Bug 249370 - selinux strict policy clash with sendmail/procmail on default system
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: x86_64 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-07-23 23:23 EDT by Douglas Campbell
Modified: 2007-11-30 17:12 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-07-24 08:41:56 EDT
Description Douglas Campbell 2007-07-23 23:23:41 EDT
Description of problem:


Version-Release number of selected component (if applicable):
unknown component

How reproducible:
selinux with strict policy will let neither sendmail nor procmail access /root
directory


Steps to Reproduce:
1.  Install fc7 dvd with sendmail/procmail support enabled
2.  boot system
3.  login as nonroot
4.  After a short while, setroubleshooter display pops up.

Actual results:
Logged messages:
  avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0
exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root"
pid=4125 scontext=system_u:system_r:procmail_t:s0 sgid=0
subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0 

avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=51
exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=51 gid=51 items=0
name="root" path="/root" pid=3846 scontext=system_u:system_r:system_mail_t:s0
sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=51 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=51 

The help message by setroubleshoot is also problematic -- the primary solution
requires a reboot, while the secondary solution is not offered:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"


Expected results:
No setroubleshoot display with default system.


Additional info:
Comment 1 Douglas Campbell 2007-07-23 23:25:02 EDT
uid 51 is smmsp.
Comment 2 Daniel Walsh 2007-07-24 08:41:56 EDT
Your root directory is mislabeled.

restorecon -R -v /root
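
Both denials in the description have a target context of type default_t, the fallback type that files get when they match no more specific file-context rule, which is what points at a missing label rather than a policy gap. The following is an added example, not part of the original bug thread or of setroubleshoot: a small triage script that pulls such denials out of a log and prints the restorecon command from Comment 2 for any target logged with a full path. The function names, the abridged log lines and the third (invented) denial are assumptions, and treating default_t as a sign of mislabeling is a heuristic.

```python
import re
import shlex

# Constructed sample: the report's two denials, abridged and joined onto one line
# each, plus one invented denial on a specifically typed file (must be ignored).
SAMPLE_LOG = "\n".join([
    'avc: denied { search } for comm="procmail" exe="/usr/bin/procmail" name="root" pid=4125 '
    'scontext=system_u:system_r:procmail_t:s0 tclass=dir tcontext=system_u:object_r:default_t:s0',
    'avc: denied { getattr } for comm="sendmail" name="root" path="/root" pid=3846 '
    'scontext=system_u:system_r:system_mail_t:s0 tclass=dir tcontext=system_u:object_r:default_t:s0',
    'avc: denied { read } for comm="exampled" name="example.conf" pid=1000 '
    'scontext=system_u:system_r:example_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0',
])

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    perms = PERMS_RE.search(line)
    if perms is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    rec["perms"] = perms.group(1).split()
    return rec

def context_type(context):
    """The type is the third field of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def mislabel_findings(log_text):
    """Denials whose target carries default_t, the fallback type (heuristic)."""
    findings = []
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if context_type(rec.get("tcontext", "")) == "default_t":
            findings.append({"comm": rec.get("comm"), "perms": rec["perms"],
                             "domain": context_type(rec.get("scontext", "")),
                             "target": rec.get("path") or rec.get("name")})
    return findings

def suggested_commands(findings):
    """restorecon commands for targets that were logged with an absolute path."""
    paths = {f["target"] for f in findings if (f["target"] or "").startswith("/")}
    return [f"restorecon -R -v {shlex.quote(p)}" for p in sorted(paths)]

if __name__ == "__main__":
    print(mislabel_findings(SAMPLE_LOG))
    print(suggested_commands(mislabel_findings(SAMPLE_LOG)))
```

The procmail record carries only name="root" and no path, so it is reported as a finding but produces no command of its own.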

Comment 3 Douglas Campbell 2007-07-24 12:32:38 EDT
But I didn't label my root directory.  Hence, this step should be done by F7
during install.  I therefore respectfully submit that this is still a bug.

I will apply the fix you have mentioned (which, as you may note from my initial
description, was not suggested by setroubleshoot).
Comment 4 Douglas Campbell 2007-07-24 12:35:34 EDT
But I didn't label my root directory.  Hence, this step should be done by F7
during install.  I therefore respectfully submit that this is still a bug.  If
you agree with me, please reopen this as a bug.

I will apply the fix you have mentioned (which, as you may note from my initial
description, was not suggested by setroubleshoot).
