Bug 796711

Summary: selinux denial for mailx when used in cron (& screen)
Product: Red Hat Enterprise Linux 6 Reporter: Richard Marko <rmarko>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: dominick.grift, dwalsh, ebenes, jberan, ksrot, mgrepl, mmalik, mtruneck, rmarko
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-138.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 796710 Environment:
Last Closed: 2012-06-20 12:31:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 796710    
Bug Blocks:    
Attachments:
Description Flags
ausearch output none

Description Richard Marko 2012-02-23 14:33:23 UTC 
Created attachment 565313 [details]
ausearch output

+++ This bug was initially created as a clone of Bug #796710 +++

This happens during our automated test suite run initiated via cron.

Command is 'mailx -H -u root'

Output of 'ausearch -m avc -ts recent' attached.
Comment 3 Karel Srot 2012-03-08 08:33:44 UTC 
Hi Richard, 
what is the purpose of that command? Are you redirecting the output to a file? Probably not, right?

If I understand it properly, just the execution of mentioned command via cron is producing AVC, is that correct?
Comment 4 Richard Marko 2012-03-08 12:52:27 UTC 
(In reply to comment #3)
> Hi Richard, 
> what is the purpose of that command? Are you redirecting the output to a file?
> Probably not, right?

The output is redirected to tail -n1 > mail.out

> 
> If I understand it properly, just the execution of mentioned command via cron
> is producing AVC, is that correct?

Yes, that's correct. In case of screen, avc is produced. In case of cron, it's most probably caught by a noaudit rule.
Comment 7 Michal Trunecka 2012-03-22 12:59:38 UTC 
The bug should be fixed now, but we aren't able to reproduce the bug even with older selinux-policy. Richard, could you please install newer selinux-policy and confirm the bug is really fixed. (the newest version is 3.7.19-143 and can be downloaded from here: http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ )
Comment 9 errata-xmlrpc 2012-06-20 12:31:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html