Bug 1045375 - SELinux is preventing /usr/bin/mailx from 'append' accesses on the file /var/lib/rkhunter/rkhcronlog.Vh1zTNeQ2T.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7a37c5c13023bcae7095d0a902d...
Depends On:
Blocks:
Reported: 2013-12-20 09:50 UTC by Michal Nowak
Modified: 2014-01-16 22:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-16 22:33:01 UTC
Type: ---



Description Michal Nowak 2013-12-20 09:50:52 UTC
Description of problem:
SELinux is preventing /usr/bin/mailx from 'append' accesses on the file /var/lib/rkhunter/rkhcronlog.Vh1zTNeQ2T.

*****  Plugin restorecon (93.9 confidence) suggests   ************************

If you want to fix the label. 
/var/lib/rkhunter/rkhcronlog.Vh1zTNeQ2T default label should be var_lib_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lib/rkhunter/rkhcronlog.Vh1zTNeQ2T

*****  Plugin leaks (6.10 confidence) suggests   *****************************

If you want to ignore mailx trying to append access the rkhcronlog.Vh1zTNeQ2T file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/mailx /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (1.43 confidence) suggests   **************************

If you believe that mailx should be allowed append access on the rkhcronlog.Vh1zTNeQ2T file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_var_lib_t:s0
Target Objects                /var/lib/rkhunter/rkhcronlog.Vh1zTNeQ2T [ file ]
Source                        mail
Source Path                   /usr/bin/mailx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mailx-12.5-10.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.10-301.fc20.x86_64 #1 SMP Thu
                              Dec 5 14:01:17 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-20 10:36:56 CET
Last Seen                     2013-12-20 10:36:56 CET
Local ID                      ac2b44dd-32cd-47e2-8d45-5bcd4aff56ea

Raw Audit Messages
type=AVC msg=audit(1387532216.307:163): avc:  denied  { append } for  pid=16342 comm="mail" path="/var/lib/rkhunter/rkhcronlog.Vh1zTNeQ2T" dev="dm-2" ino=2621723 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1387532216.307:163): arch=x86_64 syscall=execve success=yes exit=0 a0=27cec00 a1=27572b0 a2=2423a60 a3=8 items=0 ppid=1067 pid=16342 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: mail,system_mail_t,cron_var_lib_t,file,append

Additional info:
reporter:       libreport-2.1.10
hashmarkername: setroubleshoot
kernel:         3.11.10-301.fc20.x86_64
type:           libreport

Potential duplicate: bug 659651
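As an added illustration (not part of this report and not setroubleshoot's own code): a small parser for raw AVC records like the one pasted above. It reduces each denied permission to the same comm,source-type,target-type,class,permission tuple that the report's "Hash:" line shows, and counts how often each tuple occurs, so repeated denials of the same shape can be grouped during triage. The first AVC record in the sample is the one from this report; the SYSCALL line is abbreviated and the second AVC record is constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit log. Record 1 is the AVC from this bug report,
# record 2 is an abbreviated SYSCALL line (not an AVC, so it must be skipped),
# record 3 is a made-up AVC with two permissions in one denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1387532216.307:163): avc:  denied  { append } for  pid=16342 comm="mail" path="/var/lib/rkhunter/rkhcronlog.Vh1zTNeQ2T" dev="dm-2" ino=2621723 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1387532216.307:163): arch=x86_64 syscall=execve success=yes exit=0 pid=16342 comm=mail exe=/usr/bin/mailx
type=AVC msg=audit(1387532300.000:170): avc:  denied  { read open } for  pid=16400 comm="example" path="/var/lib/example/state" dev="dm-2" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Head of an AVC record: timestamp, serial, result and the brace-delimited permission list.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm, path, dev) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),   # one denial may list several permissions
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """Extract the type from an SELinux context user:role:type[:range]."""
    return ctx.split(':')[2]


def fingerprint(avc, perm):
    """comm,source_type,target_type,class,permission, mirroring the report's Hash line."""
    return ','.join([
        avc['comm'],
        context_type(avc['scontext']),
        context_type(avc['tcontext']),
        avc['tclass'],
        perm,
    ])


def fingerprints(log_text):
    """One fingerprint per denied permission, in log order; non-AVC records are skipped."""
    out = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        for perm in avc['perms']:
            out.append(fingerprint(avc, perm))
    return out


def count_denials(log_text):
    """Group denials by fingerprint so repeated occurrences of one shape are counted once per shape."""
    return Counter(fingerprints(log_text))


if __name__ == '__main__':
    for fp, n in count_denials(SAMPLE_AUDIT_LOG).items():
        print(f'{n:4d}  {fp}')
```

Fed the log above, the first fingerprint produced is exactly the tuple from the report, `mail,system_mail_t,cron_var_lib_t,file,append`; the type pair in it (a mail domain writing to a file labelled for cron) is what comment 1 proposes to resolve with a dedicated rkhunter label.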

Comment 1 Daniel Walsh 2014-01-02 23:04:58 UTC
We need to add a label for rkhunter and then allow all domains to append to it, and allow cron to create it.

rkhunter_var_lib_t.

Comment 2 Miroslav Grepl 2014-01-06 12:49:57 UTC
AFAIK there was a fix in rkhunter pkg.

Comment 3 Kevin Fenzi 2014-01-06 19:30:19 UTC
The "fix" is to NOT use the MAIL-ON-WARNING option. 

Orig reporter: are you using that setting? If it's not set does it work as expected?

ie,

MAIL-ON-WARNING=""

Comment 4 Michal Nowak 2014-01-06 20:26:37 UTC
(In reply to Kevin Fenzi from comment #3)
> The "fix" is to NOT use the MAIL-ON-WARNING option. 

However /etc/rkhunter.conf says: "# NOTE: This option [i.e. MAIL-ON-WARNING] should be present in the configuration file."

> Orig reporter: are you using that setting? If it's not set does it work as
> expected?

I did at the time of the AVC. However, I have stopped since then and it "works" as expected, though I am not alarmed when rkhunter finds something.

Comment 5 Kevin Fenzi 2014-01-06 21:30:59 UTC
(In reply to Michal Nowak from comment #4)
> (In reply to Kevin Fenzi from comment #3)
> > The "fix" is to NOT use the MAIL-ON-WARNING option. 
> 
> However /etc/rkhunter.conf says: "# NOTE: This option [i.e. MAIL-ON-WARNING]
> should be present in the configuration file."

Yeah, that's why I said:

MAIL-ON-WARNING=""

> 
> > Orig reporter: are you using that setting? If it's not set does it work as
> > expected?
> 
> I did at the time of the AVC. However, I have stopped since then and it "works"
> as expected, though I am not alarmed when rkhunter finds something.

Hopefully upstream will drop this option entirely in the next version... ;(

Comment 6 Michal Nowak 2014-01-16 21:53:08 UTC
(In reply to Kevin Fenzi from comment #5)
> Yeah, that's why I said:
> 
> MAIL-ON-WARNING=""

That seems to work for me, thanks.

Comment 7 Kevin Fenzi 2014-01-16 22:33:01 UTC
I'll try again to get upstream to drop this option entirely. 

It's already defaulted to "" in our config.

