Bug 283481

Summary: SELinux prevents smartd from sending warning mails
Product: [Fedora] Fedora
Reporter: Felix Schwarz <felix.schwarz>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: high
Priority: medium
Version: 7
CC: jon.fairbairn
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:06:49 UTC
Attachments:
  first selinux denial (complete output of sealert)
  extracted selinux denials
  generated policy addition with audit2allow
  Bodged extra allowals for exim over selinux-policy-2.6.4-43.fc7
  result of grepping for exim through an audit log

Description Felix Schwarz 2007-09-08 12:02:43 UTC
Description of problem:
In the default Fedora setup smartd will send a warning mail to root if it
detects a disk problem (such as Current_Pending_Sector > 0). 

Unfortunately, this does not work with SELinux set to enforcing and using exim
(did not test with other MTAs).

Version-Release number of selected component (if applicable):
exim-4.66-3.fc7
selinux-policy-2.6.4-40.fc7
smartmontools-5.37-3.1.fc7

How reproducible:
Always

Steps to Reproduce:
1. Set SELinux to enforcing
2. Edit /etc/smartd.conf:
  Remove *SMARTD*AUTOGENERATED* to prevent the config file from being
overwritten at the next startup.
  Configure smartd so that it sends a test message at every startup by adding "-M
test", e.g. /dev/sdb -d ata -H -m root -M test
  Restart smartd
3. Look at the SELinux error log
  
Actual results:
In /var/log/messages something like this will appear:
Sep  8 13:59:09 ws2 smartd[17638]: Test of mail to root produced unexpected output (438 bytes) to STDOUT/STDERR:
2007-09-08 13:59:09 1ITyxx-0004aX-79 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=93 egid=93
2007-09-08 13:59:09 1ITyxx-0004aX-79 Failed to create spool file /var/spool/exim/input//1ITyxx-0004aX-79-D: Permission denied
2007-09-08 13:59:09 1ITyxx-0004aX-79 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=93 egid=93

I add the exact SELinux error messages etc. as attachments.

Expected results:
The warning message should be sent.

Comment 1 Felix Schwarz 2007-09-08 12:02:43 UTC
Created attachment 190701
first selinux denial (complete output of sealert)

Comment 2 Felix Schwarz 2007-09-08 12:04:14 UTC
Created attachment 190711
extracted selinux denials

Comment 3 Felix Schwarz 2007-09-08 12:04:54 UTC
Created attachment 190721
generated policy addition with audit2allow

Comment 4 Daniel Walsh 2007-09-13 17:09:03 UTC
Added rudimentary exim policy selinux-policy-2.6.4-43.fc7.src.rpm


Comment 5 Jón Fairbairn 2007-10-02 15:28:52 UTC
A recent upgrade to selinux-policy-2.6.4-43.fc7
(or possibly -targeted-) seems to cause exim to be denied for many cases.

e.g.
type=AVC msg=audit(1191268740.384:7357): avc:  denied  { entrypoint } for  pid=9568 comm="crond" name="exim" dev=md2 ino=259656 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file

I'm a complete novice with SELinux, but I'll attach the .te file I knocked
together to circumvent this.
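
The attachments in comments 2 and 3 (extracted denials, audit2allow output) and the AVC record quoted in comment 5 are the raw material of the "bodged" .te file. The following script is an added example, not part of this bug or of the Fedora policy: it parses AVC records the way audit2allow does, merges them into one allow rule per source type, target type and object class, and separately flags entrypoint denials on a *_exec_t file, which usually mean a domain transition is missing rather than that an allow should be added. Only the first sample record is the AVC from comment 5; the other records, and the type names in them (fsdaemon_t, var_log_t, var_spool_t), are constructed stand-ins for the smartd/exim denials the reporter attached, since the attachments themselves are not reproduced on this page.

```python
"""Summarise SELinux AVC denials audit2allow-style and flag the ones a bare
allow rule would not fix. Added example; the audit records and the types
used in records 2 and 3 are constructed assumptions, not the bug's data."""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt. Record 1 is the entrypoint denial
# from comment 5 joined back onto one line; records 2 and 3 are invented to
# stand in for the smartd -> exim log/spool denials (types are assumptions).
# The SYSCALL record shows the parser skipping non-AVC lines.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1191268740.384:7357): avc:  denied  { entrypoint } for  pid=9568 comm="crond" name="exim" dev=md2 ino=259656 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file
type=AVC msg=audit(1189252749.101:100): avc:  denied  { append } for  pid=17640 comm="exim" name="main.log" dev=sda3 ino=12345 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1189252749.102:101): avc:  denied  { write add_name } for  pid=17640 comm="exim" name="input" dev=sda3 ino=12346 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1189252749.102:101): arch=c000003e syscall=2 success=no exit=-13 comm="exim"
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def denials(audit_text):
    """All AVC denial records in an audit log excerpt, in file order."""
    return [d for d in map(parse_avc, audit_text.splitlines()) if d]


def type_of(context):
    """user:role:type[:range] -> type, the only part an allow rule names."""
    return context.split(":")[2]


def allow_rules(audit_text):
    """One allow rule per (source type, target type, class), as audit2allow emits."""
    grouped = defaultdict(set)
    for d in denials(audit_text):
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        grouped[key] |= d["perms"]
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in grouped.items()
    )


def suspicious_rules(audit_text):
    """Denials where the generated allow would paper over a missing transition.
    An entrypoint denial on a *_exec_t file means the calling domain tried to
    execute that program without a rule transitioning into the program's own
    domain; the right fix is a type transition in policy, not a bare allow."""
    return [
        d for d in denials(audit_text)
        if "entrypoint" in d["perms"] and type_of(d["tcontext"]).endswith("_exec_t")
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for d in suspicious_rules(SAMPLE_AUDIT):
        print(f"# review: {d['comm']} in {type_of(d['scontext'])} "
              f"hit entrypoint on {d['name']} ({type_of(d['tcontext'])})")
```

On a live Fedora box the equivalent workflow is `ausearch -m avc -c exim` piped into `audit2allow -M local`; the point of the flagging function is the caveat comment 6 admits to: a .te file that simply allows everything the log shows will load and silence the denials, but an entrypoint denial from system_mail_t on exim_exec_t is the policy saying it has no exim domain to transition into, which is what the exim policy added in -43 supplies.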

Comment 6 Jón Fairbairn 2007-10-02 15:33:22 UTC
Created attachment 213581
Bodged extra allowals for exim over selinux-policy-2.6.4-43.fc7

I suspect the beginning of this .te file is bogus; I freely admit that I didn't
know what I was doing. I did seem to need all the allows though.

[before I updated to 2.6.4-43 I had no problems running exim]

Comment 7 Daniel Walsh 2007-10-02 16:38:45 UTC
Could you attach the audit.log used to generate these rules?

Thanks.

Comment 8 Jón Fairbairn 2007-10-10 17:04:20 UTC
Created attachment 222791
result of grepping for exim through an audit log

I think this attachment covers them.  I've been away and logrotate has run...

Comment 9 Daniel Walsh 2008-01-30 19:06:49 UTC
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.