Bug 199068 - mgetty fax reception problematic with selinux
mgetty fax reception problematic with selinux
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: mgetty (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Martin Nagy
bzcl34nup
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-16 18:31 EDT by Andreas Thienemann
Modified: 2016-07-26 19:46 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 12:07:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andreas Thienemann 2006-07-16 18:31:40 EDT
Reception of incoming faxes is problematic as long as selinux policies are being
enforced.
In addition to this, the new_fax script in /etc/mgetty+sendfax cannot be
executed as well:

07/16 23:41:18 yI1  start fax receiver...
07/16 23:41:18 yI1  fax_wait_for(OK)
07/16 23:41:22 yI1  transmission par.: '+FDCS:0,5,0,2,3,2,0,0'** found **
07/16 23:41:22 yI1  fax_get_pages: can't write to '/var/spool/fax/incoming':
Permission denied
07/16 23:41:22 yI1  fax_send: 'AT+FDR'
07/16 23:41:22 yI1  fax_wait_for(CONNECT)
07/16 23:41:22 yI1  fax_id: '+FTSI:"    +49 1234 5678"'
07/16 23:41:22 yI1  transmission par.: '+FDCS:0,5,0,2,0,2,0,0'** found **
07/16 23:41:25 yI1  fax_get_page_data: receiving
/tmp/fn4bab26eI1-49-7033-4007950.01...
07/16 23:41:32 yI1  fax_get_page_data: page end, bytes received: 17360
07/16 23:41:32 yI1  fax_wait_for(OK)
07/16 23:41:32 yI1  page status: +FPTS:1** found **
07/16 23:41:32 yI1  fax_send: 'AT+FDR'
07/16 23:41:32 yI1  fax_wait_for(CONNECT)
07/16 23:41:35 yI1  connection hangup: '+FHNG:0'** found **
07/16 23:41:35 yI1  fax_notify_mail: mailer exit status: 32512 (127)
07/16 23:41:35 yI1  system() failed: Permission denied
07/16 23:41:35 ##### fax dev=ttyI1, pid=2136, caller='35', name='', id='+49 1234
5678', +FHNG=000, pages=1/0, time=00:00:33

The audit log states:

type=AVC msg=audit(1153086082.315:51): avc:  denied  { search } for  pid=2136
comm="mgetty" name="spool" dev=md2 ino=1572905
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_spool_t:s0
tclass=dir
type=SYSCALL msg=audit(1153086082.315:51): arch=40000003 syscall=33 success=no
exit=-13 a0=bfa62ac8 a1=2 a2=17 a3=805b776 items=1 pid=2136 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty"
exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153086082.315:51):  cwd="/"
type=PATH msg=audit(1153086082.315:51): item=0 name="/var/spool/fax/incoming"
obj=system_u:object_r:wtmp_t:s0
type=AVC msg=audit(1153086095.856:52): avc:  denied  { read } for  pid=2137
comm="mgetty" name="sh" dev=md2 ino=1212421
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0
tclass=lnk_file
type=SYSCALL msg=audit(1153086095.856:52): arch=40000003 syscall=11 success=no
exit=-13 a0=4b4556 a1=bfa61d10 a2=bfa638e4 a3=400 items=1 pid=2137
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153086095.856:52):  cwd="/"
type=PATH msg=audit(1153086095.856:52): item=0 name="/bin/sh" parent=0 dev=00:00
mode=00 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1153086095.860:53): avc:  denied  { getattr } for  pid=2136
comm="mgetty" name="[7592]" dev=pipefs ino=7592
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0
tclass=fifo_file
type=SYSCALL msg=audit(1153086095.860:53): arch=40000003 syscall=197 success=no
exit=-13 a0=6 a1=bfa62694 a2=4ccff4 a3=954c858 items=0 pid=2136 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty"
exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=AVC_PATH msg=audit(1153086095.860:53):  path="pipe:[7592]"
type=AVC msg=audit(1153086095.860:54): avc:  denied  { write } for  pid=2136
comm="mgetty" name="[7592]" dev=pipefs ino=7592
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0
tclass=fifo_file
type=SYSCALL msg=audit(1153086095.860:54): arch=40000003 syscall=4 success=no
exit=-13 a0=6 a1=b7f14000 a2=20b a3=20b items=0 pid=2136 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty"
exe="/sbin/mgetty"
subj=system_u:system_r:getty_t:s0
type=AVC_PATH msg=audit(1153086095.860:54):  path="pipe:[7592]"
type=AVC msg=audit(1153086095.872:55): avc:  denied  { setpgid } for  pid=2138
comm="mgetty" scontext=system_u:system_r:getty_t:s0
tcontext=system_u:system_r:getty_t:s0 tclass=process
type=SYSCALL msg=audit(1153086095.872:55): arch=40000003 syscall=57 success=no
exit=-13 a0=0 a1=0 a2=954c858 a3=1 items=0 pid=2138 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty"
exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=AVC msg=audit(1153086095.876:56): avc:  denied  { read } for  pid=2139
comm="mgetty" name="sh" dev=md2 ino=1212421
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0
tclass=lnk_file
type=SYSCALL msg=audit(1153086095.876:56): arch=40000003 syscall=11 success=no
exit=-13 a0=4b4556 a1=bfa62e64 a2=954d8f0 a3=bfa62e84 items=1 pid=2139
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153086095.876:56):  cwd="/"
type=PATH msg=audit(1153086095.876:56): item=0 name="/bin/sh" parent=0 dev=00:00
mode=00 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1153086160.724:57): avc:  denied  { search } for  pid=2140
comm="mgetty" name="spool" dev=md2 ino=1572905
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_spool_t:s0
tclass=dir
Comment 2 Daniel Walsh 2006-09-18 15:05:49 EDT
Fixed in selinux-policy-2.3.14-4
Comment 3 Penelope Fudd 2006-12-24 17:16:00 EST
Problem occurs in FC6, selinux-policy-2.4.6-13.fc6:

Dec 24 14:11:24 kirk mgetty[30642]: cannot set controlling tty (ioctl):
Operation not permitted
Dec 24 14:11:33 kirk kernel: audit(1166998293.240:9): avc:  denied  { write }
for  pid=30642 comm="mgetty" name="incoming" dev=dm-0 ino=14189979
scontext=system_u:system_r:getty_t:s0 tcontext=user_u:object_r:var_spool_t:s0
tclass=dir
Dec 24 14:11:33 kirk mgetty[30642]: fax_get_pages: can't write to
'/var/spool/fax/incoming': Permission denied
Dec 24 14:13:34 kirk kernel: audit(1166998414.021:10): avc:  denied  { read }
for  pid=32142 comm="mgetty" name="sh" dev=dm-0 ino=14974981
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0
tclass=lnk_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:11): avc:  denied  { getattr }
for  pid=30642 comm="mgetty" name="[2303518]" dev=pipefs ino=2303518
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0
tclass=fifo_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:12): avc:  denied  { write }
for  pid=30642 comm="mgetty" name="[2303518]" dev=pipefs ino=2303518
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0
tclass=fifo_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:13): avc:  denied  { setpgid }
for  pid=32143 comm="mgetty" scontext=system_u:system_r:getty_t:s0
tcontext=system_u:system_r:getty_t:s0 tclass=process
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:14): avc:  denied  { read }
for  pid=32144 comm="mgetty" name="sh" dev=dm-0 ino=14974981
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0
tclass=lnk_file
Dec 24 14:13:34 kirk mgetty[30642]: fax dev=ttyS0, pid=30642, caller='none',
name='', id='', +FHNG=000, pages=4/0, time=00:02:10 
Dec 24 14:13:34 kirk mgetty[32143]: system() failed: Permission denied
Comment 4 Penelope Fudd 2006-12-24 17:19:49 EST
In addition, /var/spool/fax/incoming didn't exist until I created it just now. 
Am I missing a package?

Also, what command installs an updated selinux-policy?
Comment 5 Penelope Fudd 2006-12-24 18:34:32 EST
Amendment to previous comment:

I hadn't installed mgetty-sendfax yet, so /var/spool/fax/{incoming,outgoing}
hadn't been created.  That package has been installed now, then removed, then
installed again, in the hopes of resetting everything to what it should be. 
Didn't work.

This command updates the selinux attributes for an rpm package's files:
fixfiles -R mgetty-sendfax restore
Didn't fix anything here.

Additionally, /var/spool/fax/incoming should be created as part of the mgetty
rpm instead of mgetty+sendfax package, as mgetty can receive faxes without
'sendfax' being present.  Instead, mgetty will put the faxes in /tmp.
Comment 6 Daniel Walsh 2006-12-29 11:15:40 EST
If /var/spool/fax is used by mgetty package without sendfax, it should be
created and owned by mgetty package.  This will cause the labeling to happen
correctly.

restorecon -R -v /var/spool/

Should fix the labeling.

For other fixes you can use audit2allow -M mygetty -i /var/log/audit/audit.log
(or /var/log/messages)

To customize policy.
Comment 7 Bug Zapper 2008-04-03 23:19:03 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 8 Bug Zapper 2008-05-06 12:07:34 EDT
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen thus bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.