1545230 – certmonger is not allowed to use local MTA

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1545230 - certmonger is not allowed to use local MTA

Summary: certmonger is not allowed to use local MTA

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:	1588363
TreeView+	depends on / blocked

Reported:	2018-02-14 12:38 UTC by Thorsten Scherf
Modified:	2018-10-30 10:03 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.13.1-203.el7
Doc Type:	Bug Fix
Doc Text:	Previously, an SELinux rule that allows the certmonger daemon to use local Mail Transfer Agent (MTA) was missing. As a consequence, certmonger was not able to send e-mails with SELinux in enforcing mode. With this update, the missing rule has been added to the SELinux system policy, and certmonger can now send e-mails with SELinux in enforcing mode.
Clone Of:
Clones:	1588363 (view as bug list)
Environment:
Last Closed:	2018-10-30 10:02:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
selinux denials (12.74 KB, text/x-vhdl) 2018-02-14 13:09 UTC, Thorsten Scherf	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3111	0	None	None	None	2018-10-30 10:03:21 UTC

Description Thorsten Scherf 2018-02-14 12:38:06 UTC

Description of problem:
Certmonger can be configured to send notifications about certificates that are going to expire soon either via syslog or mail. While the syslog-based configuration works without any problems, certmonger can not send emails with SELinux in enforcing mode.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-189.el7.noarch
certmonger-0.78.4-3.el7.x86_64

How reproducible:
- Configure certmonger to send notifications via email:

# grep -v '^#' /etc/certmonger/certmonger.conf 
[defaults]
notification_method = mail 
notification_destination = root

- Change system date so that a certificate that is tracked by certmonger is going to expire soon (e.g. 10 days before the actual expiration)

Steps to Reproduce:
1.
2.
3.

Actual results:
certmonger does not send an email alert because of SELinux AVC denials.

Expected results:
certmonger is supposed to send an email alert.

Additional info:
# grep AVC /var/log/audit/audit.log |audit2allow 

#============= certmonger_t ==============
allow certmonger_t etc_mail_t:dir getattr;
allow certmonger_t etc_mail_t:file { getattr open read };
allow certmonger_t fs_t:filesystem getattr;
allow certmonger_t mqueue_spool_t:dir { add_name getattr open read remove_name search write };
allow certmonger_t mqueue_spool_t:file { create getattr lock open read unlink write };
allow certmonger_t self:process setrlimit;
allow certmonger_t sendmail_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow certmonger_t smtp_port_t:tcp_socket name_connect;

Comment 1 Milos Malik 2018-02-14 12:54:03 UTC

Please attach SELinux denials too:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you

Comment 2 Thorsten Scherf 2018-02-14 13:09:18 UTC

Created attachment 1395899 [details]
selinux denials

Comment 3 Martin Kosek 2018-02-15 08:35:38 UTC

It would be good to fix this for both RHEL and Fedora. The certificate renewal is a challenging FreeIPA workflow and having ability to easily send notifications if the certificate renewal fails could save users from dealing with the situation when they miss it and certificates expire.

Comment 4 Milos Malik 2018-02-15 08:41:48 UTC

Do you need the bug fixed in RHEL-7.5?

Comment 5 Thorsten Scherf 2018-02-15 10:07:49 UTC

(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

Ideally yes.

Comment 6 Martin Kosek 2018-02-15 10:34:34 UTC

(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

It would be indeed good to having it fixed in RHEL-7.5. However, given it is not a new regression or a blocker for someone and given that RHEL-7.5 testing is in late testing stage, I will not push on it.

It would be good though for having it in some 7.5 Batch Update, so that RHEL-7.5 customers can start leveraging certmonger mail notifications before RHEL-7.6 comes.

Comment 7 Thorsten Scherf 2018-04-27 08:17:44 UTC

(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

Now that RHEL-7.5 has been GA'ed, would it be feasible to release a 7.5 z-stream to resolve this issue also in the current release?

Comment 16 errata-xmlrpc 2018-10-30 10:02:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Note You need to log in before you can comment on or make changes to this bug.