Bug 1644568 - the arpwatch service triggers SELinux denials
Summary: the arpwatch service triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1657327
Reported: 2018-10-31 07:42 UTC by Milos Malik
Modified: 2019-01-17 02:16 UTC (History)

Fixed In Version: selinux-policy-3.14.2-46.fc29
Clone Of:
Environment:
Last Closed: 2019-01-17 02:16:23 UTC
Type: Bug
Embargoed:



Description Milos Malik 2018-10-31 07:42:18 UTC
Description of problem:
 * the arpwatch service seems to run unaffected in enforcing mode

system_u:system_r:arpwatch_t:s0 arpwatch  1797     1  0 08:23 ?        00:00:00 /usr/sbin/arpwatch -u arpwatch -e root -s root (Arpwatch)

Version-Release number of selected component (if applicable):
arpwatch-2.1a15-43.fc29.x86_64
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-devel-3.14.2-40.fc29.noarch
selinux-policy-sandbox-3.14.2-40.fc29.noarch
selinux-policy-targeted-3.14.2-40.fc29.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 29 machine (targeted policy is active)
2. start the arpwatch service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(10/31/2018 08:24:19.994:270) : proctitle=/usr/sbin/arpwatch -u arpwatch -e root -s root (Arpwatch) 
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=1 name=/bin/bash inode=16902641 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=0 name=/usr/sbin/sendmail inode=18621703 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sendmail_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(10/31/2018 08:24:19.994:270) : cwd=/var/lib/arpwatch 
type=SYSCALL msg=audit(10/31/2018 08:24:19.994:270) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55d6a4dc7980 a1=0x7fff34f91d00 a2=0x7fff34f923a8 a3=0x1 items=2 ppid=1797 pid=1826 auid=unset uid=arpwatch gid=arpwatch euid=arpwatch suid=arpwatch fsuid=arpwatch egid=arpwatch sgid=arpwatch fsgid=arpwatch tty=(none) ses=unset comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null) 
type=AVC msg=audit(10/31/2018 08:24:19.994:270) : avc:  denied  { execute } for  pid=1826 comm=arpwatch name=bash dev="vda2" ino=16902641 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials
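As an added triage example (not from this report or from the Fedora policy), the records above, grouped by their audit serial, show what the kernel actually refused: arpwatch_t was denied execute on shell_exec_t while the process was executing /usr/sbin/sendmail (PATH item 0), whose interpreter resolved to /bin/bash (PATH item 1), with permissive=0 meaning the denial was enforced. The record text is copied from the report; the "rule" field is the raw allow rule audit2allow would print, which a packaged policy would normally express through a policy interface rather than as a bare rule.

```python
import re
from collections import defaultdict

# Audit records from this report (ausearch -i interpreted format), all part of event serial 270.
RECORDS = """\
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=1 name=/bin/bash inode=16902641 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=0 name=/usr/sbin/sendmail inode=18621703 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sendmail_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(10/31/2018 08:24:19.994:270) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55d6a4dc7980 a1=0x7fff34f91d00 a2=0x7fff34f923a8 a3=0x1 items=2 ppid=1797 pid=1826 auid=unset uid=arpwatch gid=arpwatch euid=arpwatch suid=arpwatch fsuid=arpwatch egid=arpwatch sgid=arpwatch fsgid=arpwatch tty=(none) ses=unset comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(10/31/2018 08:24:19.994:270) : avc:  denied  { execute } for  pid=1826 comm=arpwatch name=bash dev="vda2" ino=16902641 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values are bare tokens or double-quoted


def parse_record(line):
    """Split one audit record into a dict of its fields; None if the line is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": m["ts"]}
    body = m["body"]
    if rec["type"] == "AVC":  # the "avc: denied { perms } for" prefix is not key=value
        a = AVC_RE.match(body)
        rec["verdict"], rec["perms"], body = a["verdict"], a["perms"].split(), a["rest"]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def type_of(context):
    """user:role:type:level -> type (system_u:system_r:arpwatch_t:s0 -> arpwatch_t)."""
    return context.split(":")[2]


def summarize_denials(lines):
    """Group records by serial; describe each denied AVC with its SYSCALL and full PATH name."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec["serial"]].append(rec)
    out = []
    for serial, recs in sorted(events.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        for avc in (r for r in recs if r["type"] == "AVC" and r.get("verdict") == "denied"):
            path = next((r["name"] for r in recs if r["type"] == "PATH"
                         and r.get("name", "").endswith("/" + avc.get("name", ""))), avc.get("name"))
            src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
            out.append({"serial": serial, "source_type": src, "target_type": tgt, "tclass": avc["tclass"],
                        "perms": avc["perms"], "path": path, "syscall": syscall.get("syscall"),
                        "exe": syscall.get("exe"), "enforced": avc.get("permissive") == "0",
                        "rule": f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"})
    return out
```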

Comment 1 Zdenek Pytela 2018-12-07 16:17:36 UTC
Sending e-mails is a part of the core functionality of arpwatch. In newer Fedoras, the esmtp package is installed, which provides sendmail as a shell wrapper; therefore the permission to execute shell_exec_t for arpwatch_t is required.

The arpwatch service runs as an unprivileged user, so granting this permission should not be considered too excessive.

https://github.com/fedora-selinux/selinux-policy-contrib/pull/74

Comment 3 Fedora Update System 2019-01-13 15:44:38 UTC
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 4 Fedora Update System 2019-01-14 03:02:55 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61

Comment 5 Fedora Update System 2019-01-17 02:16:23 UTC
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

