Bug 405291

Summary: SELinux shortcomings for sockets used by milters and SASL
Product: [Fedora] Fedora
Reporter: Glen Turner <glen.turner>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 8
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:06:47 UTC

Description Glen Turner 2007-11-30 01:14:51 UTC
Description of problem: 

To enhance security Sendmail inspects the ownership and permissions of many
files, including Unix-domain sockets. Sockets are used extensively to augment
Sendmail with spam filtering, virus checking and authentication.
 spamass-milter uses /var/run/spamass-milter/spamass-milter.sock
 clamav-milter should use /var/run/clamav-milter/clamav.sock
  (use is actually inconsistent, Bugzilla has a bug about that)
 cyrus-sasl uses /var/run/saslauthd/mux

Sendmail checks that files and their paths have safe ownership and permissions.
These checks fail for all of the above sockets, disabling those services.

A typical error message on "service sendmail start" is
/etc/mail/sendmail.cf: line 1785: Xspamassassin: local socket name
/var/run/spamass-milter/spamass-milter.sock unsafe: Permission denied

Authsasld does not generate an error. An error occurs silently when sendmail
attempts to validate an SMTP AUTH request. The AUTH fails immediately, without
giving the opportunity to provide a password. Debug logging on saslauthd shows
no connection from sendmail.

No SELinux audit records are produced.

Version-Release number of selected component (if applicable):

sendmail-8.14.1-4.2.fc8
sendmail-cf-8.14.1-4.2.fc8
cyrus-sasl-plain-2.1.22-7
cyrus-sasl-2.1.22-7
cyrus-sasl-lib-2.1.22-7
clamav-milter-0.91.2-3.fc8
clamav-filesystem-0.91.2-3.fc8
clamav-server-sysv-0.91.2-3.fc8
clamav-0.91.2-3.fc8
clamav-data-0.91.2-3.fc8
clamav-server-0.91.2-3.fc8
clamav-milter-sysv-0.91.2-3.fc8
clamav-update-0.91.2-3.fc8
clamav-lib-0.91.2-3.fc8
spamassassin-3.2.3-2.fc8
spamass-milter-0.3.1-5.fc8

How reproducible:

sendmail.mc contains in part

define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confCACERT', `/etc/pki/tls/certs/server-chain.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
FEATURE(delay_checks)dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter/clamav.sock, F=,
T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin',
`S=unix:/var/run/spamass-milter/spamass-milter.sock, F=,
T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name},
{if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits},
{cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',confMILTER_MACROS_ENVRCPT`,r, v, Z')dnl
define(`confINPUT_MAIL_FILTERS', `clamav,spamassassin')

There should be a DontBlameSendmail option to ignore the permissions and
ownership of the socket and its path, but I can't find it.

Comment 1 Glen Turner 2007-12-01 02:54:49 UTC
Actually SELinux does generate warnings.  audit2allow reports
#============= sendmail_t ==============
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t var_run_t:sock_file getattr;


Comment 2 Glen Turner 2007-12-01 03:17:46 UTC
And now that sendmail can read the /var/run/saslauthd directory we additionally need

#============= sendmail_t ==============
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t var_run_t:sock_file getattr;


Comment 3 Glen Turner 2007-12-01 03:25:32 UTC
The final set of SELinux policies which allow SMTP AUTH to work are

#============= sendmail_t ==============
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t var_run_t:sock_file getattr;

Comment 4 Glen Turner 2007-12-01 06:02:15 UTC
The final set of SELinux policies which allow SMTP AUTH, Spamassassin milter and
ClamAV milter.

#============= sendmail_t ==============
allow sendmail_t initrc_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t spamd_var_run_t:sock_file { write getattr };
allow sendmail_t var_run_t:sock_file { write getattr };

#============= system_mail_t ==============
allow system_mail_t security_t:filesystem getattr;
allow system_mail_t spamd_var_run_t:dir { search getattr };
allow system_mail_t var_run_t:sock_file getattr;

Considering that SELinux enforcing and sendmail are recommended system
configurations I'd say this shows a distinct lack of system testing.
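
An added example, not part of the original comment or of the Fedora policy: a review pass over the audit2allow output from Comment 4 before it is loaded as a local module. It parses the allow rules, sets aside those whose target is a generic type, and renders the rest as a .te module; the GENERIC table and the module name local_sendmail are assumptions made for this example.

```python
import re
# allow rules copied from Comment 4's audit2allow output
COMMENT4 = """
allow sendmail_t initrc_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t spamd_var_run_t:sock_file { write getattr };
allow sendmail_t var_run_t:sock_file { write getattr };
allow system_mail_t security_t:filesystem getattr;
allow system_mail_t spamd_var_run_t:dir { search getattr };
allow system_mail_t var_run_t:sock_file getattr;
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
# Assumption: target types treated here as too generic to grant on unreviewed.
GENERIC = {
    "var_run_t": "default /var/run label: the socket has no type of its own",
    "initrc_t": "init-script domain: the peer daemon has no domain of its own",
}

def parse(text):
    """Return (source, target, class, perms) tuples for every allow rule."""
    return [(s, t, c, tuple((braced or single).split()))
            for s, t, c, braced, single in RULE.findall(text)]

def split_generic(rules):
    """Separate rules on specific types from rules on generic ones."""
    specific = [r for r in rules if r[1] not in GENERIC]
    flagged = [(r, GENERIC[r[1]]) for r in rules if r[1] in GENERIC]
    return specific, flagged

def to_module(name, rules):
    """Render a .te module (require block plus rules) for checkmodule."""
    types = sorted({t for s, tgt, _, _ in rules for t in (s, tgt)})
    classes = {}
    for _, _, cls, perms in rules:
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p in rules]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    specific, flagged = split_generic(parse(COMMENT4))
    print(to_module("local_sendmail", specific))
    print("\n".join(f"# review {r}: {why}" for r, why in flagged))
```

The rendered module text can be compiled with checkmodule and semodule_package and loaded with semodule -i; the flagged rules are the ones to resolve by labelling the socket or confining the daemon.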

Comment 5 Glen Turner 2007-12-01 06:06:07 UTC
Altered component to selinux-policy-targeted

libselinux-2.0.43-1.fc8
libselinux-devel-2.0.43-1.fc8
selinux-policy-3.0.8-56.fc8
selinux-policy-targeted-3.0.8-56.fc8
libselinux-python-2.0.43-1.fc8
checkpolicy-2.0.4-1.fc8
policycoreutils-2.0.31-15.fc8


Comment 6 Daniel Walsh 2007-12-01 12:57:17 UTC
Thanks for the analysis.  I believe I have incorporated all your changes into 
selinux-policy-3.0.8-63.fc8

Comment 7 Glen Turner 2007-12-02 06:52:05 UTC
Thanks Dan. I won't be in a position to test selinux-policy-3.0.8-63.fc8 until
Wednesday (South Australia time).

Comment 8 Daniel Walsh 2008-01-30 19:06:47 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.