Bug 1657327 - arpwatch service cannot send e-mails
Summary: arpwatch service cannot send e-mails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1644568
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-07 16:28 UTC by Zdenek Pytela
Modified: 2019-01-18 02:14 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.2-47.fc29
Clone Of:
Environment:
Last Closed: 2019-01-18 02:14:07 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1644568 0 medium CLOSED the arpwatch service triggers SELinux denials 2021-02-22 00:41:40 UTC

Description Zdenek Pytela 2018-12-07 16:28:40 UTC 
Description of problem:
The arpwatch service cannot send e-mails about the changes in data file.

Version-Release number of selected component (if applicable):
arpwatch-2.1a15-43.fc29.x86_64
selinux-policy-targeted-3.14.2-42.fc29.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install arpwatch
2. Start the arpwatch service
3. Check for AVC denials

Actual results:
AVC denials appear in the log:
allow system_mail_t arpwatch_data_t:dir { add_name create read remove_name write };
allow system_mail_t arpwatch_data_t:file { create getattr link open read setattr unlink write };

Expected results:
No AVC denials

Additional info:
The esmtp package is the default sendmail provider in newer Fedoras.
Arpwatch starts sending e-mails once bz 1644568 is resolved or the arpwatch_t domain is in permissive mode.
Comment 1 Zdenek Pytela 2018-12-18 16:15:08 UTC 
Sending e-mails is a part of core functionality of arpwatch. In newer fedoras, the esmtp package is installed which provides the sendmail rpm-capability. The ~arpwatch directory is a data directory for the service with a specific context, therefore the daemon is unable to create the ~/.esmtp-queue directory for enqueueing e-mails. An equivalency rule cannot be used as /var/lib/arpwatch is the daemon working directory.

Pull request:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/76

Also note a rule like this may be required for all daemons with a specific home directory which send e-mails.

Requires bz 1644568 to be resolved so that the esmtp service can start.

Additionally, labeling for the directory needs to be put in place using one of these approaches:
1. patching the esmtp package so that it adjusts the directory context right after running mkdir
2. include /var/lib/arpwatch/.esmtp_queue with the correct label in the rpm package
3. add a file transition rule into the policy as well
4. suggest to run mkdir && restorecon as a workaround
Comment 2 Zdenek Pytela 2018-12-18 16:49:11 UTC 
Another pull request created:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/77

to add the file transition for /var/lib/arpwatch/.esmtp_queue (option 3 in the previous comment)
Comment 3 Lukas Vrabec 2019-01-14 16:56:19 UTC 
PR merged.
Comment 4 Fedora Update System 2019-01-16 16:16:51 UTC 
selinux-policy-3.14.2-47.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346
Comment 5 Fedora Update System 2019-01-17 02:11:24 UTC 
selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fe7af4a346
Comment 6 Fedora Update System 2019-01-18 02:14:07 UTC 
selinux-policy-3.14.2-47.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.