Bug 216324 - /usr/bin/uux can't access files in /var/{log,spool}/uucp (or its own binary) when run from postfix
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
Blocks:
Reported: 2006-11-19 05:17 EST by Nils Philippsen
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:14:09 EDT
Attachments
te file (854 bytes, application/octet-stream), 2006-11-20 15:40 EST, Daniel Walsh
if file (1.34 KB, application/octet-stream), 2006-11-20 15:41 EST, Daniel Walsh
fc file (64 bytes, application/octet-stream), 2006-11-20 15:41 EST, Daniel Walsh

Description Nils Philippsen 2006-11-19 05:17:09 EST
Description of problem:

When called by postfix to execute remotely queued UUCP commands, several actions
uux wants to do are denied by SELinux.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.4.3-2.fc6
uucp-1.07-12
postfix-2.3.3-2

How reproducible:

Reproducible (the alerts come regularly).

Steps to Reproduce:
1. Set up system as a UUCP node sending and receiving mail via UUCP (over TCP)
from an external server.
2. Get mail sent from outside.
  
Actual results:

With /usr/bin/uux being labelled as "-r-sr-xr-x uucp uucp
system_u:object_r:bin_t /usr/bin/uux", I get e.g.:

avc: denied { getattr } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='0' fsgid='14' fsuid='10' gid='14' items='0'
name='"Log"' path='"/var/log/uucp/Log"' pid='9856'
scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:uucpd_log_t:s0 tty='(none)' uid='10' 

avc: denied { append } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='4' fsgid='14' fsuid='10' gid='14' items='0'
name='"Log"' pid='9856' scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:uucpd_log_t:s0 tty='(none)' uid='10' 

avc: denied { unlink } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='0' fsgid='14' fsuid='10' gid='14' items='0'
name='"TMP00000001fe"' pid='510' scontext=system_u:system_r:postfix_pipe_t:s0
sgid='14' subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:uucpd_spool_t:s0 tty='(none)' uid='10'

avc: denied { getattr } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='0' fsgid='14' fsuid='10' gid='14' items='0'
name='"D.05SN"' path='"/var/spool/uucp/winz/D./D.05SN"' pid='510'
scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:uucpd_spool_t:s0 tty='(none)' uid='10' 

avc: denied { create } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='4' fsgid='14' fsuid='10' gid='14' items='0'
name='"D.05SN"' pid='510' scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:uucpd_spool_t:s0 tty='(none)' uid='10' 

avc: denied { lock } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='0' fsgid='14' fsuid='10' gid='14' items='0'
name='"SEQF"' path='"/var/spool/uucp/winz/SEQF"' pid='9858'
scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:uucpd_spool_t:s0 tty='(none)' uid='10' 

avc: denied { read, write } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='4' fsgid='14' fsuid='10' gid='14' items='0'
name='"SEQF"' pid='9858' scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:uucpd_spool_t:s0 tty='(none)' uid='10' 

avc: denied { search } for comm='"uux"' dev='dm-0' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='0' fsgid='14' fsuid='10' gid='14' items='0'
name='"uucp"' pid='9858' scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='dir'
tcontext=system_u:object_r:uucpd_spool_t:s0 tty='(none)' uid='10' 

avc: denied { read } for comm='"uux"' dev='dm-2' egid='14' euid='10'
exe='"/usr/bin/uux"' exit='0' fsgid='14' fsuid='10' gid='14' items='0'
name='"uux"' path='"/usr/bin/uux"' pid='9856'
scontext=system_u:system_r:postfix_pipe_t:s0 sgid='14'
subj='system_u:system_r:postfix_pipe_t:s0' suid='10' tclass='file'
tcontext=system_u:object_r:bin_t:s0 tty='(none)' uid='10' 

and many more.

Expected results:

File ops on these files granted, no AVC alerts.

Additional info:
Comment 1 Daniel Walsh 2006-11-20 15:40:57 EST
Created attachment 141689 [details]
te file
Comment 2 Daniel Walsh 2006-11-20 15:41:20 EST
Created attachment 141690 [details]
if file
Comment 3 Daniel Walsh 2006-11-20 15:41:44 EST
Created attachment 141691 [details]
fc file
Comment 4 Daniel Walsh 2006-11-20 15:44:30 EST
I have built a policy for uux, I will add this to policy once it is working.

Could you extract the three attachments above into their own directory.

Then install selinux-policy-devel
And execute

make -f /usr/share/selinux/devel/Makefile
semodule -i uux.pp
restorecon /usr/bin/uux
setenforce 0
Run the test with postfix.

Send me the avc messages that are generated.
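The AVC messages in the description are the raw material for the .te file that Comment 4 asks the reporter to build and test. The script below, an added example that is not part of the bug report or of Fedora's selinux-policy, groups those denials the way a policy author (or audit2allow) does before writing rules: it parses each record, reduces the source and target contexts to their type fields, merges the denied permissions per (source type, target type, object class) tuple, and emits one allow rule per tuple plus the concrete paths that were touched. The sample lines are constructed from the description's messages, re-joined onto single lines and trimmed to the fields the parser reads; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in the bug description, each
# re-joined onto a single line (the tracker wrapped them) and trimmed to the fields
# used below. Real audit records carry more fields; the regexes simply ignore them.
SAMPLE_AVCS = """\
avc: denied { getattr } for comm='"uux"' exe='"/usr/bin/uux"' name='"Log"' path='"/var/log/uucp/Log"' pid='9856' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:uucpd_log_t:s0
avc: denied { append } for comm='"uux"' exe='"/usr/bin/uux"' name='"Log"' pid='9856' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:uucpd_log_t:s0
avc: denied { unlink } for comm='"uux"' exe='"/usr/bin/uux"' name='"TMP00000001fe"' pid='510' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:uucpd_spool_t:s0
avc: denied { getattr } for comm='"uux"' exe='"/usr/bin/uux"' name='"D.05SN"' path='"/var/spool/uucp/winz/D./D.05SN"' pid='510' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:uucpd_spool_t:s0
avc: denied { create } for comm='"uux"' exe='"/usr/bin/uux"' name='"D.05SN"' pid='510' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:uucpd_spool_t:s0
avc: denied { lock } for comm='"uux"' exe='"/usr/bin/uux"' name='"SEQF"' path='"/var/spool/uucp/winz/SEQF"' pid='9858' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:uucpd_spool_t:s0
avc: denied { read, write } for comm='"uux"' exe='"/usr/bin/uux"' name='"SEQF"' pid='9858' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:uucpd_spool_t:s0
avc: denied { search } for comm='"uux"' exe='"/usr/bin/uux"' name='"uucp"' pid='9858' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='dir' tcontext=system_u:object_r:uucpd_spool_t:s0
avc: denied { read } for comm='"uux"' exe='"/usr/bin/uux"' name='"uux"' path='"/usr/bin/uux"' pid='9856' scontext=system_u:system_r:postfix_pipe_t:s0 tclass='file' tcontext=system_u:object_r:bin_t:s0
"""

# The permission set sits between braces right after "avc: denied".
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# Each context field is searched independently so the record's field order
# does not matter (kernel audit output and setroubleshoot output differ here).
FIELD_RES = {
    "scontext": re.compile(r"\bscontext=(\S+)"),
    "tcontext": re.compile(r"\btcontext=(\S+)"),
    "tclass": re.compile(r"\btclass='?(\w+)'?"),
}
# path='"/some/file"' : present only when the kernel could resolve a path.
PATH_RE = re.compile(r"path='\"([^\"]+)\"'")


def parse_avc(line):
    """Return a dict with perms/scontext/tcontext/tclass/path, or None if not an AVC denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    rec = {"perms": [p for p in re.split(r"[,\s]+", m.group(1)) if p]}
    for key, rx in FIELD_RES.items():
        fm = rx.search(line)
        if not fm:
            return None  # an incomplete record is not worth guessing about
        rec[key] = fm.group(1)
    pm = PATH_RE.search(line)
    rec["path"] = pm.group(1) if pm else None
    return rec


def type_of(context):
    """'user:role:type:level' -> 'type' (the part a policy rule names)."""
    return context.split(":")[2]


def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        denied[key].update(rec["perms"])
    return dict(denied)


def allow_rules(text):
    """Render the summary as raw policy allow rules, one per tuple, in sorted order."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def denied_paths(text):
    """Map target type -> sorted list of concrete paths that appeared in denials."""
    paths = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["path"]:
            paths[type_of(rec["tcontext"])].add(rec["path"])
    return {t: sorted(p) for t, p in paths.items()}


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for ttype, paths in sorted(denied_paths(SAMPLE_AVCS).items()):
        print(f"{ttype}: {', '.join(paths)}")
```

Run against the sample, the output is four rules, all with postfix_pipe_t as the source type, because every denial in the report has scontext=postfix_pipe_t while exe=/usr/bin/uux is labelled bin_t: no domain transition took place, so uux ran inside postfix's pipe-transport domain. Granting those rules to postfix_pipe_t itself would give every pipe transport postfix runs the same access to the uucp spool and log, which is the trade-off a policy author weighs before pasting audit2allow output into a module; the attachments' contents are not on this page, but the fc file and the `restorecon /usr/bin/uux` step in Comment 4 presumably give uux an executable type of its own so that it can run in a dedicated domain instead.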
Comment 5 Daniel Walsh 2006-11-28 16:17:30 EST
Fixed in selinux-policy-2.4.5-3.fc6
Comment 6 Daniel Walsh 2007-08-22 10:14:09 EDT
Fixed in current release
