Bug 510107

Summary: setroubleshoot: SELinux is preventing the sendmail from using potentially mislabeled files /etc/postfix (postfix_etc_t).
Product: Fedora
Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, jkubin, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:037d87576639c04e3861b3d262ccac8446885941148b9bcbb72f87549418d99b
Doc Type: Bug Fix
Last Closed: 2009-10-20 21:53:54 UTC

Attachments:
httpd_can_sendmail.py plugin

Description Nicolas Mailhot 2009-07-07 17:49:35 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing the sendmail from using potentially mislabeled files
/etc/postfix (postfix_etc_t).

Detailed Description:

SELinux has denied the sendmail access to potentially mislabeled files
/etc/postfix. This means that SELinux will not allow httpd to use these files.
Many third party apps install html files in directories that SELinux policy
cannot predict. These directories have to be labeled with a file context which
httpd can access.

Allowing Access:

If you want to change the file context of /etc/postfix so that the httpd daemon
can access it, you need to execute it using chcon -t httpd_sys_content_t
'/etc/postfix'. You can look at the httpd_selinux man page for additional
information.

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:postfix_etc_t:s0
Target Objects                /etc/postfix [ dir ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.postfix
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           postfix-2.6.2-1.fc12
Target RPM Packages           postfix-2.6.2-1.fc12
Policy RPM                    selinux-policy-3.6.20-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.38.rc1.git7.bko13551.fc12.x86_64 #1 SMP
                              Sun Jul 5 14:27:52 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 07 Jul 2009 14:51:59 CEST
Last Seen                     Tue 07 Jul 2009 14:51:59 CEST
Local ID                      c6477be7-16a1-496c-8034-6c1bc2a61fea
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1246971119.879:36512): avc:  denied  { search } for  pid=29322 comm="sendmail" name="postfix" dev=dm-3 ino=65645 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1246971119.879:36512): arch=c000003e syscall=2 success=no exit=-13 a0=7f912fc40670 a1=0 a2=0 a3=7fff0d36fee0 items=0 ppid=11032 pid=29322 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0 key=(null)


audit2allow suggests:

#============= httpd_t ==============
allow httpd_t postfix_etc_t:dir search;

Comment 1 Nicolas Mailhot 2009-07-07 17:50:30 UTC
selinux is preventing postfix's sendmail emulation from reading its own (postfix) files

Comment 2 Daniel Walsh 2009-07-07 18:04:16 UTC
What is the label on /usr/sbin/sendmail.postfix

If you turn on the boolean httpd_can_sendmail does it work?

Comment 3 Nicolas Mailhot 2009-07-07 18:15:09 UTC
# ls -Z /usr/sbin/sendmail
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /usr/sbin/sendmail -> /etc/alternatives/mta

# ls -Z /etc/alternatives/mta
lrwxrwxrwx. root root system_u:object_r:etc_t:s0       /etc/alternatives/mta -> /usr/sbin/sendmail.postfix

# ls -Z /usr/sbin/sendmail.postfix 
-rwxr-xr-x. root root system_u:object_r:sendmail_exec_t:s0 /usr/sbin/sendmail.postfix

Comment 4 Nicolas Mailhot 2009-07-07 18:26:39 UTC
with setroubleshoot it seems to work. So I guess it was just terrible setroubleshoot analysis

PS: why does httpd_can_sendmail exist but not httpd_can_mail_services (as in imap/s, pop3/s, smtp/s, submission, as needed by webmails), without opening every possible port to apache?

Comment 5 Daniel Walsh 2009-07-07 19:13:31 UTC
can_sendmail allows the httpd_t to connect to all mail ports and to transition to system_mail_t, so I guess this would work in either case.

The analysis is only as good as the code written for it; since httpd is able to execute all executables, it is allowed to run sendmail.postfix without transition.  So the only thing we got from the kernel was that httpd_t tried to read postfix_etc_t.  I guess we could look at the target and figure out that comm="sendmail", so httpd is probably trying to send mail.

I am writing a new plugin for Rawhide, that would catch this.  I will attach it to this bug report.

Comment 6 Daniel Walsh 2009-07-07 19:15:01 UTC
Created attachment 350853 [details]
httpd_can_sendmail.py plugin

cp this file to /usr/share/setroubleshoot/plugins

Then run 

sealert -a /var/log/audit/audit.log

And you should get a better analysis.

Comment 7 Nicolas Mailhot 2009-07-07 19:48:00 UTC
(In reply to comment #5)
> can_sendmail allows the httpd_t to connect to all mail ports and to transition
> to system_mail_t, so I guess this would work in either case.

ok, this is much more than just accessing sendmail, I guess I was fooled by the boolean name

> The analysis is only as good as the code written for it; since httpd is able to
> execute all executables, it is allowed to run sendmail.postfix without
> transition.  So the only thing we got from the kernel was that httpd_t tried to
> read postfix_etc_t.  I guess we could look at the target and figure out that
> comm="sendmail", so httpd is probably trying to send mail.
> 
> I am writing a new plugin for Rawhide, that would catch this.  I will attach it
> to this bug report.

# sealert -a /var/log/audit/audit.log
100% donefound 8 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

Traceback (most recent call last):
  File "/usr/bin/sealert", line 860, in on_analyzer_state_change
    self.output_results()
  File "/usr/bin/sealert", line 879, in output_results
    print siginfo.format_text()
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/signature.py", line 466, in format_text
    text += html_to_text('<h1>'+_("Summary")+':</h1>'+summary)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 16: ordinal not in range(128)

Comment 8 Nicolas Mailhot 2009-07-07 19:51:53 UTC
(In reply to comment #7)
> (In reply to comment #5)
> > can_sendmail allows the httpd_t to connect to all mail ports and to transition
> > to system_mail_t, so I guess this would work in either case.
> 
> ok, this is much more than just accessing sendmail, I guess I was fooled by the
> boolean name

I guess this advice is misleading too then

SELinux is preventing the http daemon from connecting to network port 993

SELinux has denied the http daemon from connecting to 993. An httpd script is trying to do a network connect to a remote port. If you did not set up httpd for network connections, this could signal an intrusion attempt.

If you want httpd to connect to network ports you need to turn on the httpd_can_network_connect boolean: "setsebool -P httpd_can_network_connect=1" 

setsebool -P httpd_can_network_connect=1
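The plugin attached to this bug is not reproduced on the page. The script below is an added, stand-alone example written for this page (it is not Daniel Walsh's httpd_can_sendmail.py and does not use setroubleshoot's plugin interface). It applies the reasoning from comment 5 (httpd_t runs sendmail.postfix without a domain transition, so the kernel only reports httpd_t touching postfix_etc_t, and comm="sendmail" is the clue) and the point from comment 8 (a denied connect to a mail port such as 993 should point at the narrow httpd_can_sendmail boolean, not the broad httpd_can_network_connect) to raw audit records. The first two records in the sample log are the ones from the description; the other three are constructed. The port labels (993 as pop_port_t, 25/465/587 as smtp_port_t), the set of mail-related file types, and the function and plugin names are this example's own assumptions.

```python
"""Added example: a setroubleshoot-style classifier for httpd_t AVC denials.

Illustrative code for this page only; not the httpd_can_sendmail.py plugin
attached to the bug and not setroubleshoot's real plugin API.
"""
import re

# Assumption: port types covered by httpd_can_sendmail. In the targeted policy
# 25/465/587 are smtp_port_t and 110/143/993/995 are pop_port_t.
MAIL_PORT_TYPES = {"smtp_port_t", "pop_port_t"}
# Assumption: target file types that show httpd is really acting as an MTA client.
MAIL_FILE_TYPES = {"postfix_etc_t", "sendmail_exec_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*)\}")


def parse_avc(line):
    """Parse one audit record; return a dict for type=AVC lines, else None."""
    if "type=AVC" not in line:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    rec["perms"] = perms.group(1).split() if perms else []
    # user:role:type:level -> the type is what policy rules are written against
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """The audit2allow-style rule for a denial (the 'catchall' fallback)."""
    if len(rec["perms"]) == 1:
        perms = rec["perms"][0]
    else:
        perms = "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)


def analyze(rec):
    """Return (plugin, advice) for a parsed AVC record."""
    if not rec["stype"].startswith("httpd_"):
        return "catchall", allow_rule(rec)
    # httpd_t executed sendmail.postfix in place (no transition), so the denial
    # looks like httpd reading postfix config; comm="sendmail" tells the story.
    if rec.get("comm") == "sendmail" or rec["ttype"] in MAIL_FILE_TYPES:
        return "httpd_can_sendmail", "setsebool -P httpd_can_sendmail 1"
    if rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"]:
        # Prefer the boolean that opens only the mail ports over the one that
        # opens every port (least privilege).
        if rec["ttype"] in MAIL_PORT_TYPES:
            return "httpd_can_sendmail", "setsebool -P httpd_can_sendmail 1"
        return "httpd_can_network_connect", "setsebool -P httpd_can_network_connect 1"
    return "catchall", allow_rule(rec)


def analyze_log(text):
    """Run every AVC record in an audit log through analyze()."""
    results = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        plugin, advice = analyze(rec)
        results.append({"source": rec["stype"], "target": rec["ttype"],
                        "class": rec["tclass"], "comm": rec.get("comm"),
                        "plugin": plugin, "advice": advice})
    return results


# Sample input: the first two records are the ones reported in this bug; the
# remaining three are constructed for the example (port labels are assumptions).
SAMPLE_AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1246971119.879:36512): avc:  denied  { search } for  pid=29322 comm="sendmail" name="postfix" dev=dm-3 ino=65645 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1246971119.879:36512): arch=c000003e syscall=2 success=no exit=-13 a0=7f912fc40670 a1=0 a2=0 a3=7fff0d36fee0 items=0 ppid=11032 pid=29322 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0 key=(null)
node=(removed) type=AVC msg=audit(1246980000.000:36600): avc:  denied  { name_connect } for  pid=29400 comm="httpd" dest=993 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1246980001.000:36601): avc:  denied  { name_connect } for  pid=29400 comm="httpd" dest=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
node=(removed) type=AVC msg=audit(1246980002.000:36602): avc:  denied  { write } for  pid=29401 comm="httpd" name="data" dev=dm-3 ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

if __name__ == "__main__":
    for r in analyze_log(SAMPLE_AUDIT_LOG):
        print("%(source)s -> %(target)s:%(class)s comm=%(comm)s  [%(plugin)s]  %(advice)s" % r)
```

Run as-is it classifies the bug's own denial as a sendmail case rather than an httpd_bad_labels one, sends the constructed port-993 denial to httpd_can_sendmail instead of httpd_can_network_connect, and falls back to the audit2allow-style rule only when no narrower boolean applies.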

Comment 9 Daniel Walsh 2009-10-20 21:53:54 UTC
sendmail plugin has been added to rawhide.