Bug 253742

Summary: sendmail and cfengine issues.
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 8
Keywords: Reopened
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 3.0.8-95.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-27 23:07:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Orion Poplawski 2007-08-21 17:31:06 UTC
Description of problem:

I use cfengine to reload sendmail if needed.  This fails in development with the
following denials:

Aug 21 11:02:59 lynx kernel: audit(1187715779.021:126): avc:  denied  { read } for  pid=3533 comm="newaliases" path="pipe:[12155]" dev=pipefs ino=12155 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Aug 21 11:02:59 lynx kernel: audit(1187715779.022:127): avc:  denied  { write } for  pid=3533 comm="newaliases" path="/var/cfengine/outputs/cf_lynx_cora_nwra_com_2007-08-21--11-00-03" dev=sda6 ino=18486 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Aug 21 11:02:59 lynx kernel: audit(1187715779.266:128): avc:  denied  { execute_no_trans } for  pid=2253 comm="sendmail" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=1039513 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Aug 21 11:02:59 lynx kernel: audit(1187715779.271:129): avc:  denied  { execute_no_trans } for  pid=2262 comm="sendmail" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=1039513 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

The first two are presumably the attempt to send the output of newaliases to the
cfengine log file.  The second two seem to be the killers.  After this, sendmail
is no longer running.

When I start sendmail by hand with "service sendmail start", I then get:

Aug 21 11:25:42 lynx kernel: audit(1187717142.781:130): avc:  denied  { read write } for  pid=3825 comm="newaliases" name="0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.782:131): avc:  denied  { read write } for  pid=3825 comm="newaliases" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.819:132): avc:  denied  { dac_override } for  pid=3825 comm="newaliases" capability=1 scontext=root:system_r:sendmail_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=capability
Aug 21 11:25:42 lynx kernel: audit(1187717142.819:133): avc:  denied  { dac_override } for  pid=3825 comm="newaliases" capability=1 scontext=root:system_r:sendmail_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=capability
Aug 21 11:25:42 lynx kernel: audit(1187717142.820:134): avc:  denied  { dac_override } for  pid=3825 comm="newaliases" capability=1 scontext=root:system_r:sendmail_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=capability
Aug 21 11:25:42 lynx kernel: audit(1187717142.833:135): avc:  denied  { read write } for  pid=3829 comm="sendmail" name="0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.833:136): avc:  denied  { read write } for  pid=3829 comm="sendmail" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.833:137): avc:  denied  { read write } for  pid=3829 comm="sendmail" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.834:138): avc:  denied  { read write } for  pid=3829 comm="sendmail" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file

but sendmail starts fine.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.5-8.fc8

Comment 1 Daniel Walsh 2007-09-10 14:34:41 UTC
Fixed in selinux-policy-3.0.7-8.fc8.src.rpm


Comment 2 Daniel Walsh 2007-09-12 17:00:40 UTC
Already fixed in rawhide


Comment 3 Orion Poplawski 2008-02-08 16:16:09 UTC
Still seeing denials with the output of commands run by cfengine trying to get
logged:

Feb  7 15:00:29 ranier kernel: audit(1202421629.349:5): avc:  denied  { write } for  pid=5376 comm="newaliases" path="/var/cfengine/outputs/cf_ranier_cora_nwra_com_2008-02-07--15-00-04" dev=dm-2 ino=229508 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

Perhaps /var/cfengine/outputs should get labeled var_log_t?

selinux-policy-3.0.8-81.fc8

Comment 4 Daniel Walsh 2008-03-05 22:28:36 UTC
This is a simple redirection of stdout.  newaliases output is being redirected
to the cfengine log file.  This log file should probably be in var_log.



Comment 5 Orion Poplawski 2008-03-05 22:55:22 UTC
(In reply to comment #4)
> This is a simple redirection of stdout.  newaliases output is being redirected
> to the cfengine log file.  This log file should probably be in var_log.

Agreed, but I think it will take a while to get cfengine FHS compliant.  In the
meantime, can we get /var/cfengine/outputs labeled as var_log_t?  It's
equivalent to /var/log/cfengine.
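
The records in this bug are ordinary kernel AVC denial lines, and the fix discussed in comments 3 to 5 is a file-context change for /var/cfengine/outputs. The following Python is an added example, not code from the reporter, the maintainer, or the selinux-policy package: it parses AVC records of the form shown in the description and comment 3, tallies them by source type, target type, object class and permission, and, for file denials whose target carries the generic var_t label under a directory the caller names, prints the semanage fcontext / restorecon commands that would relabel that tree locally (the per-system equivalent of the var_log_t labeling requested here). The sample records are constructed from the ones in this report, written one per line as the kernel emits them; the "under this directory and labeled var_t" heuristic is this example's own, and nothing is executed on the system.

```python
import re
from collections import Counter

# Constructed sample: denials from this bug report, one record per line.
SAMPLE_AUDIT = """\
Aug 21 11:02:59 lynx kernel: audit(1187715779.021:126): avc:  denied  { read } for  pid=3533 comm="newaliases" path="pipe:[12155]" dev=pipefs ino=12155 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Aug 21 11:02:59 lynx kernel: audit(1187715779.022:127): avc:  denied  { write } for  pid=3533 comm="newaliases" path="/var/cfengine/outputs/cf_lynx_cora_nwra_com_2007-08-21--11-00-03" dev=sda6 ino=18486 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Aug 21 11:02:59 lynx kernel: audit(1187715779.266:128): avc:  denied  { execute_no_trans } for  pid=2253 comm="sendmail" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=1039513 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Aug 21 11:25:42 lynx kernel: audit(1187717142.819:132): avc:  denied  { dac_override } for  pid=3825 comm="newaliases" capability=1 scontext=root:system_r:sendmail_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=capability
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _type_of(context):
    """A context is user:role:type[:range]; the type is the third field."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line.

    'perms' is the list of denied permissions; 'stype' and 'ttype' are the
    type components of the source and target contexts."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value[1:-1] if value.startswith('"') else value
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    return rec


def summarize(audit_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec.get("tclass", ""), perm)] += 1
    return counts


def relabel_suggestions(audit_text, directory, new_type):
    """If any file denial targets the generic var_t label on a path below
    `directory`, return the commands that would label that tree `new_type`
    (a local stand-in for the policy change requested in this bug).
    Nothing is run here; an administrator reviews the commands first."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        if rec["ttype"] == "var_t" and rec.get("path", "").startswith(directory + "/"):
            hits.append(rec["path"])
    if not hits:
        return []
    return [
        f'semanage fcontext -a -t {new_type} "{directory}(/.*)?"',
        f"restorecon -R -v {directory}",
    ]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} ({key[2]}: {key[3]})")
    for cmd in relabel_suggestions(SAMPLE_AUDIT, "/var/cfengine/outputs", "var_log_t"):
        print("suggested:", cmd)
```

The summary separates the two distinct problems in the report at a glance: the var_t write denial on the cfengine output file (a labeling question) and the execute_no_trans and dac_override denials (policy rules for the sendmail_t domain itself), which no relabeling would address. Feed it `ausearch -m avc` output or a raw /var/log/messages on a real host instead of the constructed sample.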

Comment 6 Daniel Walsh 2008-03-18 18:50:32 UTC
Fixed in selinux-policy-3.0.8-95.fc8

Comment 7 Orion Poplawski 2008-03-27 23:07:11 UTC
Confirmed fixed.  Thanks!