Bug 472831
Summary: | (staff_u) mailx not allowed to send mail for and by staff_u user and SELinux AVC denial | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
Component: | postfix | Assignee: | Miroslav Lichvar <mlichvar> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | dmitry, dwalsh, mcepl, mlichvar, twoerner, varekova |
Target Milestone: | --- | Keywords: | SELinux |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2009-04-20 11:45:48 UTC | Type: | --- |
Description
Matěj Cepl
2008-11-24 22:24:35 UTC
Now the executable is /bin/mailx (according to LSB), and all other aliases (including /bin/mail, /usr/bin/Mail etc) are symlinks to it. Before F10, the executable was /bin/mail.

I've found that "selinux-policy" sources still use the old "/bin/mail". Perhaps it should be changed to /bin/mailx instead? (I'm not a guru in SELinux for now...)

If so, change the component to "selinux-policy" package.

Does mailx really need to write to /var/spool/mail? How does it do this if you are not in the mail group?

For comment #2:
> Does mailx really need to write to /var/spool/mail?

It does not need to create files/subdirs normally, but either writes/truncates already created files (/var/spool/mail/foo in mailbox format) or works with files in a subdirectory (/var/spool/mail/foo/{cur,new,tmp} in Maildir/ format).

Regarding the "mail" group: historically (?), /bin/mail was:

    -rwxr-sr-x 1 root mail 77468 Mar 5 2007 /bin/mail

i.e. it had group "mail" and the setgid bit. Later, the setgid bit was dropped (at a time when all such bits were massively dropped). At the switch to the new mailx implementation, I've dropped the "mail" group as well, since without setgid it does not make any sense.

But this avc indicates the mail program running as staff_t is trying to write to the directory /var/spool/mail which indicates it is trying to create a file? I will give it the priv, but not sure what it is doing.

Also need to write files in /var/spool/mqueue

Fixed in selinux-policy-3.5.13-25.fc10

This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Actually, yes it seems to work now. At least when trying

    echo test |mail -s test matej@localhost

I see no AVC denial and the message actually gets delivered. Thanks.

Hmm, when setting SELinux into Enforcing mode (and mailx-12.4-2.fc11.x86_64, postfix-2.5.6-3.fc11.x86_64, selinux-policy-targeted-3.6.12-4.fc11.noarch) I get no AVC denial (sealert -b is empty), but error and no mail sent:

[matej@viklef ~]$ echo 'http://vimeo.com/4063439' |mail mcepl
[matej@viklef ~]$ send-mail: fatal: chdir /var/spool/postfix: Permission denied

When switching SELinux into Permissive mode I get a lot of SELinux AVC denials in postdrop (I use postfix as my mail server on localhost). This is what audit2allow thinks:

[root@viklef ~]# ausearch -m AVC -ts today |grep post|audit2allow

#============= staff_t ==============
allow staff_t postfix_public_t:fifo_file { write open };
allow staff_t postfix_spool_maildrop_t:dir { write remove_name add_name };
allow staff_t postfix_spool_maildrop_t:file { rename write setattr read create open };
[root@viklef ~]#

---------------------------------------------------------
Souhrn:

SELinux is preventing postdrop (staff_t) "remove_name" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  system_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                  139216.12063 [ dir ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              2
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     a6eb9a6c-6a6a-4826-868c-61c1d5625a60
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { remove_name } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { rename } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.143:983): arch=c000003e syscall=82 success=yes exit=0 a0=7fcb26c0c860 a1=7fcb26c07ca0 a2=44 a3=7fff2d87eef0 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

----------------------
Souhrn:

SELinux is preventing postdrop (staff_t) "setattr" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  staff_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                  230C9997D [ file ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              1
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     ce7704b0-b35f-415f-bdb1-cf9823948120
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.154:984): avc: denied { setattr } for pid=12063 comm="postdrop" name="230C9997D" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.154:984): arch=c000003e syscall=91 success=yes exit=0 a0=4 a1=1e4 a2=137 a3=7fff2d87ef70 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

-------------------------
Souhrn:

SELinux is preventing postdrop (staff_t) "write" postfix_public_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  system_u:object_r:postfix_public_t:s0
Objekty cíle                  pickup [ fifo_file ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              2
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     0158c974-01f1-4466-8d99-e9f6d3987dad
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { write } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { open } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.591:985): arch=c000003e syscall=2 success=yes exit=4 a0=7fcb26c07bb0 a1=801 a2=0 a3=11 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

-------------------
Souhrn:

SELinux is preventing postdrop (staff_t) "write" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop.
It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  system_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                  maildrop [ dir ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              4
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     07f1d8fd-4f55-4525-9dd2-2ee1cd13c8aa
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { write } for pid=12063 comm="postdrop" name="maildrop" dev=dm-5 ino=701 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { add_name } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { create } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { read write open } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.139:982): arch=c000003e syscall=2 success=no exit=104374232 a0=7fcb26c0c860 a1=c2 a2=1a4 a3=74 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Added ability to run postdrop to confined users

Fixed in selinux-policy-3.6.12-9.fc11.noarch
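
The step quoted in the report, where the permissive-mode AVC records are piped through audit2allow, worked through as an added example (not part of the bug report and not audit2allow's own code). It groups the nine AVC records from the report by source type, target type and object class, so each suggested allow rule can be traced back to the denials behind it before anything is granted to staff_t. The function names are illustrative.

```python
import re
from collections import defaultdict

# AVC records copied from the audit log quoted in the report above.
AUDIT_LOG = """\
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { write } for pid=12063 comm="postdrop" name="maildrop" dev=dm-5 ino=701 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { add_name } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { create } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { read write open } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { remove_name } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { rename } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.154:984): avc: denied { setattr } for pid=12063 comm="postdrop" name="230C9997D" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { write } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { open } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL and other non-AVC records are skipped
            continue
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def allow_rules(denials):
    """Render candidate rules in audit2allow's style so they can be reviewed."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules

if __name__ == "__main__":
    for rule in allow_rules(collect_denials(AUDIT_LOG)):
        print(rule)
```

The three rules it prints carry the same permission sets as the audit2allow output in the report, listed in sorted order.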