Bug 1323224 - mailx fails when used with mail server other than Sendmail Inc sendmail or postfix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-01 15:15 UTC by Lukas Vrabec
Modified: 2017-11-01 16:39 UTC (History)

Fixed In Version: selinux-policy-3.13.1-181.fc25 selinux-policy-3.13.1-208.fc25 selinux-policy-3.13.1-225.20.fc25 selinux-policy-3.13.1-225.22.fc25 selinux-policy-3.13.1-225.23.fc25
Clone Of: 1162305
Environment:
Last Closed: 2017-11-01 16:39:44 UTC
Type: Bug
Embargoed:



Description Lukas Vrabec 2016-04-01 15:15:19 UTC
+++ This bug was initially created as a clone of Bug #1162305 +++

Description of problem:
/bin/mailx is labeled sendmail_exec_t, and enters the sendmail_t domain on execution.  If /usr/sbin/sendmail does not have its own domain to transition to, and is not one of several products whose behavior is allowed by the sendmail_t policy, execution will fail.

Because mailx isn't SUID, there's virtually no value in transitioning to the sendmail_t domain on execution.  When Sendmail Inc sendmail or Postfix is used, the sendmail_t transition will occur on execution of their sendmail binary, and its behavior will be confined correctly.

That is, there is no benefit to labeling /sbin/mailx and no cost to not labeling it.

Could you please remove the sendmail_exec_t label on /sbin/mailx from policy, so that it is labeled bin_t?

How reproducible:
Always.

Steps to Reproduce:
1. Install Courier MTA (for example)
2. Install cron job that executes "mail" to send email

--- Additional comment from RHEL Product and Program Management on 2014-11-10 14:57:05 EST ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Libor Miksik on 2015-03-11 11:20:56 EDT ---

Since the release flag was set to ? after the qa_ack and pm_ack flags were set to + (was likely set for the previous release), the qa_ack and pm_ack flags have been reset to ? by the bugbot (pm-rhel). This action ensures the proper review by Product Management.

--- Additional comment from Libor Miksik on 2015-11-04 00:34:42 EST ---

Since the release flag was set to ? after the qa_ack and pm_ack flags were set to + (was likely set for the previous release), the qa_ack and pm_ack flags have been reset to ? by the bugbot (pm-rhel). This action ensures the proper review by Product Management.

--- Additional comment from Miroslav Grepl on 2015-12-18 10:33:32 EST ---

Could you attach raw AVC messages?

Thank you.

--- Additional comment from Gordon Messmer on 2015-12-21 01:27:52 EST ---

I can, but they're not meaningful.  They document the problem with only one non-Sendmail Inc. sendmail binary, and in only one configuration.  Adding these will not remedy the problem completely.

type=USER_AVC msg=audit(1450678921.538:9380): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { read } for  pid=8480 comm="submit" name="enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.613:9383): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.614:9384): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=133928 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { read } for  pid=8480 comm="submit" name="aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9385): avc:  denied  { open } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9386): avc:  denied  { getattr } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9387): avc:  denied  { lock } for  pid=8480 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=131119 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1450678921.615:9388): avc:  denied  { read } for  pid=8480 comm="submit" name="locals" dev="dm-1" ino=143725 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file
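
A triage sketch for denials like the ones above, added here as an example and not part of the bug report: it groups AVC records by source type, target type and object class, so the domain the denied process ran in and the labels it touched are visible at a glance. The log lines are constructed in the same format (timestamps, PIDs and inodes are made up) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format; only the SELinux types mirror the report.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1700000000.100:100): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)'
type=AVC msg=audit(1700000000.200:101): avc:  denied  { read } for  pid=4242 comm="submit" name="enablefiltering" dev="dm-1" ino=1001 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1700000000.200:101): avc:  denied  { open } for  pid=4242 comm="submit" path="/etc/courier/enablefiltering" dev="dm-1" ino=1001 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1700000000.300:102): avc:  denied  { getattr } for  pid=4242 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=1002 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1700000000.300:103): avc:  denied  { lock } for  pid=4242 comm="submit" path="/etc/courier/aliases.dat" dev="dm-1" ino=1002 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=file
type=AVC msg=audit(1700000000.400:104): avc:  denied  { read } for  pid=4242 comm="submit" name="locals" dev="dm-1" ino=1003 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_etc_t:s0 tclass=lnk_file
"""

# Kernel AVC denials only; USER_AVC records (e.g. policyload notices) do not match.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')


def selinux_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) to the denied permissions and objects."""
    perms = defaultdict(set)
    objects = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        perms[key].update(m["perms"].split())
        obj = OBJ_RE.search(line)
        if obj:
            objects[key].add(obj.group(1))
    return {k: {"perms": sorted(perms[k]), "objects": sorted(objects[k])}
            for k in perms}


if __name__ == "__main__":
    for (src, tgt, cls), info in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {info['perms']} {info['objects']}")
```
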

--- Additional comment from Miroslav Grepl on 2016-01-04 04:32:24 EST ---

You are right, it makes sense.

--- Additional comment from Lukas Vrabec on 2016-03-11 11:13:52 EST ---

We have more troubles around labeling mailx. I'm going to test it. 

Thank you for reporting the bug.

Comment 1 Jan Kurik 2016-07-26 04:37:42 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 2 Fedora Update System 2016-08-12 15:57:31 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1

Comment 3 Fedora Update System 2016-08-17 03:02:43 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2017-08-14 15:22:38 UTC
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 5 Fedora Update System 2017-08-15 03:51:30 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 6 Fedora Update System 2017-08-27 06:22:28 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2017-09-01 09:35:15 UTC
selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

Comment 8 Fedora Update System 2017-09-03 06:25:19 UTC
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

Comment 9 Fedora Update System 2017-09-07 23:20:38 UTC
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2017-10-10 12:01:05 UTC
selinux-policy-3.13.1-225.23.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a

Comment 11 Fedora Update System 2017-10-11 04:22:34 UTC
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a

Comment 12 Fedora Update System 2017-11-01 16:39:44 UTC
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

