly every release of selinux-policy-targeted. I really think a more permanent fix is wanting. I think the following would solve the problem: 1. Allow mgetty to write to the /var/spool/fax and its subdirectories (incoming and outgoing). This seems reasonable since mgetty-sendfax*.rpm creates these directories. 2. Allow mgetty to send mail. This seems reasonable since its part of the mgetty source code. 3. For those that want to run the new_fax script, either allow getty_disable_trans to do this or as previously mentioned, create a domain (I haven't tried that yet--however, I believe it would most would change after updated selinux-policy-targeted). Again, I am available to help fix this bug. I usually use another computer with my cell phone attached to make the fax call to debug things. Hoping to resolve this bug soon...thanks! Changes /var/spool/fax to getty_var_run_t. Allowed getty to send mail Need help on the fax part. Fixed in selinux-policy-2.2.29-2.fc5 Thanks for the reply. I'm still running FC4. However, enabling getty_disable_trans now allows my script to run. I don't know if the latest version of selinux-policy-targeted did that (I have 1.27.1-2.22) or if I forgot to restart init earlier. Either way, it works. It might be a bit before I'm able to install FC5. I'll test it after I get it installed. Thanks for fixing /var/spool/fax and allowing getty to send mail. Right now, though, I'm very happy that I can use mgetty on FC4 without any problems. If it's OK with you, let's leave this bug open until we can verify that the fix works on FC5. Thanks again. I got thinking about it. The only other thing that my script does that is not allowed by the current policy (or built into mgetty) is to print the fax. I don't think the policy would be too lenient to print and most scripts included with mgetty include the option to print. Will you allow that option, too? Also, are there plans to backport the changes you've made to FC4? Thanks! Closing as these have been marked as modified, for a while. Feel free to reopen if not fixed |