| Summary: | SELinux is preventing /usr/sbin/sendmail.sendmail from using the 'net_admin' capabilities. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Layton <jlayton> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 15 | CC: | dominick.grift, dwalsh, eparis, mgrepl, steved |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:07f2c0ef83667af87399fff762215ba375800cdabec8e912c7fd2f7c8872bbb5 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-07 19:21:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Are you using some kind of bizarro sendmail command?

Nope. Pretty much freshly installed f15 machine. I don't believe I even sent any mail at that time. I'll note though that there was a wireless hiccup when the last event of it occurred:

```
Sep 28 10:35:36 corrin NetworkManager[965]: <info> Activation (wlan0) Stage 2 of 5 (Device Configure) complete.
Sep 28 10:35:36 corrin NetworkManager[965]: <info> Config: set interface ap_scan to 1
Sep 28 10:35:36 corrin dbus: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Sep 28 10:35:36 corrin NetworkManager[965]: <info> (wlan0): supplicant interface state: disconnected -> scanning
Sep 28 10:35:39 corrin setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from using the net_admin capability. For complete SELinux messages. run sealert -l 2bd50cbf-f66d-4903-a33b-f9b43d72c2da
Sep 28 10:35:39 corrin setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from using the net_admin capability. For complete SELinux messages. run sealert -l 2bd50cbf-f66d-4903-a33b-f9b43d72c2da
Sep 28 10:35:39 corrin NetworkManager[965]: <info> (wlan0): supplicant interface state: scanning -> associating
Sep 28 10:35:39 corrin NetworkManager[965]: <info> (wlan0): supplicant interface state: associating -> 4-way handshake
Sep 28 10:35:39 corrin NetworkManager[965]: <info> (wlan0): supplicant interface state: 4-way handshake -> completed
```

Maybe some NetworkManager goop?

Yeah -- /etc/NetworkManager/dispatcher.d/10-sendmail:

```sh
#!/bin/sh
case "$2" in
    up|down|vpn-up|vpn-down)
        /sbin/service sendmail reload || :
        ;;
esac
```

Well, these AVCs would indicate sendmail is attempting to modify the network devices and loading kernel modules. Can you execute `ausearch -m avc` to make sure setroubleshoot did not drop anything?

This is the same sys_module crap that everything gets :-(

Created attachment 525360
output from ausearch -m avc

This is my laptop, btw -- I'm not even running sendmail at all :-/.
Here's the ausearch output.

That does it, I am just going to add

```
dontaudit domain self:capability sys_module;
```

And be done with it.

But is the net_admin now in the same boat?

This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

```
SELinux is preventing /usr/sbin/sendmail.sendmail from using the 'net_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sendmail.sendmail should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sendmail_t:s0
Target Context                system_u:system_r:sendmail_t:s0
Target Objects                Unknown [ capability ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sendmail-8.14.5-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64
Alert Count                   9
First Seen                    Tue 27 Sep 2011 05:51:13 PM EDT
Last Seen                     Wed 28 Sep 2011 10:35:34 AM EDT
Local ID                      2bd50cbf-f66d-4903-a33b-f9b43d72c2da

Raw Audit Messages
type=AVC msg=audit(1317220534.902:64): avc: denied { net_admin } for pid=2040 comm="sendmail" capability=12 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability

type=AVC msg=audit(1317220534.902:64): avc: denied { sys_module } for pid=2040 comm="sendmail" capability=16 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability

type=SYSCALL msg=audit(1317220534.902:64): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=4 a1=8933 a2=7fff52158a20 a3=b items=0 ppid=1 pid=2040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:sendmail_t:s0 key=(null)

Hash: sendmail,sendmail_t,sendmail_t,capability,net_admin

audit2allow

#============= sendmail_t ==============
allow sendmail_t self:capability { net_admin sys_module };

audit2allow -R

#============= sendmail_t ==============
allow sendmail_t self:capability { net_admin sys_module };
```
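
Added example, not part of the original report or of any SELinux tool: a small parser that groups the raw audit records above by event ID and joins each capability denial to the SYSCALL record of the same event, so the denial can be read next to the syscall and exit code that triggered it. The sample lines are copied from the report; the function names `parse_events` and `summarize` are this example's own.

```python
import re
from collections import defaultdict

# Raw audit records copied from the report above (all share event serial 64).
SAMPLE = """\
type=AVC msg=audit(1317220534.902:64): avc: denied { net_admin } for pid=2040 comm="sendmail" capability=12 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability
type=AVC msg=audit(1317220534.902:64): avc: denied { sys_module } for pid=2040 comm="sendmail" capability=16 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability
type=SYSCALL msg=audit(1317220534.902:64): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=4 a1=8933 a2=7fff52158a20 a3=b items=0 ppid=1 pid=2040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:sendmail_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
PERMS = re.compile(r"denied\s+\{ ([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by (timestamp, serial); records sharing both are one event."""
    events = defaultdict(lambda: {"denials": [], "syscall": None})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        event = events[(stamp, int(serial))]
        perms = PERMS.search(body)
        if rtype == "AVC" and perms:
            for perm in perms.group(1).split():
                event["denials"].append(
                    (fields.get("scontext"), fields.get("tcontext"), fields.get("tclass"), perm))
        elif rtype == "SYSCALL":
            event["syscall"] = fields
    return dict(events)

def summarize(events):
    """One row per event: denied self:capability permissions plus the syscall involved."""
    rows = []
    for (stamp, serial), ev in sorted(events.items()):
        sc = ev["syscall"] or {}
        caps = sorted(perm for s, t, cls, perm in ev["denials"]
                      if cls == "capability" and s == t)
        rows.append({"serial": serial, "exe": sc.get("exe"), "syscall": sc.get("syscall"),
                     "exit": sc.get("exit"), "capabilities": caps})
    return rows

if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE)):
        print(row)
```

On the records in this report, both denials collapse into a single event: one `ioctl` by `/usr/sbin/sendmail.sendmail` that failed with `ENODEV`.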