Bug 510107
Summary: | setroubleshoot: SELinux is preventing the sendmail from using potentially mislabeled files /etc/postfix (postfix_etc_t). | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> | ||||
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | rawhide | CC: | dwalsh, jkubin, mgrepl | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | x86_64 | ||||||
OS: | Linux | ||||||
Whiteboard: | setroubleshoot_trace_hash:037d87576639c04e3861b3d262ccac8446885941148b9bcbb72f87549418d99b | ||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-10-20 21:53:54 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Description
Nicolas Mailhot
2009-07-07 17:49:35 UTC
selinux is preventing postfix's sendmail emulation to read its own (postfix) files

What is the label on /usr/sbin/sendmail.postfix

If you turn on the boolean httpd_can_sendmail does it work?

    # ls -Z /usr/sbin/sendmail
    lrwxrwxrwx. root root system_u:object_r:bin_t:s0 /usr/sbin/sendmail -> /etc/alternatives/mta
    # ls -Z /etc/alternatives/mta
    lrwxrwxrwx. root root system_u:object_r:etc_t:s0 /etc/alternatives/mta -> /usr/sbin/sendmail.postfix
    # ls -Z /usr/sbin/sendmail.postfix
    -rwxr-xr-x. root root system_u:object_r:sendmail_exec_t:s0 /usr/sbin/sendmail.postfix

with setroubleshoot it seems to work. So I guess it was just terrible setroubleshoot analysis

PS why does httpd_can_sendmail exist but not httpd_can_mail_services (as in imap/s, pop3/s, smtp/s, submission, as needed by webmails, without opening every possible port to apache?)

can_sendmail allows the httpd_t to connect to all mail ports and to transition to system_mail_t, so I guess this would work in either case.

The analysis is only as good as the code written for it, since httpd is able to execute all executables, it is allowed to run sendmail.postfix without transition. So the only thing we got from the kernel was that httpd_t tried to read postfix_etc_t. I guess we could look at the target and figure out that comm="sendmail" so httpd is probably trying to send mail.

I am writing a new plugin for Rawhide, that would catch this. I will attach it to this bug report.

Created attachment 350853 [details]
httpd_can_sendmail.py plugin
cp this file to /usr/share/setroubleshoot/plugins
Then run
sealert -a /var/log/audit/audit.log
And you should get a better analysis.
(In reply to comment #5)
> can_sendmail allows the httpd_t to connect to all mail ports and to transition
> to system_mail_t, so I guess this would work in either case.

ok, this is much more than just accessing sendmail, I guess I was fooled by the boolean name

> The analysis is only as good as the code written for it, since httpd is able to
> execute all executables, it is allowed to run sendmail.postfix without
> transition. So the only thing we got from the kernel was that httpd_t tried to
> read postfix_etc_t. I guess we could look at the target and figure out that
> comm="sendmail" so httpd is probably trying to send mail.
>
> I am writing a new plugin for Rawhide, that would catch this. I will attach it
> to this bug report.

    [root@arekh nim]# sealert -a /var/log/audit/audit.log
    100% done
    found 8 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    Traceback (most recent call last):
      File "/usr/bin/sealert", line 860, in on_analyzer_state_change
        self.output_results()
      File "/usr/bin/sealert", line 879, in output_results
        print siginfo.format_text()
      File "/usr/lib64/python2.6/site-packages/setroubleshoot/signature.py", line 466, in format_text
        text += html_to_text('<h1>'+_("Summary")+':</h1>'+summary)
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 16: ordinal not in range(128)

(In reply to comment #7)
> (In reply to comment #5)
> > can_sendmail allows the httpd_t to connect to all mail ports and to transition
> > to system_mail_t, so I guess this would work in either case.
>
> ok, this is much more than just accessing sendmail, I guess I was fooled by the
> boolean name

I guess this advice is misleading too then

    SELinux is preventing the http daemon from connecting to network port 993

    SELinux has denied the http daemon from connecting to 993. An httpd script is trying to do a network connect to a remote port. If you did not setup httpd to network connections, this could signal a intrusion attempt.

    If you want httpd to connect to network ports you need to turn on the httpd_can_network_network_connect boolean: "setsebool -P httpd_can_network_connect=1"

    setsebool -P httpd_can_network_connect=1

sendmail plugin has been added to rawhide.
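The heuristic from comment #5 (httpd_t with comm="sendmail" or a postfix_etc_t target is a mail attempt, not a mislabeled file) and the port-993 case discussed above, as an added example that is neither the attached plugin nor setroubleshoot's own code; the audit lines are constructed, and the MAIL_PORT_TYPES set and the function names are assumptions.

```python
import re

# Constructed sample audit lines (not from the bug report) in the kernel AVC format;
# the third line carries a lone 0xc3 byte like the one that crashed sealert's format_text.
SAMPLE_AUDIT_LOG = (
    b'type=AVC msg=audit(1246988975.123:456): avc:  denied  { read } for  pid=1234 comm="sendmail" name="main.cf" '
    b'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file\n'
    b'type=AVC msg=audit(1246988980.456:457): avc:  denied  { name_connect } for  pid=1235 comm="php-cgi" dest=993 '
    b'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket\n'
    b'type=AVC msg=audit(1246988990.789:458): avc:  denied  { read } for  pid=1236 comm="postfix-script" name="caf\xc3.cf" '
    b'scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed: port types that httpd_can_sendmail covers (comment #5 says "all mail ports").
MAIL_PORT_TYPES = {'smtp_port_t', 'pop_port_t'}


def parse_avc(line):
    """Split one AVC denial into its fields; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is what the policy reasons about
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def suggest_boolean(fields):
    """Comment #5's heuristic: httpd_t ran sendmail.postfix without a transition, so comm is the clue."""
    if fields['stype'] != 'httpd_t':
        return None
    if fields['comm'] == 'sendmail' or fields['ttype'] == 'postfix_etc_t':
        return 'httpd_can_sendmail'
    if fields['tclass'] == 'tcp_socket' and 'name_connect' in fields['perms']:
        # Prefer the narrow mail boolean over opening every port (the port 993 advice above)
        return 'httpd_can_sendmail' if fields['ttype'] in MAIL_PORT_TYPES else 'httpd_can_network_connect'
    return None


def triage(raw_log):
    """Return (comm, target type, suggested boolean) for every AVC line in a raw audit log."""
    # errors='replace' keeps a stray non-ASCII byte from aborting the run, as it did in the traceback
    out = []
    for line in raw_log.decode('utf-8', errors='replace').splitlines():
        fields = parse_avc(line)
        if fields is not None:
            out.append((fields['comm'], fields['ttype'], suggest_boolean(fields)))
    return out
```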