Bug 1988339

Summary: HTTP script cannot send mails due to sendmail not being able to read on stdin
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Amith <apeetham>
Severity: medium
Priority: medium
Version: 8.4
CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.6
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-89.el8
Doc Type: No Doc Update
Clones: 2049372
Bug Blocks: 2049372
Type: Bug
Last Closed: 2022-05-10 15:14:58 UTC

Description Renaud Métrich 2021-07-30 10:35:35 UTC
Description of problem:

There is a boolean to let HTTPD scripts send mails: httpd_can_sendmail
Even with this boolean, cgi-bin scripts cannot send mails in the end because sendmail is not able to read the mail on standard input, the mail being a (deleted) temporary file labeled with httpd_sys_rw_content_t. This ends up with an empty mail being sent.

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-67.el8.noarch, also seen on RHEL7

How reproducible:

Always

Steps to Reproduce:
1. Create a cgi-bin script that sends mail

/var/www/cgi-bin/test.sh:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh

cat << EOF
Content-type: text/html

EOF

exec /usr/local/bin/testmail.sh
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/usr/local/bin/testmail.sh:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/bash
echo "$(basename $0): $(id -Z)"
echo "testmail.sh" | mail -r root@localhost -s "testmail" -a /var/www/html/foo root@localhost
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

# echo "FOO" > /var/www/html/foo
# chmod +x /usr/local/bin/testmail.sh /var/www/cgi-bin/test.sh
# restorecon -Frv /var/www/html/foo /usr/local/bin/testmail.sh /var/www/cgi-bin/test.sh

2. Start httpd and call the cgi-bin script

# systemctl start httpd
# curl http://localhost/cgi-bin/test.sh
testmail.sh: system_u:system_r:httpd_sys_script_t:s0

3. Check the mail content
Actual results:

# mail
Heirloom Mail version 12.5 7/5/10.  Type ? for help.
"/var/spool/mail/root": 1 message 1 unread
>U  1 Apache                Fri Jul 30 12:30  11/401   
& 
Message  1:
From root@localhost  Fri Jul 30 12:30:33 2021
Return-Path: <root@localhost>
X-Original-To: root@localhost
Delivered-To: root@localhost
Date: Fri, 30 Jul 2021 12:30:33 +0200 (CEST)
From: Apache <root@localhost>
Status: RO


# ausearch -m avc -ts recent -i
----
type=PROCTITLE msg=audit(07/30/2021 12:30:33.200:1256) : proctitle=send-mail -i -r root@localhost -- root@localhost 
type=EXECVE msg=audit(07/30/2021 12:30:33.200:1256) : argc=6 a0=send-mail a1=-i a2=-r a3=root@localhost a4=-- a5=root@localhost 
type=SYSCALL msg=audit(07/30/2021 12:30:33.200:1256) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5567599af3d2 a1=0x55675bb709d0 a2=0x7ffd9bad6ac0 a3=0x8 items=0 ppid=1 pid=6046 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.postfix subj=system_u:system_r:system_mail_t:s0 key=(null) 
type=AVC msg=audit(07/30/2021 12:30:33.200:1256) : avc:  denied  { read } for  pid=6046 comm=sendmail path=/tmp/RsHEeyJh (deleted) dev="dm-0" ino=52299521 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0 
Expected results:

Non-empty mail + no AVC
Additional info:

The issue is due to having the mail command (running as httpd_sys_script_t) create a temporary file in /tmp (of the httpd service) as httpd_sys_rw_content_t because of the automatic transition in the policy.
This temporary file is used as stdin for the sendmail command, which runs as system_mail_t, but the file cannot be read due to missing rules in the policy.
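
Added illustration, not part of the report or of the selinux-policy package: a POSIX sh parser that reads `ausearch -i` style AVC records like the one above, extracts the source type, target type, class and permissions from the contexts, flags records matching this bug's signature (system_mail_t denied read on an httpd_sys_rw_content_t file), and prints the allow rule that denial implies. The two records are constructed samples (the first copied from this report), and the function names are mine.

```shell
#!/bin/sh
# Constructed samples in the ausearch -i format shown above: the denial from this
# report, and an unrelated denial to show the check rejecting it.
AVC_SENDMAIL='type=AVC msg=audit(07/30/2021 12:30:33.200:1256) : avc:  denied  { read } for  pid=6046 comm=sendmail path=/tmp/RsHEeyJh (deleted) dev="dm-0" ino=52299521 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0'
AVC_OTHER='type=AVC msg=audit(07/30/2021 12:31:00.000:1300) : avc:  denied  { write } for  pid=6100 comm=httpd path=/var/www/html/foo dev="dm-0" ino=52299522 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# avc_triple RECORD: print "SOURCE_TYPE TARGET_TYPE CLASS PERMS..." for one AVC
# record, taking the type component out of each user:role:type:level context.
avc_triple() {
  printf '%s\n' "$1" | sed -n \
    's/.*avc:  denied  { \(.*\) } for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# avc_to_allow RECORD: the TE allow rule this record implies (what audit2allow
# derives), i.e. the minimum a local module would need for this exact denial.
avc_to_allow() {
  set -- $(avc_triple "$1")
  [ $# -ge 4 ] || return 1
  src=$1 tgt=$2 cls=$3
  shift 3
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$*"
}

# is_httpd_sendmail_stdin_denial RECORD: succeed only for this bug's signature:
# system_mail_t denied read on an httpd_sys_rw_content_t file (the mail command's
# deleted /tmp spool file handed to sendmail as stdin).
is_httpd_sendmail_stdin_denial() {
  set -- $(avc_triple "$1")
  [ "$1" = system_mail_t ] || return 1
  [ "$2" = httpd_sys_rw_content_t ] || return 1
  [ "$3" = file ] || return 1
  shift 3
  printf ' %s ' "$*" | grep -q ' read '
}

# scan_avcs: read AVC records on stdin and report the ones matching this bug.
scan_avcs() {
  while IFS= read -r line; do
    if is_httpd_sendmail_stdin_denial "$line"; then
      echo "match: $(avc_to_allow "$line")"
    fi
  done
}

printf '%s\n%s\n' "$AVC_SENDMAIL" "$AVC_OTHER" | scan_avcs
```

With the fixed policy (selinux-policy-3.14.3-89.el8, per the Fixed In Version above) the denial no longer occurs and no local module is needed; the printed rule is only what the denial itself implies, useful for confirming that a denial seen in the audit log is this bug and not a different labeling problem.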

Comment 1 Zdenek Pytela 2022-01-25 19:57:11 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1026

Comment 9 errata-xmlrpc 2022-05-10 15:14:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995