Bug 798226

Summary: AVC when reporting via `reporter-mailx'
Product: Red Hat Enterprise Linux 6
Reporter: Michal Nowak <mnowak>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.3
CC: dwalsh, mmalik, ohudlick
Target Milestone: rc
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-03-07 11:28:30 UTC

Description Michal Nowak 2012-02-28 11:37:42 UTC
Description of problem:

type=ANOM_ABEND msg=audit(1330428319.006:52715): auid=0 uid=0 gid=0 ses=133 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=13969 comm="sleep" sig=11

type=AVC msg=audit(1330428324.466:52716): avc:  denied  { rlimitinh } for  pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process

type=AVC msg=audit(1330428324.466:52716): avc:  denied  { siginh } for  pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process

type=AVC msg=audit(1330428324.466:52716): avc:  denied  { noatsecure } for  pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process

type=SYSCALL msg=audit(1330428324.466:52716): arch=c000003e syscall=59 success=yes exit=0 a0=7fe486ab0dc0 a1=7fff7bfb3470 a2=7fe484b5b200 a3=7fff7bfb30e0 items=0 ppid=14032 pid=14036 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)


I think it's because of:

  reporter-mailx -v -d $crash_PATH -c mailx.conf

# cat mailx.conf
EmailFrom = abrt@localhost
EmailTo = root@localhost
Subject = [abrt] crash

Version-Release number of selected component (if applicable):

libreport-2.0.9-1.el6.x86_64
abrt-2.0.8-1.el6.x86_64
selinux-policy-3.7.19-137.el6.noarch

How reproducible:

always

Comment 2 Miroslav Grepl 2012-02-28 13:25:08 UTC
Could you test it in permissive mode with dontaudit rules disabled?

Comment 3 Milos Malik 2012-02-28 13:36:13 UTC
Those AVCs appeared on a machine with disabled dontaudit rules, didn't they?

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# rpm -qa selinux-policy\*
selinux-policy-3.7.19-137.el6.noarch
selinux-policy-targeted-3.7.19-137.el6.noarch
selinux-policy-minimum-3.7.19-137.el6.noarch
selinux-policy-mls-3.7.19-137.el6.noarch
selinux-policy-doc-3.7.19-137.el6.noarch
# sesearch -s sendmail_t -t procmail_t -c process --all
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 2 semantic av rules:
   allow sendmail_t procmail_t : process { transition sigchld } ; 
   dontaudit sendmail_t procmail_t : process { noatsecure siginh rlimitinh } ; 

#

Comment 4 Michal Nowak 2012-02-28 13:58:20 UTC
(In reply to comment #2)
> Could you test it in permissive module with disabled dontaudit rules?

Yes, if you tell me how to disable dontaudit rules in permissive mode.

(In reply to comment #3)
> Those AVCs appeared on a machine with disabled dontaudit rules, didn't they ?

Don't remember changing anything on that Beaker box.

Comment 5 Milos Malik 2012-02-28 14:04:44 UTC
The following command enables dontaudit rules again.

# semodule -B

I believe that the AVCs shown in comment #0 will not appear again.

Comment 6 Michal Nowak 2012-02-28 15:28:58 UTC
After `setenforce 0; semodule -B` it's gone. Unfortunately I can't reproduce it after a restart and `setenforce 1`; however, I am not certain we care at all.

Comment 7 Daniel Walsh 2012-02-28 16:40:11 UTC
Those AVCs are dontaudited.

Comment 8 Miroslav Grepl 2012-02-28 17:05:20 UTC
OK, let's clean it up.

I thought this was not working and you needed to turn off dontaudit rules.

Comment 9 Michal Nowak 2012-02-29 15:23:52 UTC
I was wrong. After:

# setenforce 0
# semodule -B

I got:

type=AVC msg=audit(1330528571.018:51700): avc:  denied  { rlimitinh } for  pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1330528571.018:51700): avc:  denied  { siginh } for  pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1330528571.018:51700): avc:  denied  { noatsecure } for  pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process

Is that expected?

After:

# setenforce 1
# semodule -B

It was clean.

Comment 10 Miroslav Grepl 2012-03-07 11:28:30 UTC
I believe you see these AVC messages with semodule -DB. If I am wrong, please reopen the bug.
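The triage in comments 3, 9 and 10 boils down to one question: are the denied permissions ones the loaded policy already dontaudits, in which case their presence in the audit log means dontaudit rules were switched off (semodule -DB) rather than the policy being wrong? The script below is an added example, not code from this bug or from the selinux-policy package. It parses the AVC lines quoted in this bug (embedded as a constructed sample), groups them by source type, target type and object class, prints the sesearch query that comment 3 ran to confirm the dontaudit rule, and flags groups consisting only of the noatsecure/siginh/rlimitinh triple that the policy dontaudits on a domain transition (the rule shown in comment 3). Function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in comments 0 and 9 of this bug,
# plus the ANOM_ABEND record, which the parser must ignore.
SAMPLE_AUDIT = """\
type=ANOM_ABEND msg=audit(1330428319.006:52715): auid=0 uid=0 gid=0 ses=133 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=13969 comm="sleep" sig=11
type=AVC msg=audit(1330428324.466:52716): avc:  denied  { rlimitinh } for  pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330428324.466:52716): avc:  denied  { siginh } for  pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330428324.466:52716): avc:  denied  { noatsecure } for  pid=14036 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1330528571.018:51700): avc:  denied  { rlimitinh } for  pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1330528571.018:51700): avc:  denied  { siginh } for  pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1330528571.018:51700): avc:  denied  { noatsecure } for  pid=27020 comm="load_policy" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tclass=process
"""

# Shape of an AVC record as written by auditd: the permission set in braces,
# then the remaining key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<action>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The three permissions the policy dontaudits on an exec-based domain
# transition (see the sesearch output in comment 3).
TRANSITION_DONTAUDIT = {'noatsecure', 'siginh', 'rlimitinh'}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for other record types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('fields')))
    return {
        'serial': int(m.group('serial')),
        'action': m.group('action'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '').strip('"'),
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def group_denials(audit_text):
    """Merge denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['action'] == 'denied':
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def sesearch_command(stype, ttype, tclass):
    """The query comment 3 used to show the allow and dontaudit rules."""
    return f"sesearch -s {stype} -t {ttype} -c {tclass} --all"


def looks_like_dontaudit_disabled(perms):
    """True when every denied perm is one the policy dontaudits on transition.

    Seeing exactly these in the log is the signature of `semodule -DB`
    (comment 10); `semodule -B` re-enables the dontaudit rules (comment 5).
    """
    return bool(perms) and set(perms) <= TRANSITION_DONTAUDIT


if __name__ == '__main__':
    for (stype, ttype, tclass), perms in group_denials(SAMPLE_AUDIT).items():
        verdict = 'dontaudit rules probably disabled' if looks_like_dontaudit_disabled(perms) else 'check policy'
        print(f"{stype} -> {ttype} ({tclass}): {' '.join(perms)}  [{verdict}]")
        print(f"  confirm with: {sesearch_command(stype, ttype, tclass)}")
```

Run it against a real log with `ausearch -m AVC -ts recent` piped into `group_denials` instead of the constructed sample; a group whose verdict is "check policy" is a genuine denial worth a bug, while the transition triple alone points at the dontaudit state of the box, which `semodule -B` resets.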