+++ This bug was initially created as a clone of Bug #1162305 +++

Description of problem:
/bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution. If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail.

Because mailx isn't SUID, there's virtually no value in transitioning to the sendmail_t domain on execution. When Sendmail Inc sendmail or Postfix is used, the sendmail_t transition will occur on execution of their sendmail binary, and its behavior will be confined correctly. That is, there is no benefit to labeling /sbin/mailx and no cost to not labeling it.

Could you please remove the sendmail_exec_t label on /sbin/mailx from policy, so that it is labeled bin_t?

How reproducible:
Always.

Steps to Reproduce:
1. Install Courier MTA (for example)
2. Install cron job that executes "mail" to send email

--- Additional comment from RHEL Product and Program Management on 2014-11-10 14:57:05 EST ---

Since this bug report was entered in bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Libor Miksik on 2015-03-11 11:20:56 EDT ---

Since the release flag was set to ? after the qa_ack and pm_ack flags were set to + (was likely set for the previous release), the qa_ack and pm_ack flags have been reset to ? by the bugbot (pm-rhel). This action ensures the proper review by Product Management.

--- Additional comment from Libor Miksik on 2015-11-04 00:34:42 EST ---

Since the release flag was set to ? after the qa_ack and pm_ack flags were set to + (was likely set for the previous release), the qa_ack and pm_ack flags have been reset to ? by the bugbot (pm-rhel). This action ensures the proper review by Product Management.

--- Additional comment from Miroslav Grepl on 2015-12-18 10:33:32 EST ---

Could you attach raw AVC messages? Thank you.
--- Additional comment from Gordon Messmer on 2015-12-21 01:27:52 EST ---

I can, but they're not meaningful. They document the problem with only one non-Sendmail Inc. sendmail binary, and in only one configuration. Adding these will not remedy the problem completely.

type=USER_AVC msg=audit(1450678921.538:9380): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1450678921.613:9383): avc: denied { read } for pid=8480 comm="submit" name="enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.613:9383): avc: denied { open } for pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.614:9384): avc: denied { getattr } for pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc: denied { read } for pid=8480 comm="submit" name="aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc: denied { open } for pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9386): avc: denied { getattr } for pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9387): avc: denied { lock } for pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9388): avc: denied { read } for pid=8480 comm="submit" name="locals" dev="dm-1" ino=143725 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file

--- Additional comment from Miroslav Grepl on 2016-01-04 04:32:24 EST ---

You are right, it makes sense.

--- Additional comment from Lukas Vrabec on 2016-03-11 11:13:52 EST ---

We have more troubles around labeling mailx. I'm going to test it. Thank you for reporting the bug.
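Added example, not part of the bug report: a small Python parser that groups AVC denials like the ones quoted above by command, source domain, target type and object class, so the confined domain and the files it was refused are visible at a glance. The sample lines are copied from the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: four records copied from the audit log quoted in the thread.
SAMPLE = """\
type=USER_AVC msg=audit(1450678921.538:9380): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1450678921.613:9383): avc: denied { read } for pid=8480 comm="submit" name="enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc: denied { open } for pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9388): avc: denied { read } for pid=8480 comm="submit" name="locals" dev="dm-1" ino=143725 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file
"""

DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_denial(line):
    """Parse one 'avc: denied' record; return None for any other line."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None  # e.g. the USER_AVC policy-load notice
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "source": context_type(fields.get("scontext")),
        "target": context_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(text):
    """Group denials by (comm, source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["source"], rec["target"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["objects"].add(rec["object"])
    return {k: {n: sorted(v) for n, v in g.items()} for k, g in groups.items()}
```

Calling summarize(SAMPLE) yields two groups, both with source type system_mail_t and target type courier_etc_t: one for class file and one for class lnk_file.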
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.13.1-225.23.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.