Bug 1666004 - SELinux policy prevents mailman working with exim
Summary: SELinux policy prevents mailman working with exim
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-14 16:07 UTC by David Anderson
Modified: 2019-08-18 01:56 UTC
CC: 4 users

Fixed In Version: selinux-policy-3.14.2-64.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-18 01:56:36 UTC
Type: Bug
Embargoed:



Description David Anderson 2019-01-14 16:07:17 UTC
The details were reported in https://bugzilla.redhat.com/show_bug.cgi?id=1450693 which got automatically closed when Fedora 27 was EOL-ed. The problem is unchanged in Fedora 29.

The same problem still exists in RHEL / CentOS 7.

Currently the work-around is to run your mailer daemon (exim, in my case) unconfined by SELinux.

Here are some example AVCs (which weren't included in the F27 report):

type=AVC msg=audit(1547476466.962:20785635): avc:  denied  { execute } for  pid=3180 comm="exim" name="mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1547476466.962:20785635): avc:  denied  { execute_no_trans } for  pid=3180 comm="exim" path="/usr/lib/mailman/mail/mailman" dev="sda" ino=2690167 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Comment 1 David Anderson 2019-03-13 17:54:16 UTC
Anything further I can do to help with this? Not being able to confine exim, a large daemon with several historical root holes, is not good.

Comment 2 Zdenek Pytela 2019-03-13 20:46:05 UTC
Hi David,

Thank you for reporting the issue and providing the reference to the previous bugzilla. We will investigate on it and get back to you.

Comment 3 David Anderson 2019-04-11 13:37:46 UTC
As described in the prior report, the root problem seems to be simple: there are two rules that apply to /usr/lib/mailman/mail/mailman, and they are applied in the wrong order (irrelevant lines snipped):

# semanage fcontext -l |grep /usr/lib/mailman
/usr/lib/mailman.*/mail/mailman                    regular file       system_u:object_r:mailman_mail_exec_t:s0 
/usr/lib/mailman/bin(/.*)?                         all files          system_u:object_r:bin_t:s0 

This can be worked-around locally - a new rule manually added will take final precedence:

# semanage fcontext -a -t mailman_mail_exec_t /usr/lib/mailman/mail/mailman
# restorecon /usr/lib/mailman/mail/mailman
# ls -Z /usr/lib/mailman/mail/mailman
-rwxr-sr-x. root mailman system_u:object_r:mailman_mail_exec_t:s0 /usr/lib/mailman/mail/mailman

Comment 4 David Anderson 2019-04-11 13:38:37 UTC
I've performed the work-around in https://bugzilla.redhat.com/show_bug.cgi?id=1666004#c3 and verified that mail now successfully enters mailman from exim (over SMTP), without any AVCs.

Comment 6 Zdenek Pytela 2019-06-14 12:33:46 UTC
David,

Thank you for reporting the issue and for the investigation. It really turns out there are two clashing rules with regexps, just a small correction for the paths:

/usr/lib/mailman/mail(/.*)?                        all files          system_u:object_r:bin_t:s0
/usr/lib/mailman.*/mail/mailman                    regular file       system_u:object_r:mailman_mail_exec_t:s0

I've created a PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/115
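The rule precedence described in comment 3 and corrected in comment 6, modelled as an added example (not code from the bug report, from selinux-policy or from libselinux): a simplified Python model of how file_contexts entries are ordered by specificity and looked up last-match-first, run against the two quoted rules, the local workaround from comment 3, and an explicit rule of the assumed shape of the fix. The stem/specificity ordering is a simplification of fc_sort and the exact fix rule in PR 115 is an assumption.

```python
import re
from dataclasses import dataclass

META = set(".^$?*+|[](){}\\")  # characters that make a path pattern a regex

@dataclass
class FcRule:
    regex: str      # path pattern as shown by 'semanage fcontext -l'
    ftype: str      # "regular file" or "all files"
    context: str
    local: bool = False  # added with 'semanage fcontext -a' (file_contexts.local)

def stem_len(regex: str) -> int:
    # length of the directory prefix before the first metacharacter (fc_sort style)
    end = next((i for i, ch in enumerate(regex) if ch in META), len(regex))
    return regex.rfind("/", 0, end)

def specificity(rule: FcRule) -> tuple:
    # simplified fc_sort order: longer stem, fewer metacharacters, longer pattern,
    # explicit file type -> more specific (sorts later in file_contexts)
    meta = sum(ch in META for ch in rule.regex)
    return (stem_len(rule.regex), -meta, len(rule.regex), rule.ftype != "all files")

def resolve(rules, path: str, regular_file: bool = True):
    # policy rules sorted least to most specific, local rules appended after them;
    # the lookup walks from the end, so the last matching rule wins
    ordered = sorted((r for r in rules if not r.local), key=specificity)
    ordered += [r for r in rules if r.local]
    for rule in reversed(ordered):
        if rule.ftype == "regular file" and not regular_file:
            continue
        if re.fullmatch(rule.regex, path):  # SELinux anchors patterns at both ends
            return rule.context
    return None

# the two clashing rules quoted in comment 6 (constructed from the page)
POLICY = [
    FcRule(r"/usr/lib/mailman/mail(/.*)?", "all files", "system_u:object_r:bin_t:s0"),
    FcRule(r"/usr/lib/mailman.*/mail/mailman", "regular file",
           "system_u:object_r:mailman_mail_exec_t:s0"),
]
MAILMAN = "/usr/lib/mailman/mail/mailman"
EXEC_T = "system_u:object_r:mailman_mail_exec_t:s0"

def shipped_policy():  # '.*' shortens the stem, so the directory rule sorts later
    return resolve(POLICY, MAILMAN)

def local_workaround():  # comment 3: a local entry is consulted before policy rules
    return resolve(POLICY + [FcRule(MAILMAN, "all files", EXEC_T, local=True)], MAILMAN)

def explicit_rule_fix():  # assumed shape of the fix: a literal path has the longest stem
    return resolve(POLICY + [FcRule(MAILMAN, "regular file", EXEC_T)], MAILMAN)
```

Running the three functions shows bin_t for the shipped rules and mailman_mail_exec_t for both the local workaround and the explicit rule, which is the behaviour the AVCs in the description and the ls -Z output in comment 3 reflect.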

Comment 7 Lukas Vrabec 2019-06-14 14:56:14 UTC
commit cd224374bb8af1cea70d86f9594b9213f23bba03 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jun 14 13:58:42 2019 +0200

    Create explicit fc rule for mailman executable BZ(1666004)

Comment 8 Fedora Update System 2019-06-18 11:33:08 UTC
FEDORA-2019-096a80ef39 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 9 Fedora Update System 2019-06-19 04:13:58 UTC
selinux-policy-3.14.2-61.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 10 Fedora Update System 2019-07-10 12:47:29 UTC
FEDORA-2019-2eec328cc1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 11 Fedora Update System 2019-07-11 03:10:55 UTC
selinux-policy-3.14.2-62.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 12 Fedora Update System 2019-07-19 08:08:46 UTC
FEDORA-2019-8071724c9b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 13 Fedora Update System 2019-07-20 03:41:52 UTC
selinux-policy-3.14.2-63.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 14 Fedora Update System 2019-08-02 07:50:17 UTC
FEDORA-2019-b51794f502 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 15 Fedora Update System 2019-08-03 02:02:19 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 16 Fedora Update System 2019-08-18 01:56:36 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

