Bug 2208696 - SELinux is preventing smtpd from using the 'sys_chroot' capabilities.
Summary: SELinux is preventing smtpd from using the 'sys_chroot' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:deb41a66c1bb9f411051584efa2...
Depends On:
Blocks:
 
Reported: 2023-05-20 01:02 UTC by Stuart D Gathman
Modified: 2023-10-17 04:25 UTC (History)
CC List: 9 users

Fixed In Version: selinux-policy-38.17-1.fc38
Clone Of:
Environment:
Last Closed: 2023-06-18 01:30:01 UTC
Type: ---
Embargoed:


Attachments
File: description (1.83 KB, text/plain), 2023-05-20 01:02 UTC, Stuart D Gathman
File: os_info (667 bytes, text/plain), 2023-05-20 01:02 UTC, Stuart D Gathman


Links
GitHub fedora-selinux/selinux-policy pull 1701 (open): Update sendmail policy module for opensmtpd, last updated 2023-05-23 15:32:19 UTC

Description Stuart D Gathman 2023-05-20 01:02:09 UTC
Description of problem:
systemctl start opensmtpd
SELinux is preventing smtpd from using the 'sys_chroot' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpd should have the sys_chroot capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp

Additional Information:
Source Context                system_u:system_r:sendmail_t:s0
Target Context                system_u:system_r:sendmail_t:s0
Target Objects                Unknown [ capability ]
Source                        smtpd
Source Path                   smtpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.12-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.12-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.15-300.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu May 11 17:37:39 UTC 2023
                              x86_64
Alert Count                   20
First Seen                    2023-05-04 14:02:13 EDT
Last Seen                     2023-05-19 20:41:56 EDT
Local ID                      506ac220-4ab9-4b29-baa9-67cd947dc102

Raw Audit Messages
type=AVC msg=audit(1684543316.755:729): avc:  denied  { sys_chroot } for  pid=326477 comm="smtpd" capability=18  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0


Hash: smtpd,sendmail_t,sendmail_t,capability,sys_chroot

Version-Release number of selected component:
selinux-policy-targeted-38.12-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing smtpd from using the 'sys_chroot' capabilities.
package:        selinux-policy-targeted-38.12-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.2.15-300.fc38.x86_64
comment:        systemctl start opensmtpd
component:      selinux-policy

Comment 1 Stuart D Gathman 2023-05-20 01:02:12 UTC
Created attachment 1965814 [details]
File: description

Comment 2 Stuart D Gathman 2023-05-20 01:02:13 UTC
Created attachment 1965815 [details]
File: os_info

Comment 3 Stuart D Gathman 2023-05-20 01:20:03 UTC
Also needed to allow unlinking the socket.  Note, this is opensmtpd, NOT sendmail.  The selinux policies seem to have been merged.
#============= sendmail_t ==============

#!!!! This avc is allowed in the current policy
allow sendmail_t self:capability { fowner sys_chroot };

#!!!! This avc is allowed in the current policy
allow sendmail_t var_run_t:sock_file create;
allow sendmail_t var_run_t:sock_file { setattr unlink };

Comment 4 Zdenek Pytela 2023-05-23 15:32:19 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1701

Please check with the scratchbuild (Checks -> Artifacts -> rpms.zip) whether the update is sufficient.

Comment 5 Milos Malik 2023-05-31 07:57:03 UTC
Before installing the scratch build, the following SELinux denials appeared in enforcing mode:
----
type=PROCTITLE msg=audit(05/31/2023 03:53:55.969:802) : proctitle=smtpd: scheduler 
type=PATH msg=audit(05/31/2023 03:53:55.969:802) : item=0 name=/var/empty/smtpd inode=271613 dev=fc:02 mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:53:55.969:802) : cwd=/ 
type=SYSCALL msg=audit(05/31/2023 03:53:55.969:802) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x55ad0e8f88c4 a1=0x7 a2=0x55ad0e912620 a3=0x0 items=1 ppid=6830 pid=6836 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:53:55.969:802) : avc:  denied  { sys_chroot } for  pid=6836 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(05/31/2023 03:53:55.971:803) : proctitle=/usr/sbin/smtpd -x queue 
type=PATH msg=audit(05/31/2023 03:53:55.971:803) : item=0 name=/var/spool/smtpd/temporary inode=271619 dev=fc:02 mode=dir,000 ouid=smtpq ogid=root rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:53:55.971:803) : cwd=/ 
type=SYSCALL msg=audit(05/31/2023 03:53:55.971:803) : arch=x86_64 syscall=chmod success=no exit=EPERM(Operation not permitted) a0=0x55fb3f07aacc a1=0700 a2=0x0 a3=0x0 items=1 ppid=6830 pid=6835 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:53:55.971:803) : avc:  denied  { fowner } for  pid=6835 comm=smtpd capability=fowner  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(05/31/2023 03:53:55.972:804) : proctitle=/usr/sbin/smtpd -x pony 
type=PATH msg=audit(05/31/2023 03:53:55.972:804) : item=0 name=/var/empty/smtpd inode=271613 dev=fc:02 mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:53:55.972:804) : cwd=/ 
type=SYSCALL msg=audit(05/31/2023 03:53:55.972:804) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x557e9e0a38c4 a1=0x7f7caada0505 a2=0x0 a3=0x7f7caad85ac0 items=1 ppid=6830 pid=6834 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:53:55.972:804) : avc:  denied  { sys_chroot } for  pid=6834 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(05/31/2023 03:53:55.972:805) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(05/31/2023 03:53:55.972:805) : item=1 name=/var/run/smtpd.sock nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/31/2023 03:53:55.972:805) : item=0 name=/var/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:53:55.972:805) : cwd=/ 
type=SOCKADDR msg=audit(05/31/2023 03:53:55.972:805) : saddr={ saddr_fam=local path=/var/run/smtpd.sock } 
type=SYSCALL msg=audit(05/31/2023 03:53:55.972:805) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffcd0a07970 a2=0x6e a3=0x70 items=2 ppid=6830 pid=6832 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:53:55.972:805) : avc:  denied  { create } for  pid=6832 comm=smtpd name=smtpd.sock scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
----

# rpm -qa selinux\* opensmtp\* | sort
opensmtpd-6.8.0p2-11.fc38.x86_64
selinux-policy-38.14-1.fc39.noarch
selinux-policy-devel-38.14-1.fc39.noarch
selinux-policy-targeted-38.14-1.fc39.noarch
#

Comment 6 Milos Malik 2023-05-31 08:00:13 UTC
Before installing the scratch build, the following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(05/31/2023 03:57:35.355:811) : proctitle=/usr/sbin/smtpd -x pony 
type=PATH msg=audit(05/31/2023 03:57:35.355:811) : item=0 name=/var/empty/smtpd inode=271613 dev=fc:02 mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:57:35.355:811) : cwd=/ 
type=SYSCALL msg=audit(05/31/2023 03:57:35.355:811) : arch=x86_64 syscall=chroot success=yes exit=0 a0=0x562b28cb48c4 a1=0x7fa81d9a0505 a2=0x0 a3=0x7fa81d985ac0 items=1 ppid=6866 pid=6870 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:57:35.355:811) : avc:  denied  { sys_chroot } for  pid=6870 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(05/31/2023 03:57:35.356:812) : proctitle=/usr/sbin/smtpd -x queue 
type=PATH msg=audit(05/31/2023 03:57:35.356:812) : item=0 name=/var/spool/smtpd/temporary inode=271620 dev=fc:02 mode=dir,000 ouid=smtpq ogid=root rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:57:35.356:812) : cwd=/ 
type=SYSCALL msg=audit(05/31/2023 03:57:35.356:812) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x5576f4f2eacc a1=0700 a2=0x0 a3=0x0 items=1 ppid=6866 pid=6871 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:57:35.356:812) : avc:  denied  { fowner } for  pid=6871 comm=smtpd capability=fowner  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=1 
----
type=PROCTITLE msg=audit(05/31/2023 03:57:35.356:813) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(05/31/2023 03:57:35.356:813) : item=1 name=/var/run/smtpd.sock inode=1521 dev=00:18 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/31/2023 03:57:35.356:813) : item=0 name=/var/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:57:35.356:813) : cwd=/ 
type=SOCKADDR msg=audit(05/31/2023 03:57:35.356:813) : saddr={ saddr_fam=local path=/var/run/smtpd.sock } 
type=SYSCALL msg=audit(05/31/2023 03:57:35.356:813) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xa a1=0x7ffeb680bd60 a2=0x6e a3=0x70 items=2 ppid=6866 pid=6868 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:57:35.356:813) : avc:  denied  { create } for  pid=6868 comm=smtpd name=smtpd.sock scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(05/31/2023 03:57:35.356:814) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(05/31/2023 03:57:35.356:814) : item=0 name=/var/run/smtpd.sock inode=1521 dev=00:18 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/31/2023 03:57:35.356:814) : cwd=/ 
type=SYSCALL msg=audit(05/31/2023 03:57:35.356:814) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x55c7e8f42e0d a1=0666 a2=0x6e a3=0x70 items=1 ppid=6866 pid=6868 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(05/31/2023 03:57:35.356:814) : avc:  denied  { setattr } for  pid=6868 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1521 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1 
----

# semanage fcontext -l | grep smtpd
/usr/bin/msmtpd                                    regular file       system_u:object_r:sendmail_exec_t:s0 
/usr/libexec/postfix/smtpd                         regular file       system_u:object_r:postfix_smtpd_exec_t:s0 
/usr/sbin/smtpd                                    regular file       system_u:object_r:sendmail_exec_t:s0 
/var/qmail/bin/qmail-smtpd                         regular file       system_u:object_r:qmail_smtpd_exec_t:s0 
/var/spool/smtpd(/.*)?                             all files          system_u:object_r:mail_spool_t:s0 
# matchpathcon /var/run/smtpd.sock
/var/run/smtpd.sock	system_u:object_r:var_run_t:s0
#

Comment 7 Zdenek Pytela 2023-05-31 11:19:51 UTC
PR updated to set default label for /var/run/smtpd.sock

Comment 9 Milos Malik 2023-06-02 13:29:39 UTC
I downloaded the rpms.zip file from the following page:
 * https://github.com/fedora-selinux/selinux-policy/pull/1701

and retested the scenario.

# rpm -qa selinux\* opensmtp\* | sort
opensmtpd-6.8.0p2-11.fc38.x86_64
selinux-policy-38.15-1.20230531_090952.399e32f.fc39.noarch
selinux-policy-devel-38.15-1.20230531_090952.399e32f.fc39.noarch
selinux-policy-targeted-38.15-1.20230531_090952.399e32f.fc39.noarch
#

The following SELinux denials appeared during my testing:
----
type=PROCTITLE msg=audit(06/02/2023 09:07:25.357:679) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(06/02/2023 09:07:25.357:679) : item=1 name=/var/run/smtpd.sock nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/02/2023 09:07:25.357:679) : item=0 name=/var/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/02/2023 09:07:25.357:679) : cwd=/ 
type=SOCKADDR msg=audit(06/02/2023 09:07:25.357:679) : saddr={ saddr_fam=local path=/var/run/smtpd.sock } 
type=SYSCALL msg=audit(06/02/2023 09:07:25.357:679) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffce2d9e530 a2=0x6e a3=0x70 items=2 ppid=4382 pid=4389 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(06/02/2023 09:07:25.357:679) : avc:  denied  { create } for  pid=4389 comm=smtpd name=smtpd.sock scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/02/2023 09:13:41.591:694) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(06/02/2023 09:13:41.591:694) : item=0 name=/var/run/smtpd.sock inode=1410 dev=00:18 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sendmail_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/02/2023 09:13:41.591:694) : cwd=/ 
type=SYSCALL msg=audit(06/02/2023 09:13:41.591:694) : arch=x86_64 syscall=chmod success=no exit=EACCES(Permission denied) a0=0x55f45ae44e0d a1=0666 a2=0x6e a3=0x70 items=1 ppid=7082 pid=7089 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(06/02/2023 09:13:41.591:694) : avc:  denied  { setattr } for  pid=7089 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1410 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/02/2023 09:13:41.595:695) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(06/02/2023 09:13:41.595:695) : item=1 name=/var/run/smtpd.sock inode=1410 dev=00:18 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sendmail_var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/02/2023 09:13:41.595:695) : item=0 name=/var/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/02/2023 09:13:41.595:695) : cwd=/ 
type=SYSCALL msg=audit(06/02/2023 09:13:41.595:695) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x55f45ae44e0d a1=0x1b6 a2=0xffffffffffffff88 a3=0x70 items=2 ppid=7082 pid=7089 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(06/02/2023 09:13:41.595:695) : avc:  denied  { unlink } for  pid=7089 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1410 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/02/2023 09:13:46.432:700) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(06/02/2023 09:13:46.432:700) : item=0 name=/var/run/smtpd.sock inode=1410 dev=00:18 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sendmail_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/02/2023 09:13:46.432:700) : cwd=/ 
type=SOCKADDR msg=audit(06/02/2023 09:13:46.432:700) : saddr={ saddr_fam=local path=/var/run/smtpd.sock } 
type=SYSCALL msg=audit(06/02/2023 09:13:46.432:700) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffe437eee60 a2=0x6e a3=0x70 items=1 ppid=7361 pid=7367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(06/02/2023 09:13:46.432:700) : avc:  denied  { write } for  pid=7367 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1410 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(06/02/2023 09:13:46.435:701) : proctitle=/usr/sbin/smtpd -x control 
type=PATH msg=audit(06/02/2023 09:13:46.435:701) : item=1 name=/var/run/smtpd.sock inode=1410 dev=00:18 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sendmail_var_run_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/02/2023 09:13:46.435:701) : item=0 name=/var/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/02/2023 09:13:46.435:701) : cwd=/ 
type=SYSCALL msg=audit(06/02/2023 09:13:46.435:701) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x556b57aa6e0d a1=0x7ffe437eee60 a2=0xffffffffffffff88 a3=0x70 items=2 ppid=7361 pid=7367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
type=AVC msg=audit(06/02/2023 09:13:46.435:701) : avc:  denied  { unlink } for  pid=7367 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1410 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0 
----

Iteratively, I created a special policy module to fix them.

The scenario works successfully in enforcing mode after loading the following policy module:

# cat mypolicy.cil 
( allow sendmail_t sendmail_var_run_t ( sock_file ( create setattr unlink write )))
#
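The CIL module above is what you get by reducing the AVC records in Comments 5, 6 and 9 to one rule per (source type, target type, object class). The script below is an added example that does that reduction in the style of audit2allow; it is not part of this bug report or of the selinux-policy project. The sample records are copied from the comments above; everything else (function names, the `Denial` record) is the example's own. It also shows why Comment 7 set a default label before widening the rule: fed the Comment 5 record, where `/var/run/smtpd.sock` was still labelled `var_run_t`, the same procedure would produce a rule against the generic `var_run_t` type instead of the narrow `sendmail_var_run_t`.

```python
"""Aggregate SELinux AVC denials into CIL allow rules (audit2allow-style).

Added example for Bug 2208696; not code from the bug or from selinux-policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches both raw audit.log records and the `ausearch -i` form quoted in
# the bug; only the fields needed to build a rule are captured.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# AVC records copied from Comments 5 and 9 (one PROCTITLE record included
# to show that non-AVC lines are skipped).
SAMPLE_AVC = """\
type=AVC msg=audit(05/31/2023 03:53:55.969:802) : avc:  denied  { sys_chroot } for  pid=6836 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/31/2023 03:53:55.971:803) : avc:  denied  { fowner } for  pid=6835 comm=smtpd capability=fowner  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0
type=AVC msg=audit(06/02/2023 09:07:25.357:679) : avc:  denied  { create } for  pid=4389 comm=smtpd name=smtpd.sock scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(06/02/2023 09:13:41.591:694) : avc:  denied  { setattr } for  pid=7089 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1410 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(06/02/2023 09:13:41.595:695) : avc:  denied  { unlink } for  pid=7089 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1410 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(06/02/2023 09:13:46.432:700) : avc:  denied  { write } for  pid=7367 comm=smtpd name=smtpd.sock dev="tmpfs" ino=1410 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0
type=PROCTITLE msg=audit(06/02/2023 09:13:46.432:700) : proctitle=/usr/sbin/smtpd -x control
"""

# The Comment 5 'create' denial, before the PR relabelled the socket path.
SAMPLE_BEFORE_RELABEL = """\
type=AVC msg=audit(05/31/2023 03:53:55.972:805) : avc:  denied  { create } for  pid=6832 comm=smtpd name=smtpd.sock scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""


@dataclass(frozen=True)
class Denial:
    stype: str       # source (process) type, e.g. sendmail_t
    ttype: str       # target type, e.g. sendmail_var_run_t
    tclass: str      # object class, e.g. sock_file
    perms: frozenset
    enforced: bool   # permissive=0: the access was actually blocked


def type_of(context: str) -> str:
    """user:role:type[:range] -> type; the type is always the third field."""
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Extract denials; non-AVC records and 'granted' records are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["verdict"] != "denied":
            continue
        denials.append(Denial(
            stype=type_of(m["scontext"]),
            ttype=type_of(m["tcontext"]),
            tclass=m["tclass"],
            perms=frozenset(m["perms"].split()),
            enforced=m["permissive"] != "1",
        ))
    return denials


def aggregate(denials) -> dict:
    """Merge permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.stype, d.ttype, d.tclass)].update(d.perms)
    return merged


def to_cil(merged: dict) -> list:
    """One CIL allow rule per key; `self` when source and target type match."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"(allow {stype} {target} ({tclass} ({' '.join(sorted(perms))})))")
    return rules


def cil_rules(text: str) -> list:
    return to_cil(aggregate(parse_avc(text)))


if __name__ == "__main__":
    for rule in cil_rules(SAMPLE_AVC):
        print(rule)
    print("with the pre-PR label:", *cil_rules(SAMPLE_BEFORE_RELABEL))
```

Run against `SAMPLE_AVC` it yields the capability rule plus exactly the `sock_file` rule from `mypolicy.cil` above. Treat the output as a review aid, not as something to load as-is: a rule whose target is a broad type such as `var_run_t` grants the domain that access to every object carrying that label, which is why the fix in this bug narrows the label first and then allows only the permissions the denials show.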

Comment 10 Zdenek Pytela 2023-06-02 15:05:16 UTC
PR has been updated; note scratchbuilding currently does not work (dnf packages clash in rawhide)

Comment 11 Fedora Update System 2023-06-15 20:24:45 UTC
FEDORA-2023-9050c32c92 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-9050c32c92

Comment 12 Fedora Update System 2023-06-16 04:35:06 UTC
FEDORA-2023-9050c32c92 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-9050c32c92`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-9050c32c92

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2023-06-18 01:30:01 UTC
FEDORA-2023-9050c32c92 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Red Hat Bugzilla 2023-10-17 04:25:02 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

