Bug 442209

Summary: SELinux is preventing sendmail (sendmail_t) "write" to mimedefang.sock (var_spool_t).
Product: Fedora
Reporter: Bruce M. Kantor <bmkantor>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: dwalsh, redhat-bugzilla
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:03:29 UTC
Attachments: /var/log/audit/audit.log

Description Bruce M. Kantor 2008-04-12 19:11:17 UTC
Description of problem:

mimedefang 2.64
sendmail 8.14.2

SELinux is preventing sendmail (sendmail_t) "write" to mimedefang.sock
(var_spool_t).

Detailed Description:

SELinux is preventing sendmail (sendmail_t) "write" to mimedefang.sock
(var_spool_t). The SELinux type var_spool_t is a generic type for all files in
the directory, and very few processes (SELinux Domains) are allowed to write to
this SELinux type. This type of denial usually indicates a mislabeled file. By
default a file created in a directory gets the context of the parent
directory, but SELinux policy has rules about the creation of directories that
say if a process running in one SELinux Domain (D1) creates a file in a
directory with a particular SELinux File Context (F1), the file gets a different
File Context (F2). The policy usually allows the SELinux Domain (D1) the ability
to write, unlink, and append on (F2). But if for some reason a file
(mimedefang.sock) was created with the wrong context, this domain will be
denied. The usual solution to this problem is to reset the file context on the
target file: restorecon -v 'mimedefang.sock'. If the file context does not
change from var_spool_t, then this is probably a bug in policy. Please file a
bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
selinux-policy package. If it does change, you can try your application again to
see if it works. The file context could have been mislabeled by editing the file
or moving the file from a different directory. If the file keeps getting
mislabeled, check the init scripts to see if they are doing something to
mislabel the file.

Additional Information:

Source Context                system_u:system_r:sendmail_t:s0
Target Context                system_u:object_r:var_spool_t:s0
Target Objects                mimedefang.sock [ sock_file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          fedora1.kantors.net
Source RPM Packages           sendmail-8.14.2-1.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   mislabeled_file
Host Name                     fedora1.kantors.net
Platform                      Linux fedora1.kantors.net 2.6.24.4-64.fc8 #1 SMP
                              Sat Mar 29 09:54:46 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Sat 12 Apr 2008 01:16:45 PM EDT
Last Seen                     Sat 12 Apr 2008 01:20:20 PM EDT
Local ID                      858e460f-6088-44fd-b120-9b13381c603e
Line Numbers                  

Raw Audit Messages            

host=fedora1.kantors.net type=AVC msg=audit(1208020820.312:798): avc:  denied  {
write } for  pid=24992 comm="sendmail" name="mimedefang.sock" dev=dm-0
ino=4751385 scontext=system_u:system_r:sendmail_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file

host=fedora1.kantors.net type=SYSCALL msg=audit(1208020820.312:798):
arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfcedb40 a2=b7f3a31c a3=0
items=0 ppid=24917 pid=24992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
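As an added example (not from the bug report or the selinux-policy project), a small Python triage helper that parses raw audit records like the two above, pairs the AVC with the SYSCALL record sharing its serial, and flags a target whose type is one of the generic directory types the alert text describes as a suspected mislabel; the set of generic types and the field names of the result are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pair quoted in the report, one record per line as in audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1208020820.312:798): avc:  denied  { write } for  pid=24992 comm="sendmail" name="mimedefang.sock" dev=dm-0 ino=4751385 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1208020820.312:798): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfcedb40 a2=b7f3a31c a3=0 items=0 ppid=24917 pid=24992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
"""
# Assumed list of generic directory types that few domains may write to (the mislabeled_file pattern).
GENERIC_FILE_TYPES = {"var_spool_t", "var_t", "var_lib_t", "var_run_t", "tmp_t", "usr_t", "etc_t"}
HEADER_RE = re.compile(r"type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")        # the { write } permission set of an AVC

def type_of(context):
    """Type component of a user:role:type[:level] context ('' if malformed)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_record(line):
    """Split one audit record into type, event serial, key=value fields and AVC permissions."""
    head = HEADER_RE.search(line)
    if not head:
        return None
    perms = PERMS_RE.search(line) if head["type"] == "AVC" else None
    return {"type": head["type"], "serial": int(head["serial"]),
            "fields": {k: v.strip('"') for k, v in KV_RE.findall(line)},
            "perms": perms.group(1).split() if perms else []}

def analyze(log_text):
    """Pair each AVC with the SYSCALL record sharing its serial and classify the denial."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        events[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(events.items()):
        sysc = next((r["fields"] for r in recs if r["type"] == "SYSCALL"), {})
        for avc in (r for r in recs if r["type"] == "AVC"):
            f, target = avc["fields"], type_of(avc["fields"].get("tcontext", ""))
            findings.append({
                "serial": serial, "domain": type_of(f.get("scontext", "")),
                "target_type": target, "tclass": f.get("tclass", ""), "perms": avc["perms"],
                "name": f.get("name", ""), "exe": sysc.get("exe", ""),
                # success=yes alongside a denial means permissive mode (enforcing: success=no exit=-13)
                "permissive": sysc.get("success") == "yes",
                "suspected_mislabel": target in GENERIC_FILE_TYPES,
                "next_step": (f"restorecon -v '{f.get('name', '')}'" if target in GENERIC_FILE_TYPES
                              else "review policy for the source domain"),
            })
    return findings
```

Running `analyze` over a whole permissive-mode audit.log (as collected in the later comments) yields one finding per denial, so the generic-type cases can be separated from the ones that need a policy change.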

Comment 1 Robert Scheck 2008-04-12 21:17:27 UTC
Reassigning to selinux-policy, as it has to be fixed there. Daniel, are you
able to take care of it? It is a mimedefang-specific thing which is not yet
handled in the policy.

Comment 2 Daniel Walsh 2008-05-02 19:57:17 UTC
*** Bug 442207 has been marked as a duplicate of this bug. ***

Comment 5 Josef Kubin 2008-05-15 22:40:53 UTC
Hello Bruce, I'll need your assistance.
Download these packages and test mimedefang in permissive mode, and then send me
your AVCs please.
http://people.redhat.com/jkubin/selinux/F8/

1) rpm -U selinux-policy*
2) # setenforce 1; setenforce 0
3) # > /var/log/audit/audit.log
4) ... play with mimedefang & sendmail ...
5) attach your audit.log

Thank you!

Comment 6 Robert Scheck 2008-05-16 08:12:03 UTC
Josef, did you write a mimedefang selinux policy?

Comment 7 Josef Kubin 2008-05-16 11:52:19 UTC
Yes, I'm working on it. I need to test my policy ;-).

Comment 8 Robert Scheck 2008-05-16 11:59:00 UTC
I'm also interested in testing it, but I've (mimedefang downstream) got Rawhide 
and would need either the src.rpm or a unified diff of the relevant policy.

Comment 9 Josef Kubin 2008-05-16 12:08:03 UTC
I've just put it on my location http://people.redhat.com/jkubin/selinux/F8/
download it please. Thank you!

Comment 10 Bruce M. Kantor 2008-05-16 15:37:17 UTC
I just tried to install the packages and received the following errors -

rpm -U /tmp/selinux/selinux-policy*
error: Failed dependencies:
        policycoreutils-newrole >= 2.0.23-1 is needed by
selinux-policy-mls-3.0.8-103.fc8.noarch
        setransd is needed by selinux-policy-mls-3.0.8-103.fc8.noarch

Please advise. Thanks.

Comment 11 Josef Kubin 2008-05-16 17:26:31 UTC
Dependencies are easily solved by yum, but mls is unnecessary to install for my
purpose.

# ls
selinux-policy-3.0.8-103.fc8.noarch.rpm       
selinux-policy-mls-3.0.8-103.fc8.noarch.rpm
selinux-policy-devel-3.0.8-103.fc8.noarch.rpm 
selinux-policy-targeted-3.0.8-103.fc8.noarch.rpm

# yum -y install selinux-policy-*

Comment 12 Robert Scheck 2008-05-17 19:09:18 UTC
/usr/local/bin/mimedefang -- gen_context(system_u:object_r:mimedefang_exec_t,s0)
is just broken. Please do a "yum install mimedefang -y && rpm -qvl mimedefang"
first and have a look at what pops up there in the file list.

Comment 13 Bruce M. Kantor 2008-05-19 19:14:45 UTC
Created attachment 305999 [details]
/var/log/audit/audit.log

Josef, I applied the packages, and attached is a copy of
/var/log/audit/audit.log. Thanks.

Bruce

Comment 14 Daniel Walsh 2008-07-02 19:21:23 UTC
Josef do you have the mimedefang policy?

Comment 15 Daniel Walsh 2008-09-08 20:53:32 UTC
I put mimedefang under spamd policy.  So it will run with spamd privs in Fedora 9 and 10.

Comment 16 Bruce M. Kantor 2008-09-09 03:10:53 UTC
Daniel, will you be creating an updated spamd policy for Fedora 8?

Comment 17 Daniel Walsh 2008-09-09 12:25:12 UTC
3.0.8-116.fc8 will have the fixes

Comment 18 Daniel Walsh 2008-09-09 15:58:53 UTC
Fixed in selinux-policy-3.0.8-116.fc8

Comment 19 Tony Fu 2008-10-06 01:28:18 UTC
User jkubin's account has been closed

Comment 20 Daniel Walsh 2008-11-17 22:03:29 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.