168027 – smtp to sendmail from network prevented when setenforce=1

Bug 168027 - smtp to sendmail from network prevented when setenforce=1

Summary: smtp to sendmail from network prevented when setenforce=1

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-09-11 01:46 UTC by Steve Kramer
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-09-24 16:42:59 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Steve Kramer 2005-09-11 01:46:14 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
This is running as a SELinux targeted policy.
When setenforce is 0, I can sendmail from an Outlook 2K client on the network using SSL on port 25.  When setenforce is set to 1, it is prevented.  The Outlook client keeps on presenting the User Name/Password dialog box, and the maillog shows:
[w.x.y.z]: did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Resetting SELinux to permissive, the smtp succeeds.

The audit.log show no record for the failure.

I'm using sendmail-8.13.4-2 (actually, everything is up-to-date via yum today).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.4-10.1

How reproducible:
Always

Steps to Reproduce:
1.Set up sendmail to accept SSL smtp on port 25 from an Outlook 2K client.
2.setenforce 1
3.Send mail to FC4 server via Outlook 2K
  

Actual Results:  The mail session fails - outlook keeps on asking for user/password, and sendmail (in maillog) says MAIL/EXPN/VRFY/ETRN was not issued.

Expected Results:  The mail should have gone through as it does with setenforce=0.

Additional info:

Workaround:
# setenforce Permissive

Comment 1 Daniel Walsh 2005-09-21 18:39:30 UTC

What avc messages are you seeing in /var/log/messages or /var/log/audit/audit.log?

Dan

Comment 2 Steve Kramer 2005-09-21 19:30:19 UTC

There are no entries in either /var/log/messages or /var/log/audit/audit.log .
--steve

Comment 3 Daniel Walsh 2005-09-22 14:07:32 UTC

Can you ps -eZ | grep sendmail


Do you have policy sources installed?

If yes could you do a 

cd /etc/selinux/targeted/src/policy
make enabledaudit; make load

Then see if there are any avc messages?

Comment 4 Steve Kramer 2005-09-24 16:42:59 UTC

Here's the data, but after the elapsed time, and yum updates, the sendmail
problem went away.  You can close this bug.

#
# ps -eZ|grep sendmail
system_u:system_r:kernel_t       3352 ?        00:00:00 sendmail-milter
system_u:system_r:kernel_t       3367 ?        00:00:00 sendmail
system_u:system_r:kernel_t       3373 ?        00:00:00 sendmail
#
# make enableaudit; make load
grep -v dontaudit policy.conf > policy.audit
mv policy.audit policy.conf
Compiling policy ...
/usr/bin/checkpolicy  -o /etc/selinux/targeted/policy/policy.19 policy.conf
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
security:  3 users, 6 roles, 872 types, 101 bools
security:  55 classes, 203038 rules
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 19) to
/etc/selinux/targeted/policy/policy.19
Loading Policy ...
/usr/sbin/load_policy /etc/selinux/targeted/policy/policy.19
touch tmp/load
install -m 644 tmp/system.users /etc/selinux/targeted/users/system.users
install -m 644 tmp/customizable_types
/etc/selinux/targeted/contexts/customizable_types 
install -m 644 tmp/port_types /etc/selinux/targeted/contexts/port_types 
Installing file contexts files...
install -m 644 file_contexts/homedir_template
/etc/selinux/targeted/contexts/files/homedir_template
install -m 644 file_contexts/file_contexts
/etc/selinux/targeted/contexts/files/file_contexts
#

Here are avc messages from /var/log/messages:
Sep 24 12:26:44 bastion kernel: security:  9 users, 6 roles, 872 types, 101 bools
Sep 24 12:26:44 bastion kernel: security:  55 classes, 203038 rules
Sep 24 12:26:44 bastion dbus: avc:  received policyload notice (seqno=8)
Sep 24 12:26:44 bastion dbus: avc:  0 AV entries and 0/512 buckets used, longest
chain length 0
Sep 24 12:26:44 bastion dbus: avc:  received policyload notice (seqno=8)
Sep 24 12:26:44 bastion dbus: avc:  1 AV entries and 1/512 buckets used, longest
chain length 1
Sep 24 12:26:44 bastion dbus: avc:  received policyload notice (seqno=8)
Sep 24 12:26:44 bastion dbus: avc:  0 AV entries and 0/512 buckets used, longest
chain length 0
Sep 24 12:26:44 bastion dbus: avc:  received policyload notice (seqno=8)
Sep 24 12:26:44 bastion dbus: avc:  0 AV entries and 0/512 buckets used, longest
chain length 0
Sep 24 12:26:44 bastion dbus: avc:  received policyload notice (seqno=8)
Sep 24 12:26:44 bastion dbus: avc:  0 AV entries and 0/512 buckets used, longest
chain length 0

From /var/log/audit/audit.log:
type=SYSCALL msg=audit(1127579204.347:13258799): arch=40000003 syscall=4
success=yes exit=5801251 a0=4 a1=b7286008 a2=588523 a3=bfae0fbc items=0
pid=30546 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="load_policy" exe="/usr/sbin/load_policy"

Note You need to log in before you can comment on or make changes to this bug.