Description of problem:
The arpwatch service cannot send e-mails about the changes in the data file.

Version-Release number of selected component (if applicable):
arpwatch-2.1a15-43.fc29.x86_64
selinux-policy-targeted-3.14.2-42.fc29.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install arpwatch
2. Start the arpwatch service
3. Check for AVC denials

Actual results:
AVC denials appear in the log:
allow system_mail_t arpwatch_data_t:dir { add_name create read remove_name write };
allow system_mail_t arpwatch_data_t:file { create getattr link open read setattr unlink write };

Expected results:
No AVC denials

Additional info:
The esmtp package is the default sendmail provider in newer Fedoras. Arpwatch starts sending e-mails once bz 1644568 is resolved or the arpwatch_t domain is in permissive mode.
Sending e-mails is a part of the core functionality of arpwatch. In newer Fedoras, the esmtp package is installed, which provides the sendmail rpm-capability. The ~arpwatch directory is a data directory for the service with a specific context, therefore the daemon is unable to create the ~/.esmtp-queue directory for enqueueing e-mails. An equivalency rule cannot be used as /var/lib/arpwatch is the daemon working directory.

Pull request: https://github.com/fedora-selinux/selinux-policy-contrib/pull/76

Also note a rule like this may be required for all daemons with a specific home directory which send e-mails.

Requires bz 1644568 to be resolved so that the esmtp service can start.

Additionally, labeling for the directory needs to be put in place using one of these approaches:
1. patching the esmtp package so that it adjusts the directory context right after running mkdir
2. include /var/lib/arpwatch/.esmtp_queue with the correct label in the rpm package
3. add a file transition rule into the policy as well
4. suggest to run mkdir && restorecon as a workaround
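Added example for the report above and for option 4 in the previous comment. This is not code from the bug, from arpwatch, esmtp or selinux-policy; it is a small shell helper that (a) collapses raw "avc: denied" audit records into the allow-rule shape quoted under "Actual results", the way audit2allow does, so the reader can see which denial contributed which permission, and (b) wraps the "mkdir && restorecon" workaround. The types, object classes, permissions and the /var/lib/arpwatch/.esmtp_queue path are the ones in this thread; the audit records, pids, inodes, timestamps and file names in SAMPLE_AVCS are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any of the packages it names.
# avc_to_allow: audit2allow-style aggregation of raw AVC records.
# esmtp_queue_workaround: option 4 from the discussion, for a root shell.

# Constructed audit records in the format auditd writes AVC events.
# The last two lines are noise a converter must ignore: a granted AVC and a
# SYSCALL record. Object names/pids/inodes are made up for illustration.
SAMPLE_AVCS='type=AVC msg=audit(1551340000.101:211): avc:  denied  { write } for  pid=1234 comm="sendmail" name="arpwatch" dev="dm-0" ino=5 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:arpwatch_data_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551340000.101:212): avc:  denied  { add_name } for  pid=1234 comm="sendmail" name=".esmtp_queue" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:arpwatch_data_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551340000.101:213): avc:  denied  { create } for  pid=1234 comm="sendmail" name=".esmtp_queue" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:arpwatch_data_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551340000.102:214): avc:  denied  { read write remove_name } for  pid=1234 comm="sendmail" name=".esmtp_queue" dev="dm-0" ino=7 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:arpwatch_data_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551340000.102:215): avc:  denied  { create } for  pid=1234 comm="sendmail" name="1234.msg" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:arpwatch_data_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551340000.102:216): avc:  denied  { read write open getattr setattr } for  pid=1234 comm="sendmail" name="1234.msg" dev="dm-0" ino=8 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:arpwatch_data_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551340000.103:217): avc:  denied  { link unlink } for  pid=1234 comm="sendmail" name="1234.msg" dev="dm-0" ino=8 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:arpwatch_data_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551340000.103:218): avc:  granted  { read } for  pid=1234 comm="sendmail" name="config" scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551340000.103:218): arch=c000003e syscall=257 success=no exit=-13 comm="sendmail" subj=system_u:system_r:system_mail_t:s0'

# Read audit records on stdin; print one "allow" rule per
# (source type, target type, class) with the union of denied permissions,
# deduplicated and sorted alphabetically (the shape audit2allow prints).
# Only "denied" AVCs count; granted AVCs and non-AVC records are skipped.
avc_to_allow() {
  awk '/avc: +denied +[{]/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)   # keep text after "denied  { "
      sub(/ *[}].*/, "", perms)           # cut at the closing " }"
      st = ""; tt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type:level; the type is the third field
        if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); st = a[3] }
        else if (index($i, "tcontext=") == 1) { split(substr($i, 10), a, ":"); tt = a[3] }
        else if (index($i, "tclass=") == 1) cls = substr($i, 8)
      }
      if (st == "" || tt == "" || cls == "") next
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print st " " tt ":" cls " " p[j]
    }' |
  LC_ALL=C sort -u |
  awk '{
      key = $1 " " $2
      if (key != prev) {
        if (prev != "") print "allow " prev " { " acc " };"
        prev = key; acc = $3
      } else {
        acc = acc " " $3
      }
    }
    END { if (prev != "") print "allow " prev " { " acc " };" }'
}

# Step 3 of the report on a live host: AVCs raised by the mailer domain since
# boot, folded into rules. Needs auditd and root; not exercised by the demo.
show_mail_avcs() {
  ausearch -m AVC -ts boot -r 2>/dev/null |
    grep 'scontext=[^ ]*:system_mail_t:' |
    avc_to_allow
}

# Option 4 from the discussion: create the queue directory esmtp wants under the
# daemon's working directory and let restorecon apply whatever label the
# installed policy's file contexts assign, then show it. Root only; touches the
# live system, so it is never run by default.
esmtp_queue_workaround() {
  dir=/var/lib/arpwatch/.esmtp_queue
  mkdir -p "$dir" && restorecon -v "$dir" && ls -Zd "$dir"
}

# Offline demo over the constructed records; reproduces the two rules quoted in
# the report's "Actual results".
demo_rules() {
  printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
}

case "${1:-demo}" in
  demo) demo_rules ;;
  live) show_mail_avcs ;;
  workaround) esmtp_queue_workaround ;;
esac
```

Running the script with no argument prints exactly the two allow lines from the report. Note what those lines are and are not: they record the permissions the mailer was denied, and dropping them into a local module with audit2allow is the blunt fix; the change merged for this bug instead keeps the rules narrow and adds a file transition for /var/lib/arpwatch/.esmtp_queue, so check the label the directory actually gets (ls -Zd) after updating rather than only watching for the denials to disappear.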
Another pull request created: https://github.com/fedora-selinux/selinux-policy-contrib/pull/77 to add the file transition for /var/lib/arpwatch/.esmtp_queue (option 3 in the previous comment)
PR merged.
selinux-policy-3.14.2-47.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346
selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346
selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.