Bug 714160

Summary: cannot send email via /usr/sbin/sendmail
Product: [Fedora] Fedora
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, jskarvad, mcepl, mgrepl, mlichvar
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-10-07 14:28:50 UTC

Description Matěj Cepl 2011-06-17 13:44:14 UTC
Description of problem:
Even when trying a trivial sending of a file via /usr/sbin/sendmail I get kicked out (originally I was hit with this when running git-send-mail). There doesn't seem to be any SELinux issue, and everything seems to be in default state as per package. When I switch git-send-mail to use localhost via port 25, then the message is sent without a problem.

bradford:~ $ cat xmpp-security.txt |/usr/sbin/sendmail -i mcepl
sendmail: fatal: chdir /var/spool/postfix: Permission denied
bradford:~ $ sudo ls -ldZ /var/spool/postfix
drwxr-xr-x. root root system_u:object_r:postfix_spool_t:s0 /var/spool/postfix
bradford:~ $ sudo ausearch -m AVC -ts recent
bradford:~ $ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
bradford:~ $ 

Also:

bradford:~# rpm -V postfix
5S.T.....  c /etc/postfix/access
5S.T.....  c /etc/postfix/header_checks
5S.T.....  c /etc/postfix/main.cf
5S.T.....  c /etc/postfix/master.cf
5S.T.....  c /etc/postfix/transport
5S.T.....  c /etc/postfix/virtual
bradford:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 4
default_destination_concurrency_limit = 200
default_destination_recipient_limit = 1000
html_directory = no
inet_interfaces = loopback-only
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.3/README_FILES
recipient_delimiter = +
relayhost = smtp.o2isp.cz
sample_directory = /usr/share/doc/postfix-2.8.3/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relayhost
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = 
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
bradford:~# 


Version-Release number of selected component (if applicable):
postfix-2.8.3-1.fc15.x86_64

How reproducible:
100%

Steps to Reproduce:
1. see above
  
Actual results:
mail is not sent

Expected results:
it should be

Additional info:

Comment 1 Jaroslav Škarvada 2011-06-20 13:00:04 UTC
It is working on default F15 install with unconfined_u user.

But it doesn't work with the staff_u user. It seems not to emit AVC in the enforcing mode. But I got the AVC in permissive mode by:

# setenforce 0
$ id -Z 
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ echo test | /usr/bin/sendmail -i jskarvad
# ausearch -m AVC -ts recent
---
type=SYSCALL msg=audit(1308573783.738:119): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff7636af30 a2=7fff7636af30 a3=7fff7636ac80 items=0 ppid=3080 pid=3081 auid=502 uid=502 gid=503 euid=502 suid=502 fsuid=502 egid=90 sgid=90 fsgid=90 tty=tty2 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308573783.738:119): avc:  denied  { getattr } for  pid=3081 comm="postdrop" path="socket:[38850]" dev=sockfs ino=38850 scontext=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
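
The AVC record above can be turned into the policy rule that audit2allow would propose, and the paired SYSCALL record shows why the denial was only visible in permissive mode. The following Python script is an added example, not part of this bug report or of the selinux-policy package; it works on a constructed copy of the two audit records quoted above (the SYSCALL record shortened to the fields the script reads).

```python
import re
from collections import defaultdict

# Constructed sample input: the two audit records quoted in comment 1, one per line as
# ausearch prints them. The SYSCALL record is shortened to the fields used below.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1308573783.738:119): arch=c000003e syscall=5 success=yes exit=0 pid=3081 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1308573783.738:119): avc:  denied  { getattr } for  pid=3081 comm="postdrop" path="socket:[38850]" dev=sockfs ino=38850 scontext=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)")


def type_of(context):
    """Return the type field of an SELinux context (user:role:type:range)."""
    return context.split(":")[2]


def parse_denials(log):
    """Yield (serial, source_type, target_type, class, {perms}) for each AVC denial."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m["serial"], type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def syscall_outcomes(log):
    """Map audit serial -> True if the denied syscall still succeeded, i.e. permissive mode."""
    return {m["serial"]: m["success"] == "yes"
            for m in map(SYSCALL_RE.search, log.splitlines()) if m}


def allow_rules(log):
    """Collapse denials into allow rules, one per (source, target, class), merging permissions."""
    merged = defaultdict(set)
    for _, src, tgt, tclass, perms in parse_denials(log):
        merged[(src, tgt, tclass)] |= perms
    return sorted(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(p))} }};"
                  for (src, tgt, tclass), p in merged.items())


if __name__ == "__main__":
    outcomes = syscall_outcomes(AUDIT_LOG)
    for serial, src, tgt, tclass, perms in parse_denials(AUDIT_LOG):
        mode = "permissive" if outcomes.get(serial) else "enforcing"
        print(f"#{serial}: {src} -> {tgt}:{tclass} {sorted(perms)} (logged in {mode} mode)")
    print("\n".join(allow_rules(AUDIT_LOG)))
```

For this record the script emits `allow postfix_postdrop_t staff_t:unix_stream_socket { getattr };` and flags the serial as permissive, since an enforced denial would show `success=no` on the SYSCALL record.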

Comment 2 Jaroslav Škarvada 2011-06-21 09:49:05 UTC
CCed SELinux guys to get their opinion.

Comment 3 Daniel Walsh 2011-06-22 14:34:28 UTC
I have no problem allowing this. I am surprised it is happening. Does bash create a unix_stream_socket for the pipe from echo to sendmail?

If you put the machine into permissive mode or postfix_postdrop_t into permissive mode, does it generate additional AVC messages?