Bug 1545230 - certmonger is not allowed to use local MTA
Summary: certmonger is not allowed to use local MTA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Mirek Jahoda
Depends On:
Blocks: 1588363
Reported: 2018-02-14 12:38 UTC by Thorsten Scherf
Modified: 2018-10-30 10:03 UTC (History)

Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: Bug Fix
Doc Text:
Previously, an SELinux rule that allows the certmonger daemon to use local Mail Transfer Agent (MTA) was missing. As a consequence, certmonger was not able to send e-mails with SELinux in enforcing mode. With this update, the missing rule has been added to the SELinux system policy, and certmonger can now send e-mails with SELinux in enforcing mode.
Clone Of:
: 1588363
Last Closed: 2018-10-30 10:02:53 UTC
Target Upstream Version:

Attachments (Terms of Use)
selinux denials (12.74 KB, text/x-vhdl)
2018-02-14 13:09 UTC, Thorsten Scherf

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:03:21 UTC

Description Thorsten Scherf 2018-02-14 12:38:06 UTC
Description of problem:
Certmonger can be configured to send notifications about certificates that are going to expire soon either via syslog or mail. While the syslog-based configuration works without any problems, certmonger cannot send emails with SELinux in enforcing mode.

Version-Release number of selected component (if applicable):

How reproducible:
- Configure certmonger to send notifications via email:

# grep -v '^#' /etc/certmonger/certmonger.conf
notification_method = mail
notification_destination = root

- Change system date so that a certificate that is tracked by certmonger is going to expire soon (e.g. 10 days before the actual expiration)

Steps to Reproduce:

Actual results:
certmonger does not send an email alert because of SELinux AVC denials.

Expected results:
certmonger is supposed to send an email alert.

Additional info:
# grep AVC /var/log/audit/audit.log |audit2allow

#============= certmonger_t ==============
allow certmonger_t etc_mail_t:dir getattr;
allow certmonger_t etc_mail_t:file { getattr open read };
allow certmonger_t fs_t:filesystem getattr;
allow certmonger_t mqueue_spool_t:dir { add_name getattr open read remove_name search write };
allow certmonger_t mqueue_spool_t:file { create getattr lock open read unlink write };
allow certmonger_t self:process setrlimit;
allow certmonger_t sendmail_exec_t:file { execute execute_no_trans open read };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow certmonger_t smtp_port_t:tcp_socket name_connect;
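
The audit2allow output above merges the raw AVC records into one allow statement per (source, target, class) triple and flags the one denial a shipped boolean already covers. The script below is an added example, not part of this bug report or of the selinux-policy or certmonger projects: it parses audit.log-style AVC lines offline the same way, restricted to a single source domain, so the denials can be reviewed before anyone builds a local policy module from them. The audit lines in it are constructed to match the denials described in the report (they are not the attached log), and the only boolean hint it knows, nis_enabled for smtp_port_t name_connect, is the one audit2allow printed above.

```python
"""Triage raw SELinux AVC denial lines into audit2allow-style allow rules.

Added example, not from the bug report. The audit lines below are constructed
to resemble /var/log/audit/audit.log records for the denials the report
describes; on a real host they would come from `ausearch -m avc`.
"""
import re
from collections import defaultdict

# Constructed sample records (not the attachment from the report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1518612345.101:501): avc:  denied  { execute } for  pid=1234 comm="certmonger" name="sendmail" dev="dm-0" ino=1 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518612345.102:502): avc:  denied  { read open } for  pid=1234 comm="certmonger" path="/usr/sbin/sendmail.postfix" dev="dm-0" ino=1 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518612345.103:503): avc:  denied  { execute_no_trans } for  pid=1234 comm="certmonger" path="/usr/sbin/sendmail.postfix" dev="dm-0" ino=1 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518612345.104:504): avc:  denied  { name_connect } for  pid=1235 comm="sendmail" dest=25 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1518612345.105:505): avc:  denied  { setrlimit } for  pid=1235 comm="sendmail" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1518612345.105:505): arch=c000003e syscall=59 success=no exit=-13 ...
"""

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# (target type, class, permission) -> boolean that already allows it.
# Only the hint audit2allow printed in the report is known here.
BOOLEAN_HINTS = {("smtp_port_t", "tcp_socket", "name_connect"): "nis_enabled"}


def type_of(context):
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]


def parse_avc_lines(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and unrelated records carry no denial
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def collect_rules(text, source_type=None):
    """Merge denials into {(stype, ttype, tclass): set(perms)}.

    With source_type set, denials from other domains are dropped so a local
    module built from the result cannot widen unrelated domains by accident.
    """
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_lines(text):
        if source_type and stype != source_type:
            continue
        if ttype == stype:  # audit2allow writes the target as 'self' in this case
            ttype = "self"
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_te(rules):
    """Render merged rules as allow statements, flagging boolean-covered ones."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        booleans = sorted({BOOLEAN_HINTS[(ttype, tclass, p)]
                           for p in perms if (ttype, tclass, p) in BOOLEAN_HINTS})
        for b in booleans:
            lines.append("#!!!! This avc can be allowed using the boolean '%s'" % b)
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ %s }" % " ".join(ordered)
        lines.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG, source_type="certmonger_t")))
```

Restricting the merge to certmonger_t matters because audit2allow run over the whole log, as in the report, would also turn any unrelated denial recorded that day into an allow rule; the boolean hint is worth keeping separate because a rule that a boolean already covers belongs in a setsebool decision, not in a custom module.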

Comment 1 Milos Malik 2018-02-14 12:54:03 UTC
Please attach SELinux denials too:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you

Comment 2 Thorsten Scherf 2018-02-14 13:09:18 UTC
Created attachment 1395899 [details]
selinux denials

Comment 3 Martin Kosek 2018-02-15 08:35:38 UTC
It would be good to fix this for both RHEL and Fedora. The certificate renewal is a challenging FreeIPA workflow, and having the ability to easily send notifications if the certificate renewal fails could save users from dealing with the situation when they miss it and certificates expire.

Comment 4 Milos Malik 2018-02-15 08:41:48 UTC
Do you need the bug fixed in RHEL-7.5?

Comment 5 Thorsten Scherf 2018-02-15 10:07:49 UTC
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

Ideally yes.

Comment 6 Martin Kosek 2018-02-15 10:34:34 UTC
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

It would indeed be good to have it fixed in RHEL-7.5. However, given that it is not a new regression or a blocker for someone, and given that RHEL-7.5 is in a late testing stage, I will not push on it.

It would be good, though, to have it in some 7.5 Batch Update, so that RHEL-7.5 customers can start leveraging certmonger mail notifications before RHEL-7.6 comes.

Comment 7 Thorsten Scherf 2018-04-27 08:17:44 UTC
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?

Now that RHEL-7.5 has been GA'ed, would it be feasible to release a 7.5 z-stream to resolve this issue also in the current release?

Comment 16 errata-xmlrpc 2018-10-30 10:02:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
