Description of problem:
* the arpwatch service seems to run unaffected in enforcing mode

system_u:system_r:arpwatch_t:s0 arpwatch 1797 1 0 08:23 ? 00:00:00 /usr/sbin/arpwatch -u arpwatch -e root -s root (Arpwatch)

Version-Release number of selected component (if applicable):
arpwatch-2.1a15-43.fc29.x86_64
selinux-policy-3.14.2-40.fc29.noarch
selinux-policy-devel-3.14.2-40.fc29.noarch
selinux-policy-sandbox-3.14.2-40.fc29.noarch
selinux-policy-targeted-3.14.2-40.fc29.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 29 machine (targeted policy is active)
2. start the arpwatch service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(10/31/2018 08:24:19.994:270) : proctitle=/usr/sbin/arpwatch -u arpwatch -e root -s root (Arpwatch)
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=1 name=/bin/bash inode=16902641 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=0 name=/usr/sbin/sendmail inode=18621703 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sendmail_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(10/31/2018 08:24:19.994:270) : cwd=/var/lib/arpwatch
type=SYSCALL msg=audit(10/31/2018 08:24:19.994:270) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55d6a4dc7980 a1=0x7fff34f91d00 a2=0x7fff34f923a8 a3=0x1 items=2 ppid=1797 pid=1826 auid=unset uid=arpwatch gid=arpwatch euid=arpwatch suid=arpwatch fsuid=arpwatch egid=arpwatch sgid=arpwatch fsgid=arpwatch tty=(none) ses=unset comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0 key=(null)
type=AVC msg=audit(10/31/2018 08:24:19.994:270) : avc: denied { execute } for pid=1826 comm=arpwatch name=bash dev="vda2" ino=16902641 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
----

Expected results:
* no SELinux denials
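As an added triage example (not code from the bug report or the selinux-policy project), the script below parses ausearch -i records like the ones above, groups them by audit serial so the AVC denial can be joined with the SYSCALL and PATH records of the same execve, and renders the raw allow rule the denial maps to. The sample records are constructed from the report and trimmed to the fields used.

```python
import re
from collections import defaultdict

# Constructed sample: ausearch -i records from the report above (audit serial 270), trimmed to the fields used here.
SAMPLE_AUDIT = """\
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=1 name=/bin/bash inode=16902641 obj=system_u:object_r:shell_exec_t:s0
type=PATH msg=audit(10/31/2018 08:24:19.994:270) : item=0 name=/usr/sbin/sendmail inode=18621703 obj=system_u:object_r:sendmail_exec_t:s0
type=SYSCALL msg=audit(10/31/2018 08:24:19.994:270) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) pid=1826 uid=arpwatch comm=arpwatch exe=/usr/sbin/arpwatch subj=system_u:system_r:arpwatch_t:s0
type=AVC msg=audit(10/31/2018 08:24:19.994:270) : avc: denied { execute } for pid=1826 comm=arpwatch name=bash dev="vda2" ino=16902641 scontext=system_u:system_r:arpwatch_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
"""

REC_RE = re.compile(r"^type=(\S+) msg=audit\(([^)]*):(\d+)\) : (.*)$")
AVC_RE = re.compile(r"avc: +(denied|granted) +\{ ([^}]*)\} for (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(body):
    """key=value fields of one record; quoted values such as dev="vda2" are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}

def parse_events(text):
    """Group records by audit serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for m in filter(None, map(REC_RE.match, text.splitlines())):
        rtype, _ts, serial, body = m.groups()
        if rtype == "AVC" and (a := AVC_RE.search(body)):
            rec = {"result": a.group(1), "perms": a.group(2).split(), **parse_kv(a.group(3))}
        else:
            rec = parse_kv(body)
        events[int(serial)][rtype].append(rec)
    return events

def summarize_denials(text):
    """One dict per denied AVC, joined with the SYSCALL and PATH records of the same event."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        sc = (recs.get("SYSCALL") or [{}])[0]
        # For execve, PATH item=0 is the file being executed and item=1 its interpreter.
        paths = {p.get("item"): p.get("name") for p in recs.get("PATH", [])}
        for avc in recs.get("AVC", []):
            if avc.get("result") != "denied":
                continue
            src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
            out.append({"serial": serial, "source_type": src, "target_type": tgt,
                        "tclass": avc["tclass"], "perms": avc["perms"],
                        "enforced": avc.get("permissive") == "0",
                        "syscall": sc.get("syscall"), "exe": sc.get("exe"),
                        "exec_target": paths.get("0"), "interpreter": paths.get("1"),
                        # same raw rule audit2allow would print for this AVC
                        "allow_rule": f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"})
    return out
```

The joined view shows that the denied execute on shell_exec_t happened while arpwatch was executing /usr/sbin/sendmail, i.e. the shell wrapper, which is the missing permission named in the discussion. The allow_rule field is a triage aid for confirming which grant is missing, not a drop-in fix, since a distribution policy expresses such grants through its interfaces.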
Sending e-mails is part of the core functionality of arpwatch. In newer Fedoras, the esmtp package is installed, which provides sendmail as a shell wrapper; therefore the permission to execute shell_exec_t for arpwatch_t is required. The arpwatch service runs as an unprivileged user, so granting this permission should not be considered too excessive.

https://github.com/fedora-selinux/selinux-policy-contrib/pull/74
https://github.com/fedora-selinux/selinux-policy-contrib/pull/75
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.