Bug 448378

Summary: Targeted policy lets sendmail.postfix eat inbound UUCP mails
Product: [Fedora] Fedora Reporter: Nils Philippsen <nphilipp>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: medium    
Version: 9CC: mmaslano, rvokal, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-17 22:04:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nils Philippsen 2008-05-26 10:52:56 UTC 
Description of problem:
SSIA, if SELinux is enforcing targeted policy, it prevents sendmail.postfix from
reading UUCP spool files which causes it to deliver mails with empty headers and
bodies (and removes the UUCP spool file in question, thus causing data loss).
Note that the uucico in question is run once a minute from cron and I've quickly
switched over to permissive mode in order not to lose more mail.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-51.fc9.noarch
postfix-2.5.1-2.fc9.x86_64
uucp-1.07-17.fc9.x86_64
cronie-1.0-5.fc9.x86_64

Actual results:

--- 8< --- Alert 1 of 4 ---
Summary:

SELinux is preventing sendmail (system_mail_t) "read" to
/var/spool/uucp/winz/D./D.winzN2S35 (uucpd_spool_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/spool/uucp/winz/D./D.winzN2S35,

restorecon -v '/var/spool/uucp/winz/D./D.winzN2S35'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:uucpd_spool_t:s0
Target Objects                /var/spool/uucp/winz/D./D.winzN2S35 [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.postfix
Port                          <Unknown>
Host                          wombat
Source RPM Packages           postfix-2.5.1-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May
                              21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 26 May 2008 12:42:06 PM CEST
Last Seen                     Mon 26 May 2008 12:42:06 PM CEST
Local ID                      2af28e82-5647-410c-8c56-f83364fc4ab0
Line Numbers                  

Raw Audit Messages            

host=wombat type=AVC msg=audit(1211798526.819:214): avc:  denied  { read } for 
pid=6217 comm="sendmail" path="/var/spool/uucp/winz/D./D.winzN2S35" dev=dm-3
ino=360465 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:uucpd_spool_t:s0 tclass=file

host=wombat type=AVC msg=audit(1211798526.819:214): avc:  denied  { write } for
 pid=6217 comm="sendmail" path="/var/spool/uucp/.Temp/TM.7x1.00" dev=dm-3
ino=360501 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:uucpd_spool_t:s0 tclass=file

host=wombat type=SYSCALL msg=audit(1211798526.819:214): arch=c000003e syscall=59
success=yes exit=0 a0=2577490 a1=2575120 a2=2577820 a3=7fff329f1120 items=0
ppid=6215 pid=6217 auid=0 uid=10 gid=14 euid=10 suid=10 fsuid=10 egid=14 sgid=14
fsgid=14 tty=(none) ses=19 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
--- >8 ---

--- 8< --- Alert 2 of 4 ---
Summary:

SELinux is preventing postqueue (postfix_postqueue_t) "getattr" to pipe
(crond_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by postqueue. It is not expected that this
access is required by postqueue and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postqueue_t:s0-s0:c0.c10
                              23
Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects                pipe [ fifo_file ]
Source                        postqueue
Source Path                   /usr/sbin/postqueue
Port                          <Unknown>
Host                          wombat
Source RPM Packages           postfix-2.5.1-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May
                              21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 26 May 2008 12:43:07 PM CEST
Last Seen                     Mon 26 May 2008 12:49:01 PM CEST
Local ID                      39383a6c-eaf4-4c7a-bb04-85098224707e
Line Numbers                  

Raw Audit Messages            

host=wombat type=AVC msg=audit(1211798941.888:290): avc:  denied  { getattr }
for  pid=6782 comm="postqueue" path="pipe:[69614]" dev=pipefs ino=69614
scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=wombat type=SYSCALL msg=audit(1211798941.888:290): arch=c000003e syscall=5
success=yes exit=0 a0=0 a1=7fff10192990 a2=7fff10192990 a3=7fff10192710 items=0
ppid=6778 pid=6782 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=90 sgid=90
fsgid=90 tty=(none) ses=26 comm="postqueue" exe="/usr/sbin/postqueue"
subj=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 key=(null)
--- >8 ---

--- 8< --- Alert 3 of 4 ---
Summary:

SELinux is preventing postqueue (postfix_postqueue_t) "read" to pipe (crond_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by postqueue. It is not expected that this
access is required by postqueue and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postqueue_t:s0-s0:c0.c10
                              23
Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects                pipe [ fifo_file ]
Source                        postqueue
Source Path                   /usr/sbin/postqueue
Port                          <Unknown>
Host                          wombat
Source RPM Packages           postfix-2.5.1-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May
                              21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Mon 26 May 2008 12:40:01 PM CEST
Last Seen                     Mon 26 May 2008 12:49:01 PM CEST
Local ID                      829c8305-39fb-49bf-98bd-b25ae5851071
Line Numbers                  

Raw Audit Messages            

host=wombat type=AVC msg=audit(1211798941.872:289): avc:  denied  { read } for 
pid=6782 comm="postqueue" path="pipe:[69614]" dev=pipefs ino=69614
scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=wombat type=AVC msg=audit(1211798941.872:289): avc:  denied  { write } for
 pid=6782 comm="postqueue" path="pipe:[69615]" dev=pipefs ino=69615
scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=wombat type=SYSCALL msg=audit(1211798941.872:289): arch=c000003e syscall=59
success=yes exit=0 a0=7fdb11f9c1f0 a1=7fdb11f9c180 a2=7fdb11f9baf0
a3=7fff17e7c610 items=0 ppid=6778 pid=6782 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=90 sgid=90 fsgid=90 tty=(none) ses=26 comm="postqueue"
exe="/usr/sbin/postqueue"
subj=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 key=(null)
--- >8 ---

--- 8< --- Alert 4 of 4 ---
Summary:

SELinux is preventing run-mail-queue. (postfix_postqueue_t) "sigchld" to <Unknown>
(system_crond_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by run-mail-queue.. It is not expected that this
access is required by run-mail-queue. and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postqueue_t:s0-s0:c0.c10
                              23
Target Context                system_u:system_r:system_crond_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        run-mail-queue.
Source Path                   /bin/bash
Port                          <Unknown>
Host                          wombat
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May
                              21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   30
First Seen                    Mon 26 May 2008 12:40:01 PM CEST
Last Seen                     Mon 26 May 2008 12:51:01 PM CEST
Local ID                      aac62db1-9511-40c9-829b-a19183fd3ab0
Line Numbers                  

Raw Audit Messages            

host=wombat type=AVC msg=audit(1211799061.326:310): avc:  denied  { sigchld }
for  pid=6824 comm="run-mail-queue."
scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tclass=process

host=wombat type=SYSCALL msg=audit(1211799061.326:310): arch=c000003e syscall=61
success=yes exit=6828 a0=ffffffffffffffff a1=7fff43c8d094 a2=0 a3=0 items=0
ppid=6822 pid=6824 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=29 comm="run-mail-queue." exe="/bin/bash"
subj=system_u:system_r:system_crond_t:s0-s0:c0.c1023 key=(null)
--- >8 ---

Expected results:
No alerts, mail gets through untampered.
Comment 1 Daniel Walsh 2008-05-27 18:27:50 UTC 
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-56.fc9
Comment 2 Nils Philippsen 2008-05-28 07:28:51 UTC 
Just for the record, here's the output of audit2allow. There's one rule in
between for ppp, I don't know how that's relevant, I didn't notice it up to know
but you might want to know.

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t uucpd_spool_t:file { write getattr };

#============= postfix_postqueue_t ==============
allow postfix_postqueue_t crond_t:fifo_file { read write getattr };
allow postfix_postqueue_t system_crond_t:process sigchld;

#============= pppd_t ==============
allow pppd_t initrc_t:process signal;

#============= system_mail_t ==============
allow system_mail_t uucpd_spool_t:file { read write getattr };

#============= uux_t ==============
allow uux_t anon_inodefs_t:file { read write };
Comment 3 Daniel Walsh 2008-05-28 10:10:10 UTC 
allow pppd_t initrc_t:process signal;


What process is running as initrc_t?
Comment 4 Nils Philippsen 2008-05-28 12:43:45 UTC 
Hmm, the most likely culprit is the NoIP client (http://www.no-ip.com) which
updates my IP address with their DynDNS service. As I've packaged this locally,
you can just forget about it ;-).
Comment 5 Daniel Walsh 2008-11-17 22:04:14 UTC 
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.