Description of problem:
SELinux is preventing /usr/bin/mailx from append access on the file /var/lib/rkhunter/rkhcronlog.ixxU0mXKwy.

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_var_lib_t:s0
Target Objects                /var/lib/rkhunter/rkhcronlog.ixxU0mXKwy [ file ]
Source                        mail
Source Path                   /usr/bin/mailx
Port                          <Unknown>
Host                          zappa.gregorie.lan
Source RPM Packages           mailx-12.5-10.fc20.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-119.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zappa.gregorie.lan
Platform                      Linux zappa.gregorie.lan 3.12.8-300.fc20.i686+PAE #1 SMP Thu Jan 16 01:19:09 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-01-26 03:38:25 GMT
Last Seen                     2014-01-26 03:38:25 GMT
Local ID                      b459c160-6180-4989-9474-924e91345421

Raw Audit Messages
type=AVC msg=audit(1390707505.956:527): avc: denied { append } for pid=10369 comm="mail" path="/var/lib/rkhunter/rkhcronlog.ixxU0mXKwy" dev="sda3" ino=805345 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1390707505.956:527): arch=i386 syscall=execve success=yes exit=0 a0=8672728 a1=8679980 a2=845aa08 a3=8679980 items=0 ppid=1796 pid=10369 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=13 tty=(none) comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: mail,system_mail_t,cron_var_lib_t,file,append

How reproducible:
Happens when rkhunter is run by the standard daily cron job and mailx is attempting to mail the report to root.

Steps to Reproduce:
1. Install rkhunter
2. run 'rkhunter -propupdt'
3. wait for the overnight cron job to run.

Actual results:
Got the SElinux exception and report shown above

Expected results:
The rkhunter report should have been mailed to root.
Additional info:
I'm reporting this problem as requested and have applied the suggested mitigation:

grep mail /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

I am using rkhunter 1.4.0
commit cdb98b9accbe3226f32fa103fcad4507c23399e5
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 27 11:20:55 2014 +0100

    Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package

commit bbe928accc281e2d81afcf018d830532dd93d526
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 27 11:22:14 2014 +0100

    Allow domains to append rkhunterl lib files. #1057982
This problem has just recurred, this time for sendmail.postfix and of course for a different file name, /var/lib/rkhunter/rkhcronlog.1x1rLcFyVq, since these names are obviously being autogenerated to be unique.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_var_lib_t:s0
Target Objects                /var/lib/rkhunter/rkhcronlog.1x1rLcFyVq [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.postfix
Port                          <Unknown>
Host                          zappa.gregorie.lan
Source RPM Packages           postfix-2.10.2-3.fc20.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-119.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     zappa.gregorie.lan
Platform                      Linux zappa.gregorie.lan 3.12.8-300.fc20.i686+PAE #1 SMP Thu Jan 16 01:19:09 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-01-27 12:15:57 GMT
Last Seen                     2014-01-27 12:15:57 GMT
Local ID                      605cc95c-1d07-42eb-8b3b-8b5e84ba03a1

Raw Audit Messages
type=AVC msg=audit(1390824957.803:540): avc: denied { getattr } for pid=14986 comm="sendmail" path="/var/lib/rkhunter/rkhcronlog.1x1rLcFyVq" dev="sda3" ino=791209 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1390824957.803:540): arch=i386 syscall=fstat64 success=no exit=EACCES a0=1 a1=bfbb258c a2=b6e6a000 a3=bfbb258c items=0 ppid=1 pid=14986 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=8 tty=(none) comm=sendmail exe=/usr/sbin/sendmail.postfix subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: sendmail,system_mail_t,cron_var_lib_t,file,getattr

Once again I've implemented the suggested workaround:

# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

which has apparently worked, but I have some questions:

1) Did it work correctly, i.e. has it been added to the previous version of mypol.pp or did it merely overwrite it?
2) If it overwrote the previous version of mypol.pp, which looks likely, how can I create and install a combined policy module?
3) As this problem is caused by accessing a temporary file with a unique name, should the generated policy module be globbed and if so, how can this be done?

I'd appreciate a pointer to any documents that cover the writing of policy modules.
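The two denials above differ only in the permission requested (append, then getattr); the source type (system_mail_t), target type (cron_var_lib_t) and object class (file) are identical, and the random rkhcronlog suffix never enters the picture because SELinux allow rules are written against types, not file names. The following parser is an added example, not code from this bug report, setroubleshoot or audit2allow: it reads raw AVC records, derives the same "Hash:" key setroubleshoot prints, and groups denials the way audit2allow does, so that feeding both sets of records to one audit2allow run yields a single rule covering both permissions. The sample log is constructed from the two records quoted in this report plus one invented denial against etc_t (path /etc/hypothetical.conf) to make the grouping visible; the rule rendering mimics audit2allow's output format.

```python
"""Parse raw SELinux AVC denial records and derive the allow rules audit2allow would emit."""
import re
from collections import defaultdict

# Constructed sample input: the mailx 'append' and sendmail 'getattr' denials quoted
# in this bug, plus one invented 'read' denial against etc_t (not from the report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1390707505.956:527): avc: denied { append } for pid=10369 comm="mail" path="/var/lib/rkhunter/rkhcronlog.ixxU0mXKwy" dev="sda3" ino=805345 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1390707505.956:527): arch=i386 syscall=execve success=yes exit=0 comm=mail exe=/usr/bin/mailx
type=AVC msg=audit(1390824957.803:540): avc: denied { getattr } for pid=14986 comm="sendmail" path="/var/lib/rkhunter/rkhcronlog.1x1rLcFyVq" dev="sda3" ino=791209 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1390824957.803:541): avc: denied { read } for pid=14986 comm="sendmail" path="/etc/hypothetical.conf" dev="sda3" ino=1 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Only AVC records carry the denial; SYSCALL records are skipped by this pattern.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'path="(?P<path>[^"]*)"')


def context_type(ctx):
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Extract one dict per AVC denial record found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        pm = PATH_RE.search(line)
        denials.append({
            "perms": frozenset(m.group("perms").split()),
            "comm": m.group("comm"),
            "path": pm.group("path") if pm else None,
            "source_type": context_type(m.group("scontext")),
            "target_type": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def hash_key(denial):
    """Rebuild the 'Hash:' key setroubleshoot prints (one permission per record)."""
    perms = ",".join(sorted(denial["perms"]))
    return ",".join([denial["comm"], denial["source_type"],
                     denial["target_type"], denial["tclass"], perms])


def summarize(denials):
    """Group by (source type, target type, class) and union the permissions.

    The file name is deliberately absent from the key: the random suffix on
    rkhcronlog.* is irrelevant to the rule, which binds to cron_var_lib_t.
    """
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return dict(grouped)


def allow_rules(grouped):
    """Render each group as an allow rule in the form audit2allow writes to the .te file."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_text = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for d in found:
        print("Hash:", hash_key(d), "path:", d["path"])
    for rule in allow_rules(summarize(found)):
        print(rule)
```

Because audit2allow -M regenerates mypol.te and mypol.pp from whatever is piped into it, and semodule -i replaces a module of the same name, the second run in the comment above did overwrite the first; piping both sets of records through one run (for example grep -E 'comm="(mail|sendmail)"' over the audit log) produces the merged rule this script prints for the cron_var_lib_t group. The better fix, which the maintainer's commits describe, is a dedicated rkhunter_var_lib_t type with the mail domains allowed to append to it, rather than widening access to everything labelled cron_var_lib_t.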
selinux-policy-3.12.1-121.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-121.fc20
Package selinux-policy-3.12.1-121.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-121.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-121.fc20
then log in and leave karma (feedback).
Sequence: All done as root.

1) I installed the testing version of selinux-policy-3.12.1-121.fc20 as requested and then ran 'semodule -r mypol' to remove my temporary patch, followed by 'semodule -l' to check that it had gone: it had.
2) Then I ran 'yum repolist --disablerepo=updates-testing' since I didn't want any other testing packages to be picked up in subsequent updates.
3) Some time later cron ran the daily rkhunter job, which failed in exactly the same way as described when I raised this bug.
4) I've subsequently run 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-121.fc20' again to check that the new testing policy was still in place: it was. I also again disabled the updates-testing repos.

*** After applying selinux-policy-3.12.1-121.fc20 I noticed that selinux objected to Firefox using the jdk symlink in one of my users, /home/java/jdk, which points to the Oracle Java JDK that I'm currently using. This has never happened before I installed selinux-policy-3.12.1-121.fc20 but was easily fixed by running '/sbin/restorecon -v /home/java/sdk' as suggested in the SElinux exception report.
How does it look with selinux-policy-3.12.1-122.fc20? What does

# ls -dZ /var/lib/rkhunter
# yum update --enablerepo=updates-testing selinux-policy-3.12.1-122.fc20
Loaded plugins: langpacks, refresh-packagekit
atrpms                                                   | 3.0 kB  00:00
rpmfusion-free-updates                                   | 3.3 kB  00:00
rpmfusion-nonfree-updates                                | 3.3 kB  00:00
updates/20/i386/metalink                                 |  27 kB  00:00
updates-testing/20/i386/metalink                         |  23 kB  00:00
No Match for argument: selinux-policy-3.12.1-122.fc20
No package selinux-policy-3.12.1-122.fc20 available.
No packages marked for update
#

...so no joy with selinux-policy-3.12.1-122.fc20

$ sudo ls -dZ /var/lib/rkhunter
[sudo] password for kiwi:
drwxr-xr-x. root root system_u:object_r:rkhunter_var_lib_t:s0 /var/lib/rkhunter
Package selinux-policy-3.12.1-122.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-122.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1700/selinux-policy-3.12.1-122.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-122.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.