Bug 254076
| Summary: | SELinux/apcupsd quirk with email reports | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-08-24 13:37:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Please update to the latest policy, apcuspd transitions to sendmail |
Description of problem: With SELinux in permissive mode, it prevents apcupsd from interacting with the sendmail(.postfix) binary. The strange thing is, it looks as though the sendmail(.postfix) binary is trying to operate under the apcupsd_t context; that doesn't seem right. Version-Release number of selected component (if applicable): selinux-policy-targeted-2.6.4-33.fc7 apcupsd-3.14.1-2.fc7 postfix-2.4.3-2.fc7 How reproducible: Every time a power failure occurs and apcupsd tries to send an email. Steps to Reproduce: 1. Enable apcupsd 2. Pull the power plug Actual results: avc: denied { ioctl } for comm="sendmail" dev=sockfs egid=0 euid=0 exe="/usr/sbin/sendmail.postfix" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="" path="socket:[112735]" pid=5009 scontext=system_u:system_r:apcupsd_t:s0 sgid=0 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=udp_socket tcontext=system_u:system_r:apcupsd_t:s0 tty=(none) uid=0 avc: denied { create } for comm="postdrop" dev=sda2 egid=90 euid=0 exe="/usr/sbin/postdrop" exit=4 fsgid=90 fsuid=0 gid=0 items=0 name="707034.5013" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0 avc: denied { getattr } for comm="postdrop" dev=sda2 egid=90 euid=0 exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0 name="707034.5013" path="/var/spool/postfix/maildrop/707034.5013" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0 avc: denied { rename } for comm="postdrop" dev=sda2 egid=90 euid=0 exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0 name="707034.5013" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0 avc: denied { write } for comm="postdrop" dev=sda2 egid=90 euid=0 exe="/usr/sbin/postdrop" exit=1437 fsgid=90 fsuid=0 gid=0 items=0 name="AD8AC53D991" path="/var/spool/postfix/maildrop/AD8AC53D991" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0 avc: denied { setattr } for comm="postdrop" dev=sda2 egid=90 euid=0 exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0 name="AD8AC53D991" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0 avc: denied { add_name } for comm="postdrop" dev=sda2 egid=90 euid=0 exe="/usr/sbin/postdrop" exit=4 fsgid=90 fsuid=0 gid=0 items=0 name="999567.5039" pid=5039 scontext=system_u:system_r:apcupsd_t:s0 sgid=90 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0 avc: denied { remove_name } for comm="postdrop" dev=sda2 egid=90 euid=0 exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0 name="999567.5039" pid=5039 scontext=system_u:system_r:apcupsd_t:s0 sgid=90 subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0 Expected results: I would expect that the sendmail(.postfix) binary would run under it's own context and that apcupsd would also be ale to initiate a message using the sendmail(.postfix) binary, as other daemons do. Additional info: