Bug 2103675

Summary: mrtg cannot send mails
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: low
Version: 8.6
CC: lvrabec, mmalik, vcrhonek
Target Milestone: rc
Keywords: Triaged
Target Release: 8.8
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-111.el8
Doc Type: No Doc Update
Last Closed: 2023-05-16 09:03:44 UTC
Type: Bug

Description Renaud Métrich 2022-07-04 13:16:40 UTC
Description of problem:

When setting the SELinux to enforcing, "mail" command in the following mrtg script won't be executed as expected.

mrtg_alert.sh:
~~~
RCPT=mrtg-alert
echo "$YEAR/$MONTH/$DAY $HOUR:$MINUTE $PROG: $MESG" | mail -s "mrtg report" $RCPT
~~~

There are multiple root causes:

1. First mrtg_t executes "mail" (bin_t), running in caller context (mrtg_t), which then tries to create a temporary file

    With current policy, mrtg_t domain cannot create temporary files in /tmp directory:

    1.1 It cannot create nodes in the directory

    # sesearch -A -s mrtg_t -t tmp_t -c dir -p add_name
    --> nothing

    1.2 It cannot write to files

    # sesearch -A -s mrtg_t -t tmp_t -c file -p write
    --> nothing

2. Then later, assuming "mail" could create the temporary file, it will execute the "sendmail" binary, which requires setting a special context (to execute as sendmail_t)

    With current policy, mrtg_t cannot execute sendmail binary

    # sesearch -A -s mrtg_t -t sendmail_exec_t -c file -p execute
    --> nothing

I'm not sure allowing writing to "tmp_t" is wise; I think we need some alternate domain for files in "tmp_t" generated by the mail command, e.g. mrtg_tmp_t.

Version-Release number of selected component (if applicable):

RHEL7 and RHEL8

How reproducible:

Always

Steps to Reproduce:
1. Create a fake "mrtg" executable that will execute "mail" internally

    # cat > /usr/local/bin/fake_mrtg << EOF
    #!/bin/sh
    echo "Foo" | mail -s "fake_mrtg" root@localhost
    EOF

    # chmod +x /usr/local/bin/fake_mrtg
    # chcon -t mrtg_exec_t /usr/local/bin/fake_mrtg

2. Start it as a transient service

    # systemd-run --unit=fake_mrtg /usr/local/bin/fake_mrtg

Actual results:

type=PROCTITLE msg=audit(07/04/2022 15:15:00.406:95) : proctitle=mail -s /usr/local/bin/fake_mrtg root@localhost 
type=SYSCALL msg=audit(07/04/2022 15:15:00.406:95) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1643820 a1=O_RDWR|O_CREAT|O_EXCL a2=0600 a3=0x62c2e7d4 items=0 ppid=1311 pid=1314 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mail exe=/usr/bin/mailx subj=system_u:system_r:mrtg_t:s0 key=(null) 
type=AVC msg=audit(07/04/2022 15:15:00.406:95) : avc:  denied  { write } for  pid=1314 comm=mail name=tmp dev="dm-0" ino=16777287 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 

Other AVCs are hidden because there is a dontaudit on "tmp_t" files

Expected results:

Works fine

Additional info:

The following rules are needed, *assuming it's wise to allow writing to /tmp*:
~~~
sendmail_domtrans(mrtg_t)
allow mrtg_t tmp_t:dir { add_name remove_name write };
allow mrtg_t tmp_t:file { create setattr unlink write };
~~~
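
Added example, not code from the bug report or from the selinux-policy project: a POSIX shell function that reads AVC denial records in the ausearch -i format shown above and prints the candidate allow rule each (source type, target type, class) triple would need, merging the denied permissions. The sample records are constructed: only the first one is the AVC from the report; the add_name, create and execute records are assumed follow-on denials of the kind the report says a dontaudit rule hides.

```shell
#!/bin/sh
# Added example, not code from the bug report: derive candidate allow rules
# from AVC denial records (ausearch -i format, as pasted in the report).

# Constructed sample records, modelled on the AVC line in the report.
# Only the first record is from the report; the others are assumed
# follow-on denials that a dontaudit rule would normally hide.
SAMPLE_AVC='type=AVC msg=audit(07/04/2022 15:15:00.406:95) : avc:  denied  { write } for  pid=1314 comm=mail name=tmp dev="dm-0" ino=16777287 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(07/04/2022 15:15:00.407:96) : avc:  denied  { add_name } for  pid=1314 comm=mail name=Rs1234 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(07/04/2022 15:15:00.407:97) : avc:  denied  { create } for  pid=1314 comm=mail name=Rs1234 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/04/2022 15:15:00.500:98) : avc:  denied  { execute } for  pid=1315 comm=mail name=sendmail scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0'

# avc_to_rules: read AVC records on stdin and print one allow rule per
# (source type, target type, class) triple, with the denied permissions
# merged in order of first appearance. Records lacking a context are skipped.
avc_to_rules() {
    awk '
    BEGIN { count = 0 }
    /avc: *denied/ {
        src = ""; tgt = ""; cls = ""; perms = ""
        # the denied permission set sits between the first "{" and "}"
        b = index($0, "{"); e = index($0, "}")
        if (b > 0 && e > b) perms = substr($0, b + 1, e - b - 1)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # third field of user:role:type:level is the type
            if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
        n = split(perms, pl, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, pl[j]) in seen)) {
                seen[key, pl[j]] = 1
                rule[key] = rule[key] " " pl[j]
            }
        }
    }
    END {
        for (k = 1; k <= count; k++)
            printf "allow %s {%s };\n", keys[k], rule[keys[k]]
    }'
}

# Print the candidate rules for the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
```

The output is a review aid, not a policy to install as-is: the report notes that further denials on tmp_t are hidden by a dontaudit rule, so `semodule -DB` (rebuild with dontaudit rules disabled, `semodule -B` to restore) is needed to see the whole chain; the execute denial on sendmail_exec_t is better expressed in a policy module as `sendmail_domtrans(mrtg_t)`, as in the report, so that sendmail runs as sendmail_t instead of inside mrtg_t; and, as the reporter suggests, a dedicated type such as mrtg_tmp_t is preferable to granting mrtg_t write access to all of tmp_t.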

Comment 9 errata-xmlrpc 2023-05-16 09:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965