Description of problem: This happens because I am using mail as part of the boot-up process to send an email to my admin. SELinux is preventing /usr/bin/mailx from 'write' accesses on the directory . This is happening because I am using mail in the boot up process to send a message to my admin. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that mailx should be allowed write access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mail /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:sendmail_t:s0 Target Context unconfined_u:object_r:etc_runtime_t:s0 Target Objects [ dir ] Source mail Source Path /usr/bin/mailx Port <Unknown> Host (removed) Source RPM Packages mailx-12.5-10.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-179.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.15.10-200.fc20.x86_64 #1 SMP Thu Aug 14 15:39:24 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-08-21 13:58:30 WST Last Seen 2014-08-21 13:58:30 WST Local ID 06d34a18-c9be-4def-9001-fdf430c0bc04 Raw Audit Messages type=AVC msg=audit(1408600710.990:602): avc: denied { write } for pid=2301 comm="mail" name="tmp" dev="sda2" ino=2752513 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir type=SYSCALL msg=audit(1408600710.990:602): arch=x86_64 syscall=open success=no exit=EACCES a0=1375680 a1=c2 a2=180 a3=0 items=0 ppid=2154 pid=2301 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=mail exe=/usr/bin/mailx subj=system_u:system_r:sendmail_t:s0 key=(null) Hash: mail,sendmail_t,etc_runtime_t,dir,write Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.15.10-200.fc20.x86_64 type: libreport
Ok. What does # ls -dZ /tmp/
Here is the extract from the email I sent in reply to the request for further information. drwxrwxrwx. root root system_u:object_r:tmp_t:s0 /tmp This is what I have. Note I have taken off the "t" bit that used to be set on before but I am not sure if it is on any more.
find /etc -name tmp
As I expected there is no tmp directories under /etc (In reply to Daniel Walsh from comment #3) > find /etc -name tmp (In reply to Miroslav Grepl from comment #1) > Ok. What does > > # ls -dZ /tmp/ Here is the extract from the email I sent in reply to the request for further information. drwxrwxrwx. root root system_u:object_r:tmp_t:s0 /tmp This is what I have. Note I have taken off the "t" bit that used to be set on before but I am not sure if it is on any more.
Are you able to reproduce it? If yes, could you turn the full auditing on using # echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules # systemctl restart auditd re-create and # ausearch -m avc -ts recent Thank you.
here is the result: ---- time->Thu Sep 4 16:41:14 2014 type=PROCTITLE msg=audit(1409820074.015:577): proctitle=6D61696C002D730066637377696E3A2072632E6C6F63616C205265626F6F74205265706F72740062636B64617 type=PATH msg=audit(1409820074.015:577): item=1 name="/app/tmp/RsTb9Ji7" nametype=CREATE type=PATH msg=audit(1409820074.015:577): item=0 name="/app/tmp/" inode=2752513 dev=08:02 mode=040777 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:etc_runtime_t:s0 nametype=PARENT type=CWD msg=audit(1409820074.015:577): cwd="/app/win/obj" type=SYSCALL msg=audit(1409820074.015:577): arch=c000003e syscall=2 success=no exit=-13 a0=cbe680 a1=c2 a2=180 a3=0 items=2 ppid=1503 pid=1583 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mail" exe="/usr/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null) type=AVC msg=audit(1409820074.015:577): avc: denied { add_name } for pid=1583 comm="mail" name="RsTb9Ji7" scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=dir
Ok now we see /app/tmp/ needs labeling. What is a directory structure of /app?
/app is where I locate all my application area so I have /app/tmp /app/win /app/fcs /app/WP and others. I make it drwxrwxrwx on all the directories at that level. Why would SElinux complain at boot up when it is fine about it after boot up. I have no restrictions on it. /app/tmp is where I am holding the file I wish to mail out. I create it fine in my boot up procedure but mail fails to send it. Is mail restricted because it can write into /var/spool/mail/root which has is accessible only by root?
SELinux is a labeling system. You need to tell SELinux how to label your directories/files. So you need to find a label using # sesearch -A -s sendmail_t -c file -p write or you can read it also from "sendmail_selinux" man page which tells which files can be managed by sendmail. Then you need to setup this labeling for /app/tmp using semanage-fcontext. # semanage fcontext -a -t mail_spool_t "/app/tmp(/.*)?" for example.
Why does mailx fail when used as part of the rc boot up procedures but works fine when used after boot. I will make the changes recommended but I do not understand why it should behave differently?
I decided to use /tmp to hold this temporary file at bootup thus avoiding the problem.
I did this as sesearch is not installed natively on Fedora 20. I would have to install it etc.
(In reply to Luigi Cantoni from comment #10) > Why does mailx fail when used as part of the rc boot up procedures but works > fine when used after boot. > > I will make the changes recommended but I do not understand why it should > behave differently? This is about process labeling. During boot it is in a different process domain against if you execute it manually. You need to install setools-console. But sendmail_selinux.8 man page is enough.
selinux-policy-3.12.1-186.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-186.fc20
Package selinux-policy-3.12.1-186.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-186.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-11479/selinux-policy-3.12.1-186.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-187.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-187.fc20
selinux-policy-3.12.1-188.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-188.fc20
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.