This happened already multiple times for different folders, but always with sendmail. This is a Fedora 38 system, which I upgraded from 37.

SELinux is preventing sendmail from open access on the file /proc/sys/net/ipv6/conf/all/disable_ipv6.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sendmail should be allowed open access on the disable_ipv6 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -X 300 -i my-sendmail.pp

Additional Information:
Source Context                system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                /proc/sys/net/ipv6/conf/all/disable_ipv6 [ file ]
Source                        sendmail
Source Path                   sendmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.9-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.9-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux newcaprica 6.2.8-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 22 19:29:30 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-03-30 18:07:02 CEST
Last Seen                     2023-03-30 18:07:02 CEST
Local ID                      a524d94d-c508-4a43-81e9-dc9acdf0394a

Raw Audit Messages
type=AVC msg=audit(1680192422.976:513): avc: denied { open } for pid=9788 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=33052 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0

Hash: sendmail,logwatch_mail_t,sysctl_net_t,file,open
Hi, has it happened for different SELinux domains, i.e. other than logwatch_mail_t in the scontext=system_u:system_r:logwatch_mail_t:... record?
No, I don't think so. Unfortunately, I deleted all the old reports.
Thank you for the quick fix, at least upstream :-)
FEDORA-2023-9e48ecef73 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-9e48ecef73
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9e48ecef73 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-9e48ecef73 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
Test coverage for this bug exists in a form of PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/496
The PR waits for a review.