DescriptionNicolas Mailhot
2013-03-10 07:44:52 UTC
Postfix hits the same AVC as sendmail, but abrtd insists in filling it against sendmail not postfix
+++ This bug was initially created as a clone of Bug #673384 +++
SELinux is preventing /usr/sbin/sendmail.sendmail from 'read' accesses on the directory /home/dummy.
***** Plugin catchall (50.5 confidence) suggests ***************************
If you believe that sendmail.sendmail should be allowed read access on the dummy directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep newaliases /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
***** Plugin leaks (50.5 confidence) suggests ******************************
If you want to ignore sendmail.sendmail trying to read access the dummy directory, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects /home/dummy [ dir ]
Source newaliases
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host (removed)
Source RPM Packages sendmail-8.14.4-19.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.13-4.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 2.6.38-0.rc2.git0.1.fc15.i686.PAE
#1 SMP Sat Jan 22 19:11:02 UTC 2011 i686 i686
Alert Count 1
First Seen Thu 27 Jan 2011 04:03:40 PM MST
Last Seen Thu 27 Jan 2011 04:03:40 PM MST
Local ID f43bca5c-a6d5-4335-abf4-cce61893c56b
Raw Audit Messages
type=AVC msg=audit(1296169420.833:86): avc: denied { read } for pid=2818 comm="newaliases" path="/home/dummy" dev=dm-0 ino=125684 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1296169420.833:86): avc: denied { read } for pid=2818 comm="newaliases" path="/home/dummy" dev=dm-0 ino=125684 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1296169420.833:86): arch=i386 syscall=execve success=yes exit=0 a0=942cd68 a1=942ce00 a2=942b8a8 a3=942ce00 items=0 ppid=2817 pid=2818 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=pts0 ses=1 comm=newaliases exe=/usr/sbin/sendmail.sendmail subj=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
Hash: newaliases,system_mail_t,user_home_dir_t,dir,read
audit2allow
#============= system_mail_t ==============
allow system_mail_t user_home_dir_t:dir read;
audit2allow -R
#============= system_mail_t ==============
allow system_mail_t user_home_dir_t:dir read;
--- Additional comment from Miroslav Grepl on 2011-01-31 04:25:28 EST ---
Looks like something what we want to dontaudit.
How did you get this?
--- Additional comment from Eric Blake on 2011-01-31 12:52:27 EST ---
(In reply to comment #1)
> Looks like something what we want to dontaudit.
>
> How did you get this?
I first noticed it after incrementally upgrading to the latest rawhide; although I'm not sure if I could reliably reproduce it. If it helps, I now have:
sendmail-8.14.4-19.fc15.i686
installed on 2011-01-15; the previous version was 8.14.4-17.fc15.i686.
--- Additional comment from Daniel Walsh on 2011-02-01 17:15:42 EST ---
Any reason sendmail would be listing the contents of /home/dummy?
--- Additional comment from Martin Holec on 2012-10-25 10:27:12 EDT ---
Reproducible on F18 with:
selinux-policy-3.11.1-43.fc18.noarch
sendmail-8.14.5-15.fc18.x86_64
(In reply to comment #3)
> Any reason sendmail would be listing the contents of /home/dummy?
Same question, moving to sendmail developers.
--- Additional comment from Jaroslav Škarvada on 2012-10-25 10:45:57 EDT ---
Hmm, strange. I cannot reproduce, nor find it in the code. Wouldn't be possible, there is such include in your aliases?
--- Additional comment from Eric Blake on 2012-10-25 19:04:34 EDT ---
I have not reproduced this issue in ages - perhaps Martin can give more details since he has a more recent experience with the message.
--- Additional comment from Nicolas Mailhot on 2012-12-03 13:00:57 EST ---
Is it a bug or a policy problem?
Package: (null)
Architecture: x86_64
OS Release: Fedora release 19 (Rawhide)
--- Additional comment from Jaroslav Škarvada on 2012-12-03 13:09:41 EST ---
(In reply to comment #7)
> Is it a bug or a policy problem?
>
> Package: (null)
> Architecture: x86_64
> OS Release: Fedora release 19 (Rawhide)
Do you have reproducer?
Otherwise I am going to close this. It maybe caused by custom aliases.
--- Additional comment from Nicolas Mailhot on 2012-12-03 14:53:16 EST ---
drat, I don't know why sealert decided to duplicate this, my avc is
type=SYSCALL msg=audit(1354556349.393:17052): arch=c000003e syscall=59 success=yes exit=0 a0=9f9a90 a1=9f8f00 a2=9f7e50 a3=0 items=0 ppid=9247 pid=9248 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm="newaliases" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1354556349.393:17052): avc: denied { read } for pid=9248 comm="newaliases" path="/home/nim" dev="dm-1" ino=12 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1354556349.393:17052): avc: denied { read } for pid=9248 comm="newaliases" path="/home/nim" dev="dm-1" ino=12 scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
so obviously a postfix not sendmail avc
--- Additional comment from Nicolas Mailhot on 2012-12-03 14:55:38 EST ---
(occurred just after a yum update, but the only mail-related thing in the yum transaction was a dovecot upgrade)
--- Additional comment from Jaroslav Škarvada on 2012-12-03 16:14:38 EST ---
Could you provide output of:
# postconf alias_database
And content of the file from its output? (e.g. /etc/aliases)
Are you able to reproduce by running:
# newaliases
?
--- Additional comment from Jaroslav Škarvada on 2012-12-04 11:12:35 EST ---
I retried on my systems but I wasn't able to reproduce.
--- Additional comment from Daniel Walsh on 2012-12-06 16:08:39 EST ---
ime->Thu Dec 6 06:29:29 2012
type=PATH msg=audit(1354793369.935:5376): item=1 name=(null) inode=1843751 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1354793369.935:5376): item=0 name="/usr/bin/newaliases" inode=1851334 dev=fd:00 mode=0102755 ouid=0 ogid=51 rdev=00:00 obj=system_u:object_r:sendmail_exec_t:s0
type=CWD msg=audit(1354793369.935:5376): cwd="/"
type=EXECVE msg=audit(1354793369.935:5376): argc=1 a0="/usr/bin/newaliases"
type=SYSCALL msg=audit(1354793369.935:5376): arch=c000003e syscall=59 success=yes exit=0 a0=2698590 a1=2697ae0 a2=2697050 a3=7fff83572040 items=2 ppid=4272 pid=4273 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 ses=3 tty=pts0 comm="newaliases" exe="/usr/sbin/sendmail.sendmail" subj=staff_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1354793369.935:5376): avc: denied { read } for pid=4273 comm="newaliases" path="/home/dwalsh" dev="dm-2" ino=131073 scontext=staff_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_dir_t:s0 tclass=dir
I got this on my F18 box.
--- Additional comment from Daniel Walsh on 2012-12-06 16:15:27 EST ---
Both of these are leaks. Where a process has a open read descriptor on the homedir.
--- Additional comment from Daniel Walsh on 2012-12-06 16:17:26 EST ---
Fixed in selinux-policy-3.11.1-61.fc18.noarch
Added dontaudit.
--- Additional comment from Jaroslav Škarvada on 2012-12-06 16:39:13 EST ---
(In reply to comment #14)
> Both of these are leaks. Where a process has a open read descriptor on the
> homedir.
Thanks for the info and workaround in the policy. I will dig into this in my spare time. Is there any reproducer? Just running newaliases? I wasn't able to reproduce.
--- Additional comment from Daniel Walsh on 2012-12-06 17:09:17 EST ---
No I believe this is caused by newalias being run either by the system or as part of a yum transaction.
--- Additional comment from Martin Holec on 2013-01-24 10:01:36 EST ---
Upgrade from clean installed F18 to F19 Rawhide.
Package: (null)
Architecture: x86_64
OS Release: Fedora release 19 (Rawhide)
--- Additional comment from Dan Mashal on 2013-03-07 23:24:18 EST ---
Description of problem:
yum update on rawhide
Additional info:
hashmarkername: setroubleshoot
kernel: 3.9.0-0.rc0.git14.1.fc19.x86_64
type: libreport
--- Additional comment from Dan Mashal on 2013-03-07 23:27:02 EST ---
This is where this happens:
Updating : setup-2.8.66-1.fc19.noarch 57/422
warning: /etc/shadow created as /etc/shadow.rpmnew
I see there is a new selinux policy. I will try again with it.
Comment 1Fedora End Of Life
2013-04-03 18:16:44 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 2Jaroslav Škarvada
2013-05-24 12:28:55 UTC
*** This bug has been marked as a duplicate of bug 919801 ***