Bug 485426

Summary: sendmail leaks file descriptors which causes an SELinux AVC Denial in Mailman!
Product: Fedora
Reporter: Derek Atkins <warlord>
Component: sendmail
Assignee: Miroslav Lichvar <mlichvar>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: mlichvar, paul, twoerner
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-12-15 14:41:54 UTC

Attachments:
  libmilter socket close-on-exec patch (flags: none)
  sendmail socket close-on-exec patch (flags: none)

Description Derek Atkins 2009-02-13 15:17:51 UTC
Description of problem:

I'm getting AVC Denials from SELinux when sendmail tries to execute mailman because the milter file descriptors are leaked (remain open) when sendmail forks to execute mailman.

According to Paul Howarth on the fedora-selinux-list:

> Do your milters exec other programs? There are a couple of sockets
> involved in the milter process (one in libmilter that shows up in the
> milter process itself, and one at the other end of the connection in
> sendmail) that don't have close-on-exec set, so their descriptors leak
> when they exec other programs, and that looks like what you're seeing
> here. I've submitted patches against 8.14.3 upstream many months ago
> but there hasn't been a new release since.


Version-Release number of selected component (if applicable):

sendmail-8.14.3-3.fc10.i386
selinux-policy-targeted-3.5.13-41.fc10.noarch

How reproducible:

100%

Steps to Reproduce:
1. Set up sendmail to call a mailman list via:

  mailman:              "|/usr/lib/mailman/mail/mailman post mailman"

2. Send mail (from another host) to this address.
3. Look in the audit log.

Actual results:

Summary

SELinux is preventing mailman (mailman_mail_t) "read write" sendmail_t.

Detailed Description

SELinux denied access requested by mailman. It is not expected that this access is required by mailman and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 

Allowing Access

You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information
Source Context:  system_u:system_r:mailman_mail_t:s0
Target Context:  system_u:system_r:sendmail_t:s0
Target Objects:  socket [ unix_stream_socket ]
Source:  mailman
Source Path:  /usr/lib/mailman/mail/mailman
Port:  <Unknown>
Host:  <redacted>
Source RPM Packages:  mailman-2.1.11-3.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-41.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  code.gnucash.org
Platform:  Linux code.gnucash.org 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
Alert Count:  1
First Seen:  Sun 08 Feb 2009 11:28:40 AM EST
Last Seen:  Sun 08 Feb 2009 03:04:01 PM EST
Local ID:  606e93dc-55fc-4454-acfa-1081a87deb63
Line Numbers:  

Raw Audit Messages :

node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
denied { read write } for pid=17455 comm="mailman"
path="socket:[105075]" dev=sockfs ino=105075
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
denied { read write } for pid=17455 comm="mailman"
path="socket:[105077]" dev=sockfs ino=105077
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
denied { read write } for pid=17455 comm="mailman"
path="socket:[105079]" dev=sockfs ino=105079
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

node=code.gnucash.org type=SYSCALL msg=audit(1234123441.829:421):
arch=40000003 syscall=11 success=yes exit=0 a0=8d42e38 a1=8d42f20
a2=8d42508 a3=0 items=0 ppid=17454 pid=17455 auid=4294967295 uid=8
gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none)
ses=4294967295 comm="mailman" exe="/usr/lib/mailman/mail/mailman"
subj=system_u:system_r:mailman_mail_t:s0 key=(null)


Expected results:

Sendmail shouldn't leak sockets, so there shouldn't be any AVC denials.

Additional info:

See the thread on the fedora-selinux-list:

  https://www.redhat.com/archives/fedora-selinux-list/2009-February/msg00060.html

Comment 1 Paul Howarth 2009-02-13 15:38:41 UTC
Created attachment 331837 [details]
libmilter socket close-on-exec patch

This patch sets close-on-exec for the milter/MTA socket at the libmilter end, preventing the milter socket descriptor leaking into child processes of the milter.

I submitted this upstream on 18th June 2008.

Comment 2 Paul Howarth 2009-02-13 15:41:39 UTC
Created attachment 331838 [details]
sendmail socket close-on-exec patch

This patch sets close-on-exec for the milter/MTA socket at the sendmail end, preventing the milter socket descriptor leaking into the local delivery process (this is probably the source of Derek's AVCs).

I submitted this upstream on 22nd September 2008.
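
The leak Paul describes in the quoted explanation and in comments 1 and 2, reproduced as an added C example (not code from sendmail, libmilter or the attached patches): an AF_UNIX socket pair stands in for the milter/MTA connection and sh stands in for the exec'd delivery program, and the fix applied is fcntl() with FD_CLOEXEC, assumed here to be the mechanism the patches use since that is how close-on-exec is set on a descriptor. Assumes a POSIX system with /bin/sh.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set close-on-exec on fd: the one-line fix the attached patches apply to
 * the milter/MTA socket (assumed). Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec a child, as sendmail does for a "|program" alias, and report
 * whether fd is still open there: sh tries to dup fd onto its stdout, which
 * fails (non-zero exit) if the descriptor was closed on exec.
 * Returns 1 = leaked into child, 0 = closed on exec, -1 = error. */
int fd_leaks_into_child(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Constructed stand-in for the milter connection: a connected socket pair.
 * Returns 1 if it leaks before the fix and is closed after it, else 0. */
int demo(void)
{
    int sv[2], before, after;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    before = fd_leaks_into_child(sv[0]);
    after = set_cloexec(sv[0]) == 0 ? fd_leaks_into_child(sv[0]) : -1;
    close(sv[0]);
    close(sv[1]);
    return before == 1 && after == 0;
}
```

The same check can be run against a live process from the outside by listing its open descriptors after the exec (for example under /proc/PID/fd on Linux), which is what the AVC above is effectively reporting.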

Comment 3 Bug Zapper 2009-11-18 11:06:10 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Paul Howarth 2009-11-18 11:30:57 UTC
This remains unfixed in Rawhide.

Comment 5 Miroslav Lichvar 2009-12-15 14:41:54 UTC
Included in sendmail-8.14.3-9.fc13. Thanks for the patches.