Bug 249370 - selinux strict policy clash with sendmail/procmail on default system
Summary: selinux strict policy clash with sendmail/procmail on default system
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-07-24 03:23 UTC by Douglas Campbell
Modified: 2007-11-30 22:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-24 12:41:56 UTC
Type: ---
Embargoed:



Description Douglas Campbell 2007-07-24 03:23:41 UTC
Description of problem:


Version-Release number of selected component (if applicable):
unknown component

How reproducible:
selinux with strict policy will let neither sendmail nor procmail access /root
directory


Steps to Reproduce:
1.  Install fc7 dvd with sendmail/procmail support enabled
2.  boot system
3.  login as non-root
4.  After a short while, setroubleshooter display pops up.

Actual results:
Logged messages:
  avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=4125 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

  avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=51 exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=51 gid=51 items=0 name="root" path="/root" pid=3846 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=51 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=51

The help message by setroubleshoot is also problematic -- the primary solution
requires a reboot, while the secondary solution is not offered:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"


Expected results:
No setroubleshoot display with default system.


Additional info:

Comment 1 Douglas Campbell 2007-07-24 03:25:02 UTC
uid 51 is smmsp.

Comment 2 Daniel Walsh 2007-07-24 12:41:56 UTC
Your root directory is mislabeled.

restorecon -R -v /root
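Added example, not part of this bug report or of the selinux-policy package: a small POSIX shell triage script that parses AVC records like the two quoted in the description and separates labeling problems, which restorecon fixes, from real policy gaps that need a boolean or a policy change. The first two sample records are copied from the report; the third, an httpd_t denial on a user_home_t file, is constructed here only to exercise the other branch. The function names avc_field, ctx_type, avc_triage and triage_sample are this example's own, not tools from the distribution.

```shell
#!/bin/sh
# Added example (not from the bug report): parse SELinux AVC denial records and
# decide whether each one is a labeling problem (fix with restorecon) or a
# genuine policy gap (needs a boolean or a policy module).
# Records 1 and 2 are the ones quoted in the report, joined onto single lines.
# Record 3 is constructed for this example to show the non-relabel branch.
SAMPLE_AVC=$(cat <<'EOF'
avc: denied { search } for comm="procmail" dev=dm-0 egid=0 euid=0 exe="/usr/bin/procmail" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=4125 scontext=system_u:system_r:procmail_t:s0 sgid=0 subj=system_u:system_r:procmail_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=51 exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=51 gid=51 items=0 name="root" path="/root" pid=3846 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=51 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=51
avc: denied { read } for comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
)

# avc_field LINE KEY: print the value of KEY=... in LINE with any quotes
# removed; print nothing if the key is absent.  The leading whitespace match
# keeps "uid=" from matching inside "euid=", "fsuid=" or "suid=".
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage: read AVC records on stdin and write one line per denial:
#   SOURCE_TYPE TARGET_TYPE CLASS:PERMISSION TARGET VERDICT
# Non-AVC input lines are ignored.  Works on raw dmesg lines and on
# "type=AVC ..." lines from ausearch, which use double spaces around "denied".
avc_triage() {
    while IFS= read -r line; do
        case $line in
            *avc:*denied*) ;;
            *) continue ;;
        esac
        perm=$(printf '%s\n' "$line" |
            sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p')
        stype=$(ctx_type "$(avc_field "$line" scontext)")
        ttype=$(ctx_type "$(avc_field "$line" tcontext)")
        tclass=$(avc_field "$line" tclass)
        # A full path= is only present when the kernel could resolve one;
        # otherwise the record carries just the last path component (name=),
        # as in the procmail denial above.
        target=$(avc_field "$line" path)
        if [ -n "$target" ]; then
            target="path=$target"
        else
            target="name=$(avc_field "$line" name)"
        fi
        # default_t, unlabeled_t and file_t on the target mean the object never
        # received the label the policy expects (created before the policy was
        # installed, or with labeling off).  That is fixed by relabeling the
        # object, not by allowing procmail_t or system_mail_t to touch default_t.
        case $ttype in
            default_t|unlabeled_t|file_t) verdict="RELABEL" ;;
            *)                            verdict="POLICY" ;;
        esac
        printf '%s %s %s:%s %s %s\n' \
            "$stype" "$ttype" "$tclass" "$perm" "$target" "$verdict"
    done
}

# triage_sample: run the parser over the sample records above.
triage_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_triage
}

# On a live system (not run here): ausearch -m avc -ts recent | avc_triage
triage_sample
```

Before relabeling, confirm the mismatch with `ls -dZ /root` against what the policy expects from `matchpathcon /root`, or dry-run it with `restorecon -n -v /root`. A RELABEL verdict is exactly the case where setroubleshoot's "touch /.autorelabel; reboot" advice is more than is needed, since `restorecon -R -v` on the one mislabeled directory suffices; a POLICY verdict should go to `audit2allow -w` and the relevant boolean rather than to chcon.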



Comment 3 Douglas Campbell 2007-07-24 16:32:38 UTC
But I didn't label my root directory.  Hence, this step should be done by F7
during install.  I therefore respectfully submit that this is still a bug.

I will apply the fix you have mentioned (which, as you may note from my initial
description, was not suggested by setroubleshoot).

Comment 4 Douglas Campbell 2007-07-24 16:35:34 UTC
But I didn't label my root directory.  Hence, this step should be done by F7
during install.  I therefore respectfully submit that this is still a bug.  If
you agree with me, please reopen this as a bug.

I will apply the fix you have mentioned (which, as you may note from my initial
description, was not suggested by setroubleshoot).

