Bug 628866

Summary: init script searches cwd which can cause SELinux denials
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: spamassassin
Assignee: Jakub Jelen <jjelen>
Status: CLOSED NEXTRELEASE
QA Contact: qe-baseos-daemons
Severity: medium
Priority: low
Version: 6.0
CC: mgrepl, ovasik, plautrba, psabata, pvrabec, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-07-27 08:38:16 UTC
Bug Blocks: 836169, 1070830, 1159820

Description Milos Malik 2010-08-31 08:45:57 UTC
Description of problem:
Some administrators don't use the "service" command when managing a service. They still do it this way:
/etc/init.d/SERVICE start
/etc/init.d/SERVICE restart
/etc/init.d/SERVICE stop
This procedure can cause SELinux denials when an administrator issues the command in an unusual location (a usual location is, for example, / or /root; selinux-policy is aware of the usual locations and SELinux denials there are dontaudited). I would like to ask that the init script be fixed in such a way that it does not search for programs in the current working directory.

Version-Release number of selected component (if applicable):
spamassassin-3.3.1-2.el6.i686
selinux-policy-3.7.19-42.el6.noarch
selinux-policy-doc-3.7.19-42.el6.noarch
selinux-policy-minimum-3.7.19-42.el6.noarch
selinux-policy-mls-3.7.19-42.el6.noarch
selinux-policy-targeted-3.7.19-42.el6.noarch

How reproducible:
always

Steps to Reproduce:
# cd /var/log/audit
# /etc/init.d/spamassassin start
Starting spamd:                                              [  OK  ]
# /etc/init.d/spamassassin stop
Stopping spamd:                                            [  OK  ]
# ausearch -m avc -ts recent
----
time->Tue Aug 31 10:27:46 2010
type=SYSCALL msg=audit(1283243266.323:155): arch=40000003 syscall=195 success=no exit=-13 a0=8325e28 a1=82fc0c0 a2=6fdff4 a3=82fc008 items=0 ppid=4237 pid=4238 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1283243266.323:155): avc:  denied  { search } for  pid=4238 comm="spamd" name="audit" dev=dm-0 ino=9973 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----

Actual results:
an AVC appears

Expected results:
no AVC appears

Additional info:

Comment 1 RHEL Program Management 2011-01-07 15:52:07 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 2 Petr Lautrbach 2011-04-15 13:43:36 UTC
This is caused by the Net::DNS module, whose default behaviour is to read /etc/resolv.conf, $HOME/resolv.conf and ./.resolv.conf even if config_file is specified in the new method. The last 2 files shouldn't be read by default since it's a possible security issue - a user can drop a .resolv.conf pointing to a malicious DNS server.

A workaround for ./.resolv.conf would be to change the directory to / right at the beginning of spamd. However, the $HOME/resolv.conf issue is still left, but SELinux doesn't complain about it.

Comment 3 Marcela Mašláňová 2011-04-20 07:36:56 UTC
I created a bug for Net::DNS upstream, but I'm not sure if it's a bug for them or how they will handle it. It might be better to fix it in spamassassin as you proposed, at least for now.

Comment 4 RHEL Program Management 2011-07-05 23:43:21 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 12 Jakub Jelen 2015-11-30 14:54:44 UTC
It is possible to fix it as in comment #5 and earlier:

diff --git a/spamd/redhat-rc-script.sh b/spamd/redhat-rc-script.sh
index dfe09db..05a07f3 100755
--- a/spamd/redhat-rc-script.sh
+++ b/spamd/redhat-rc-script.sh
@@ -41,6 +41,7 @@ case "$1" in
        [ -x /sbin/portrelease ] && /sbin/portrelease spamd &>/dev/null || :
        # Start daemon.
        echo -n $"Starting $prog: "
+       cd /
        daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
        RETVAL=$?
         echo
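Review bot: the unconditional `cd /` inserted before `daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID` means any relative value an administrator put in SPAMD_PID, or in a path-valued SPAMDOPTIONS entry, now resolves against / instead of the directory the script was run from, which is exactly the regression this comment leaves open; either check that those values are absolute before the `cd /` and fail the start with a clear message if they are not, or document the working-directory change in the sysconfig file. Also, the hunk only touches the start branch of the case statement; any other branch that launches spamd directly rather than going through start would need the same change, which cannot be judged from this context.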


Moving to rhel-6.8 (as it was lying forgotten here). The CPAN upstream bug is fixed now, but I don't think we can bet on its update, so the preferred fix will be the above-mentioned one. Left for consideration is the possible regression that the different working directory can cause.
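The two controls discussed in this bug, starting the daemon from / so that a cwd-relative lookup such as ./.resolv.conf (comment 2) never lands in the directory the administrator happened to be in, and refusing relative paths that would silently resolve against / after the `cd /` (the regression comment 12 leaves open), as an added shell example. This is not the spamassassin package's init script; the helper names, the /var/run/spamd.pid pid-file path and the probe that mimics the relative lookup are constructed for the example.

```shell
#!/bin/sh
# Added example, not spamassassin's own redhat-rc-script.sh. Helper names,
# the pid-file path and the lookup probe are constructed for illustration.

# Where a cwd-relative ./.resolv.conf lookup would resolve for a process
# whose working directory is $1. Runs in a subshell so the caller's cwd is
# untouched; this mirrors the Net::DNS behaviour described in comment 2.
relative_lookup_target() {
  (
    cd "$1" || exit 1
    d=$(pwd -P)
    case $d in
      /) echo "/.resolv.conf" ;;
      *) echo "$d/.resolv.conf" ;;
    esac
  )
}

# Run a command with / as its working directory (the fix from comment 12),
# again in a subshell so the administrator's shell keeps its own cwd.
run_from_root() {
  ( cd / || exit 1; "$@" )
}

# Succeed only when every argument is an absolute path. Apply it to the
# pid-file and to any path-valued daemon option before changing directory,
# otherwise a relative value would resolve against / after the cd.
all_absolute() {
  for p in "$@"; do
    case $p in
      /*) ;;
      *) printf 'relative path rejected: %s\n' "$p" >&2; return 1 ;;
    esac
  done
  return 0
}

# Hardened start routine: $1 is the pid-file path, the remaining arguments
# are the daemon command line. Validate first, then launch from /.
start_hardened() {
  pidfile=$1
  shift
  all_absolute "$pidfile" || return 1
  run_from_root "$@"
}

# Working directory of a running process (Linux /proc). An unexpected value
# such as /var/log/audit is the condition behind the AVC in this report.
daemon_cwd() {
  readlink "/proc/$1/cwd"
}

# Demonstration: the same lookup from an unusual directory and from /.
echo "lookup from /etc: $(relative_lookup_target /etc)"
echo "lookup from /:    $(relative_lookup_target /)"
# 'pwd' stands in for the daemon command line; it prints / when launched.
start_hardened /var/run/spamd.pid pwd
```

Running the script prints the two lookup targets and then `/`, the working directory the stand-in daemon sees. In a real init script the `all_absolute` check belongs immediately before the `cd /`, with `SPAMD_PID` and any path taken from `SPAMDOPTIONS` as its arguments, so that a misconfigured relative path fails loudly at start time instead of being relocated under /.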

Comment 14 Peter Vrabec 2016-07-27 08:38:16 UTC
When Red Hat shipped 6.8 on May 10, 2016, RHEL 6 entered Production Phase 2.
https://access.redhat.com/support/policy/updates/errata#Production_2_Phase
That means only "Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released".

Additionally, this issue has been resolved in Red Hat Enterprise Linux 7 which is still in Production Phase 1. Please consider upgrading to RHEL 7 where less than critical bugs, hardware enablement and feature requests can be addressed. Please re-open this Bugzilla if it is production impacting and critical for the customer and provide a thorough business justification.