Bug 781556

Summary: AVC denied for write for sendmail_t in dovecot_deliver_tmp_t
Product: Red Hat Enterprise Linux 6
Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: medium
Version: 6.2
CC: benglish, cpelland, dwalsh, ebenes, mmalik, mtruneck, robert.scheck, ssekidde
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-208.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-11-21 10:09:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 960054

Description Robert Scheck 2012-01-13 17:30:21 UTC
Description of problem:
The following AVC denied messages are showing up if Dovecot is configured
to cause a bounce if quota of a mailbox is reached:

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
dovecot-2.0.9-2.el6_1.1.x86_64

How reproducible:
Every time, see above and below.
  
Actual results:
AVC denied for write for sendmail_t in dovecot_deliver_tmp_t

Expected results:
No AVC denied for the case mentioned above.

Additional info:
This should work and be allowed by default as it's a standard configuration
situation.

Comment 2 Miroslav Grepl 2012-01-16 08:33:20 UTC
Robert,
could you paste AVC msgs? Thank you.

Comment 3 Robert Scheck 2012-01-16 09:26:08 UTC
Oops, sorry! Of course:

type=AVC msg=audit(1326132038.522:35678): avc:  denied  { write } for  pid=16890 comm="sendmail" path=2F746D702F646F7665636F742E6C64612E65356564396337323234383434633265202864656C6574656429 dev=vda1 ino=413575 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1326132038.522:35678): arch=c000003e syscall=59 success=yes exit=0 a0=8fdb08 a1=8fdb20 a2=946130 a3=10 items=0 ppid=16889 pid=16890 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
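
The raw records above carry the path hex-encoded (auditd does that whenever a string field contains a character it will not print literally; here it is the space in " (deleted)"), and the SYSCALL record's arch/syscall pair tells you which call triggered the check. The script below decodes and correlates such records. It is an added example, not code from the bug report, Dovecot or selinux-policy: the two records in SAMPLE_RECORDS are copied from this comment, the field layout is the Linux audit format, and the syscall table and the execve heuristic in explain_event() are this example's own.

```python
"""Decode and correlate raw SELinux AVC/SYSCALL audit records.

Added example, not code from the bug report, Dovecot or selinux-policy. The
two records in SAMPLE_RECORDS are copied from comment 3; the syscall table and
the explain_event() heuristic are this example's own.
"""
import re
from typing import Dict, List

SAMPLE_RECORDS = [
    'type=AVC msg=audit(1326132038.522:35678): avc:  denied  { write } for  pid=16890 comm="sendmail" path=2F746D702F646F7665636F742E6C64612E65356564396337323234383434633265202864656C6574656429 dev=vda1 ino=413575 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1326132038.522:35678): arch=c000003e syscall=59 success=yes exit=0 a0=8fdb08 a1=8fdb20 a2=946130 a3=10 items=0 ppid=16889 pid=16890 auid=0 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=2428 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)',
]

# arch=c000003e is AUDIT_ARCH_X86_64; only the syscall numbers needed here.
X86_64_SYSCALLS = {1: "write", 2: "open", 59: "execve", 257: "openat"}
# Audit string fields that auditd hex-encodes when they contain a character it
# will not print literally (numeric fields such as ino= are never encoded).
STRING_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle", "key"}

_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){2,}")


def decode_audit_value(raw: str) -> str:
    """Literal value of a string field: a quoted value is verbatim, an
    unquoted run of hex digit pairs is the hex-encoded form."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if _HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit line into key/value pairs; the AVC verdict and the
    permission set are exposed as 'result' and 'perms'."""
    rec: Dict[str, str] = {}
    for regex, keys in ((_MSG_RE, ("time", "serial")), (_AVC_RE, ("result", "perms"))):
        m = regex.search(line)
        if m:
            rec.update(zip(keys, m.groups()))
            line = line[: m.start()] + line[m.end():]
    for key, raw in _KV_RE.findall(line):
        rec[key] = decode_audit_value(raw) if key in STRING_FIELDS else raw.strip('"')
    return rec


def correlate(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Group the AVC and SYSCALL records of one event by their shared serial."""
    events: Dict[str, Dict[str, str]] = {}
    for line in lines:
        rec = parse_record(line)
        ev = events.setdefault(rec.get("serial", "?"), {})
        if rec.get("type") == "AVC":
            ev["result"], ev["perms"], ev["tclass"] = rec["result"], rec["perms"], rec["tclass"]
            ev["source"] = rec["scontext"].split(":")[2]   # domain, e.g. sendmail_t
            ev["target"] = rec["tcontext"].split(":")[2]   # type, e.g. dovecot_deliver_tmp_t
            ev["path"] = rec.get("path", "")
        elif rec.get("type") == "SYSCALL":
            num = int(rec["syscall"])
            is_x86_64 = rec["arch"].lower() == "c000003e"
            ev["syscall"] = X86_64_SYSCALLS.get(num, str(num)) if is_x86_64 else str(num)
            ev["comm"], ev["exe"], ev["success"] = rec["comm"], rec.get("exe", ""), rec["success"]
    return events


def explain_event(ev: Dict[str, str]) -> str:
    """One-line reading of an event. Heuristic: a file 'write' denial raised by
    execve is the kernel re-checking a descriptor the new domain inherited,
    not a write(2) the program issued."""
    text = (f"{ev['source']} {ev['result']} {{ {ev['perms']} }} on {ev['tclass']} "
            f"{ev['path']!r} labelled {ev['target']} during {ev.get('syscall', '?')}")
    if ev.get("syscall") == "execve" and ev.get("tclass") == "file":
        text += " -> a file descriptor inherited across exec (leaked or redirected stdio)"
    return text


if __name__ == "__main__":
    for serial, ev in correlate(SAMPLE_RECORDS).items():
        print(serial, explain_event(ev))
```

Run it and the path comes out as `/tmp/dovecot.lda.e5ed9c7224844c2e (deleted)`, i.e. a temp file that was already unlinked while still open, and the syscall as execve. `ausearch -i` produces the same translation (see the later comment that pastes it); the decoder is useful when all you have is a pasted raw line.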

Comment 4 Daniel Walsh 2012-01-16 16:02:18 UTC
Is anything actually being blocked here? This looks like dovecot is simply redirecting stdout to a file in /tmp?

Comment 5 Daniel Walsh 2012-01-16 16:06:44 UTC
I think we can just dontaudit this. 43c317ec4406302a19c249e025117db98bc647c9

Comment 6 Robert Scheck 2012-01-16 17:22:16 UTC
NO! Do not dontaudit this!

This AVC denied is the "quota reached" bounce. This must be allowed. Or you
make it a SELinux boolean. But never dontaudit it!

Comment 7 Daniel Walsh 2012-01-16 17:38:49 UTC
Ok so sendmail is actually going to write data to a file owned by dovecot?

Comment 8 Robert Scheck 2012-01-16 19:37:37 UTC
After comment #7, I re-checked our setup and yes, the "quota reached" bounces
work even if this is dontaudit rather than allow. And I can't see any difference in
the resulting e-mails and logs.

So no, I don't have any idea why /usr/sbin/sendmail.postfix wants to write to
that file. I'm even now questioning if it should really be allowed to write...

Maybe the Dovecot guys can clarify that; I've set "quota_full_tempfail = no"
in /etc/dovecot/conf.d/15-lda.conf and tried to deliver a mail via dovecot-lda
to a box which reached quota (requires some additional configuration).

Comment 9 Daniel Walsh 2012-01-16 19:54:47 UTC
I am guessing that it is either a leaked file descriptor or stdout is being set to this file and then sendmail is being executed.  Since this access check is being called when sendmail is being executed it is definitely one or the other.

type=SYSCALL msg=audit(01/09/2012 13:00:38.522:35678) : arch=x86_64 syscall=execve success=yes exit=0 a0=8fdb08 a1=8fdb20 a2=946130 a3=10 items=0 ppid=16889 pid=16890 auid=root uid=unknown(500) gid=users euid=unknown(500) suid=unknown(500) fsuid=unknown(500) egid=users sgid=users fsgid=users tty=(none) ses=2428 comm=sendmail exe=/usr/sbin/sendmail.postfix subj=unconfined_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(01/09/2012 13:00:38.522:35678) : avc:  denied  { write } for  pid=16890 comm=sendmail path=/tmp/dovecot.lda.e5ed9c7224844c2e (deleted) dev=vda1 ino=413575 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file 

This is what the translated AVC looks like.  syscall=exec, and the file is /tmp/dovecot.lda...
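
The two mechanisms named in this comment (a leaked descriptor, or stdout pointed at the file before exec) can be told apart by what the child inherits. The script below is an added example, not Dovecot's or the bug report's code: a parent creates and unlinks a temp file (which is what the " (deleted)" in the AVC path means), then runs a small stand-in for sendmail that reports whether it can reach that file. The names open_unlinked_tmp, child_sees_fd and leaked_fd_demo are this example's own, and the child is a Python one-liner, not the real MTA.

```python
"""Does an open temp file survive into an exec'ed helper? Three cases.

Added example; not code from Dovecot, Postfix or the bug report. The child
process is a stand-in for /usr/sbin/sendmail: it exits 0 if the descriptor it
is told to check refers to the parent's temp file, 1 otherwise.
"""
import os
import subprocess
import sys
import tempfile
from typing import Dict

CHILD = (
    "import os, sys\n"
    "fd, dev, ino = (int(a) for a in sys.argv[1:4])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"                       # descriptor not open in the child
    "sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)\n"
)


def open_unlinked_tmp(inheritable: bool) -> int:
    """Create and immediately unlink a temp file (the pattern behind a
    'path=... (deleted)' AVC) and set or clear FD_CLOEXEC on it."""
    fd, path = tempfile.mkstemp(prefix="dovecot.lda.")   # constructed name prefix
    os.unlink(path)
    os.set_inheritable(fd, inheritable)   # inheritable=True means no FD_CLOEXEC
    return fd


def child_sees_fd(fd: int, as_stdout: bool = False) -> bool:
    """Exec the stand-in helper and report whether it can reach the file behind
    fd, either under the same descriptor number or as its stdout."""
    st = os.fstat(fd)
    check = 1 if as_stdout else fd
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, str(check), str(st.st_dev), str(st.st_ino)],
        close_fds=False,                  # plain fork+execve: FD_CLOEXEC decides
        stdout=fd if as_stdout else None,  # dup2(fd, 1) in the child when set
    )
    return proc.returncode == 0


def leaked_fd_demo() -> Dict[str, bool]:
    """Leaked descriptor, close-on-exec descriptor, and stdout redirection."""
    results: Dict[str, bool] = {}
    fd = open_unlinked_tmp(inheritable=True)
    results["inheritable"] = child_sees_fd(fd)            # leaks into the helper
    os.close(fd)
    fd = open_unlinked_tmp(inheritable=False)
    results["cloexec"] = child_sees_fd(fd)                # closed at execve
    # Redirecting stdout dup2()s onto fd 1, which clears close-on-exec, so the
    # helper still holds the file even though the original fd was FD_CLOEXEC.
    results["cloexec_as_stdout"] = child_sees_fd(fd, as_stdout=True)
    os.close(fd)
    return results


if __name__ == "__main__":
    for case, seen in leaked_fd_demo().items():
        print(f"{case}: child can reach the temp file = {seen}")
```

In a real program the fix for the first case is O_CLOEXEC (or FD_CLOEXEC via fcntl) on every descriptor that is not meant for the child; the third case is a design decision, and if the helper's stdout is meant to land in that file the policy has to allow the write. SELinux checks every inherited descriptor at execve and closes those the new domain may not use, substituting /dev/null for stdin/stdout/stderr, so the exec itself still succeeds; that is consistent with `success=yes` in the SYSCALL records and with the bounce still working under dontaudit.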

Comment 10 Miroslav Grepl 2012-01-25 16:57:28 UTC
Fixed in selinux-policy-3.7.19-135.el6

Comment 14 Michal Trunecka 2012-03-22 13:01:52 UTC
The bug should be fixed now, but we aren't able to reproduce the bug even with older selinux-policy. Robert, could you please install the current selinux-policy and confirm the bug is really fixed? (the newest version is 3.7.19-143 and can be downloaded from here: http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ )

Comment 15 Robert Scheck 2012-04-04 09:58:15 UTC
Yes, seems to work as expected (you need to configure dovecot accordingly for 
bounce behaviour if quota is reached - and dovecot-lda) for us. Thank you.

Comment 18 errata-xmlrpc 2012-06-20 12:30:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

Comment 19 Robert Scheck 2013-02-11 15:39:48 UTC
Not fixed as per selinux-policy-targeted-3.7.19-155.el6_3.14.noarch:

type=AVC msg=audit(1360596937.025:30494): avc:  denied  { write } for  pid=17618 comm="sendmail" path=2F746D702F646F7665636F742E6C64612E34303435633738396665633966643963202864656C6574656429 dev=vda1 ino=402356 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:dovecot_deliver_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1360596937.025:30494): arch=c000003e syscall=59 success=yes exit=0 a0=193bed8 a1=193bef0 a2=1977e80 a3=7fffa9d42480 items=0 ppid=17616 pid=17618 auid=4294967295 uid=1664 gid=100 euid=1664 suid=1664 fsuid=1664 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:sendmail_t:s0 key=(null)

Comment 20 Robert Scheck 2013-02-12 15:42:24 UTC
[root@tux ~]# doveconf -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.22.1.el6.x86_64 x86_64 Red Hat Enterprise Linux Server release 6.3 (Santiago) ext4
auth_mechanisms = plain login
auth_verbose = yes
auth_worker_max_count = 100
disable_plaintext_auth = no
hostname = mail.example.net
listen = 192.0.2.222
mail_location = mdbox:/home/%u
mail_plugins = " quota"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
mdbox_rotate_interval = 1 weeks
mdbox_rotate_size = 10 M
passdb {
  driver = pam
}
plugin {
  quota = dict:user::file:/home/%u/dovecot-quota
  quota_rule = *:storage=500M
  quota_rule2 = Trash:storage=+50M
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_max_script_size = 1M
}
postmaster_address = postmaster
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    group = root
    mode = 0666
    user = root
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieve_deprecated {
    port = 2000
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/pki/tls/certs/*.example.net_cert.pem.dovecot
ssl_key = </etc/pki/tls/private/*.example.net_key.pem
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocol lda {
  mail_plugins = " quota quota sieve"
}
protocol imap {
  imap_client_workarounds = delay-newmail
  imap_logout_format = bytes=%i/%o
  mail_max_userip_connections = 10
  mail_plugins = " quota imap_quota"
}
protocol sieve {
  managesieve_logout_format = bytes=%i/%o
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
  pop3_logout_format = bytes=%i/%o, del=%d/%m, size=%s
}
[root@tux ~]#

Comment 21 Daniel Walsh 2013-02-12 17:40:58 UTC
This looks like it is still broken.

Comment 30 errata-xmlrpc 2013-11-21 10:09:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html