| Summary: | AVC denial on sendmail spawned from logwatch cron job | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jerry James <loganjerry> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-06-10 03:08:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Did you notice any loss of functionality or any anomalies (besides the avc denial)?

No, the logwatch email arrived in root's mailbox as usual. I had this happen on both of my Rawhide virtual machines, by the way. One is x86_64 and the other is i686.

Silently deny attempts by logwatch_mail_t to use system_cronjob_t file descriptors: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=0d6aa56fb38eaa8061de1a59d1023c50a1bfc779
Description of problem:

I have logwatch installed on a virtual Rawhide machine. Today when the logwatch cron job ran, I got an AVC denial:

Additional Information:

```
Source Context                system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Objects                fd [ fd ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          jerry-fedora15.bluehost.com
Source RPM Packages           sendmail-8.14.5-1.fc16
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-25.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jerry-fedora15.bluehost.com
Platform                      Linux jerry-fedora15.bluehost.com 2.6.39-1.fc16.x86_64 #1 SMP Sat May 21 02:34:01 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 07 Jun 2011 10:07:04 AM MDT
Last Seen                     Tue 07 Jun 2011 10:07:04 AM MDT
Local ID                      51566a47-c76a-4517-98a3-51eb86409fed

Raw Audit Messages

type=AVC msg=audit(1307462824.740:67): avc: denied { use } for pid=1917 comm="sendmail" path="pipe:[23907]" dev=pipefs ino=23907 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd

type=AVC msg=audit(1307462824.740:67): avc: denied { use } for pid=1917 comm="sendmail" path="pipe:[23907]" dev=pipefs ino=23907 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd

type=SYSCALL msg=audit(1307462824.740:67): arch=x86_64 syscall=execve success=yes exit=0 a0=2bbc1f0 a1=2bbc180 a2=2bbb6f0 a3=7fff9856e370 items=0 ppid=1864 pid=1917 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=2 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
```

Version-Release number of selected component (if applicable):

logwatch-7.4.0-5.20110328svn50.fc16.noarch
sendmail-8.14.5-1.fc16.x86_64
selinux-policy-3.9.16-25.fc16.noarch

How reproducible: Once, so far.
Steps to Reproduce:

1. Install logwatch
2. Wait for the daily cron job to run
3.

Actual results: An AVC denial.

Expected results: I'm not well-versed enough to tell whether this is logwatch / sendmail misbehaving, or whether this behavior should be allowed by SELinux.

Additional info:
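
The following is an added example, not part of the bug report and not the selinux-policy project's code. It parses the AVC record quoted in the report and derives the raw `dontaudit` rule that matches the resolution described above: the access stays denied but is no longer logged, which fits because the mail was still delivered. The function names are hypothetical, and the raw rule form is an assumption about how the fix could be written; the linked commit may express it differently.

```python
import re

# AVC record copied from the report's raw audit messages.
AVC_LINE = (
    'type=AVC msg=audit(1307462824.740:67): avc: denied { use } for pid=1917 '
    'comm="sendmail" path="pipe:[23907]" dev=pipefs ino=23907 '
    'scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fd'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields in one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Extract the type from user:role:type[:level]; the level may contain ':'."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {context!r}')
    return parts[2]


def rule_for(avc, keyword='dontaudit'):
    """Build a type-enforcement rule covering a denied AVC record."""
    if avc['result'] != 'denied':
        raise ValueError('only denied records need a rule')
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"{keyword} {context_type(avc['scontext'])} "
            f"{context_type(avc['tcontext'])}:{avc['tclass']} {perm_str};")


if __name__ == '__main__':
    print(rule_for(parse_avc(AVC_LINE)))
```

Passing `keyword='allow'` produces the permissive alternative for comparison; review any generated rule against the policy's intent before loading it.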