Bug 472831

Summary: (staff_u) mailx not allowed to send mail for and by staff_u user and SELinux AVC denial
Product: [Fedora] Fedora
Component: postfix
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Matěj Cepl <mcepl>
Assignee: Miroslav Lichvar <mlichvar>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dmitry, dwalsh, mcepl, mlichvar, twoerner, varekova
Keywords: SELinux
Doc Type: Bug Fix
Last Closed: 2009-04-20 11:45:48 UTC

Description Matěj Cepl 2008-11-24 22:24:35 UTC
Description of problem:
[matej@viklef ~]$ echo test | mail -s test $LOGNAME
[matej@viklef ~]$ send-mail: fatal: chdir /var/spool/postfix: Permission denied

[matej@viklef ~]$ 

Note that

[matej@viklef ~]$ id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
[matej@viklef ~]$ 

When I send mail as root it goes through, but then when I try to read it I get an AVC denial after leaving mailx:

[matej@viklef ~]$ mail
Heirloom Mail version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/matej": 1 message
>   1 root                  Mon Nov 24 23:20  19/595   "test"
& 1
Message  1:
From root  Mon Nov 24 23:20:06 2008
Return-Path: <root>
X-Original-To: root
Delivered-To: root
Date: Mon, 24 Nov 2008 23:20:06 +0100
To: root
Subject: test
User-Agent: Heirloom mailx 12.4 7/29/08
Content-Type: text/plain; charset=us-ascii
From: root (root)
Status: RO

test

& q
Held 1 message in /var/spool/mail/matej
[matej@viklef ~]$ 

and AVC denial happens:


Souhrn:

SELinux is preventing mail (staff_t) "write" to ./mail (mail_spool_t).

Podrobný popis:

SELinux denied access requested by mail. It is not expected that this access is
required by mail and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./mail,

restorecon -v './mail'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:mail_spool_t
Objekty cíle                 ./mail [ dir ]
Zdroj                         mail
Cesta zdroje                  /bin/mailx
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          mailx-12.4-1.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           4
Poprvé viděno               Po 24. listopad 2008, 23:20:32 CET
Naposledy viděno             Po 24. listopad 2008, 23:21:58 CET
Místní ID                   5f32417e-9811-4922-ae09-f7f50e39dc62
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227565318.23:200): avc:  denied  { write } for  pid=5498 comm="mail" name="mail" dev=dm-0 ino=1274251 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227565318.23:200): arch=40000003 syscall=33 success=no exit=-13 a0=bf8153d0 a1=7 a2=80a26a0 a3=bf8153d0 items=0 ppid=5436 pid=5498 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="mail" exe="/bin/mailx" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
see above + using postfix
postfix-2.5.5-2.fc10.i386

How reproducible:
100%

Steps to Reproduce:
1. send email to staff_u user (you have to do it as root, because staff_u is not able to send mail with mailx)
2. open mail command and read the message
3. quit mailx
  
Actual results:
AVC denial

Expected results:
nothing bad

Additional info:

Comment 1 Dmitry Butskoy 2008-11-25 11:55:19 UTC
Now the executable is /bin/mailx (according to LSB), and all other aliases (including /bin/mail, /usr/bin/Mail etc.) are symlinks to it. Before F10, the executable was /bin/mail.

I've found that "selinux-policy" sources still use old "/bin/mail". Perhaps it should be changed to /bin/mailx instead? (I'm not a guru in SELinux for now...)

If so, change the component to "selinux-policy" package.

Comment 2 Daniel Walsh 2008-11-25 13:48:07 UTC
Does mailx really need to write to /var/spool/mail?

How does it do this if you are not in the mail group?

Comment 3 Dmitry Butskoy 2008-11-25 14:16:01 UTC
For comment #2 :

> Does mailx really need to write to /var/spool/mail?

It does not normally need to create files/subdirs, but it either writes/truncates already created files (/var/spool/mail/foo in mailbox format) or works with files in a subdirectory (/var/spool/mail/foo/{cur,new,tmp} in Maildir/ format).


Regarding the "mail" group: historically (?), /bin/mail was:

-rwxr-sr-x 1 root mail 77468 Mar  5  2007 /bin/mail

i.e. it had group "mail" and the setgid bit. Later, the setgid bit was dropped (at a time when all such bits were massively dropped). At the switch to the new mailx implementation, I've dropped the "mail" group as well, since without setgid it does not make any sense.

Comment 4 Daniel Walsh 2008-11-25 15:16:50 UTC
But this avc indicates the mail program running as staff_t is trying to write to the directory /var/spool/mail which indicates it is trying to create a file?  

I will give it the priv, but not sure what it is doing.

Also need to write files in /var/spool/mqueue

Fixed in selinux-policy-3.5.13-25.fc10

Comment 5 Bug Zapper 2008-11-26 05:53:25 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Matěj Cepl 2009-01-27 21:44:09 UTC
Actually, yes it seems to work now. At least when trying

echo test |mail -s test matej@localhost

I see no AVC denial and message actually gets delivered.

Thanks.

Comment 7 Matěj Cepl 2009-04-20 10:54:43 UTC
Hmm, when setting SELinux into Enforcing mode (and mailx-12.4-2.fc11.x86_64, postfix-2.5.6-3.fc11.x86_64, selinux-policy-targeted-3.6.12-4.fc11.noarch) I get no AVC denial (sealert -b is empty), but an error and no mail sent:

[matej@viklef ~]$ echo 'http://vimeo.com/4063439' |mail mcepl
[matej@viklef ~]$ send-mail: fatal: chdir /var/spool/postfix: Permission denied

When switching SELinux into Permissive mode I get a lot of SELinux AVC denials in postdrop (I use postfix as my mail server on localhost).

This is what audit2allow thinks:

[root@viklef ~]# ausearch -m AVC -ts today |grep post|audit2allow 


#============= staff_t ==============
allow staff_t postfix_public_t:fifo_file { write open };
allow staff_t postfix_spool_maildrop_t:dir { write remove_name add_name };
allow staff_t postfix_spool_maildrop_t:file { rename write setattr read create open };
[root@viklef ~]# 

---------------------------------------------------------

Souhrn:

SELinux is preventing postdrop (staff_t) "remove_name" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access
is required by postdrop and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                 139216.12063 [ dir ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          postfix-2.5.6-3.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1
                              SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno             Po 20. duben 2009, 12:45:16 CEST
Místní ID                   a6eb9a6c-6a6a-4826-868c-61c1d5625a60
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc:  denied  { remove_name } for  pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc:  denied  { rename } for  pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.143:983): arch=c000003e syscall=82 success=yes exit=0 a0=7fcb26c0c860 a1=7fcb26c07ca0 a2=44 a3=7fff2d87eef0 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)


----------------------


Souhrn:

SELinux is preventing postdrop (staff_t) "setattr" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access
is required by postdrop and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 staff_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                 230C9997D [ file ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          postfix-2.5.6-3.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1
                              SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno             Po 20. duben 2009, 12:45:16 CEST
Místní ID                   ce7704b0-b35f-415f-bdb1-cf9823948120
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.154:984): avc:  denied  { setattr } for  pid=12063 comm="postdrop" name="230C9997D" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.154:984): arch=c000003e syscall=91 success=yes exit=0 a0=4 a1=1e4 a2=137 a3=7fff2d87ef70 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)


-------------------------


Souhrn:

SELinux is preventing postdrop (staff_t) "write" postfix_public_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access
is required by postdrop and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:postfix_public_t:s0
Objekty cíle                 pickup [ fifo_file ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          postfix-2.5.6-3.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1
                              SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění           2
Poprvé viděno               Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno             Po 20. duben 2009, 12:45:16 CEST
Místní ID                   0158c974-01f1-4466-8d99-e9f6d3987dad
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc:  denied  { write } for  pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc:  denied  { open } for  pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.591:985): arch=c000003e syscall=2 success=yes exit=4 a0=7fcb26c07bb0 a1=801 a2=0 a3=11 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)


-------------------


Souhrn:

SELinux is preventing postdrop (staff_t) "write" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access
is required by postdrop and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                 maildrop [ dir ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          postfix-2.5.6-3.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1
                              SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění           4
Poprvé viděno               Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno             Po 20. duben 2009, 12:45:16 CEST
Místní ID                   07f1d8fd-4f55-4525-9dd2-2ee1cd13c8aa
Čísla řádků              

Původní zprávy auditu      

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc:  denied  { write } for  pid=12063 comm="postdrop" name="maildrop" dev=dm-5 ino=701 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc:  denied  { add_name } for  pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc:  denied  { create } for  pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc:  denied  { read write open } for  pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.139:982): arch=c000003e syscall=2 success=no exit=104374232 a0=7fcb26c0c860 a1=c2 a2=1a4 a3=74 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 8 Daniel Walsh 2009-04-20 11:45:48 UTC
Added ability to run postdrop to confined users

Fixed in selinux-policy-3.6.12-9.fc11.noarch
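
Added example (not part of the original report and not written by any commenter): a Python sketch of the aggregation audit2allow performs on the AVC records in Comment 7, grouping denials by source type, target type and object class. The sample records are abridged copies of those lines (node, pid, dev and ino dropped), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Abridged copies of the AVC records in Comment 7 (node, pid, dev, ino dropped).
SAMPLE = """\
type=AVC msg=audit(1240224316.139:982): avc:  denied  { write } for  comm="postdrop" name="maildrop" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1240224316.139:982): avc:  denied  { add_name } for  comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1240224316.139:982): avc:  denied  { create } for  comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1240224316.139:982): avc:  denied  { read write open } for  comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1240224316.143:983): avc:  denied  { remove_name } for  comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1240224316.143:983): avc:  denied  { rename } for  comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1240224316.154:984): avc:  denied  { setattr } for  comm="postdrop" name="230C9997D" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1240224316.591:985): avc:  denied  { write } for  comm="postdrop" name="pickup" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
type=AVC msg=audit(1240224316.591:985): avc:  denied  { open } for  comm="postdrop" name="pickup" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if m is None:
        return None                      # SYSCALL records and other noise
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m["rest"])}
    rec["perms"] = m["perms"].split()
    return rec

def context_type(ctx):
    # user:role:type[:mls-range]; allow rules are written on the type field only
    return ctx.split(":")[2]

def allow_rules(lines):
    """Group denials the way the audit2allow output in Comment 7 is grouped."""
    rules = defaultdict(set)   # (source type, target type, class) -> permissions
    comms = defaultdict(set)   # source type -> programs seen running in it
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src = context_type(rec["scontext"])
        rules[(src, context_type(rec["tcontext"]), rec["tclass"])].update(rec["perms"])
        comms[src].add(rec["comm"])
    return rules, comms

def render(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, comms = allow_rules(SAMPLE.splitlines())
    print("\n".join(render(rules)))
    print({dom: sorted(progs) for dom, progs in comms.items()})
```

All nine denials come from postdrop while the process is still labelled staff_t, and the differing SELinux user in tcontext (system_u on the directory, staff_u on the new file) collapses because only the type field enters an allow rule.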