Bug 253742 - sendmail and cfengine issues.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-08-21 13:31 EDT by Orion Poplawski
Modified: 2008-03-27 19:07 EDT (History)
Fixed In Version: 3.0.8-95.fc8
Doc Type: Bug Fix
Last Closed: 2008-03-27 19:07:11 EDT
Description Orion Poplawski 2007-08-21 13:31:06 EDT
Description of problem:

I use cfengine to reload sendmail if needed.  This fails in development with the
following denials:

Aug 21 11:02:59 lynx kernel: audit(1187715779.021:126): avc:  denied  { read } for  pid=3533 comm="newaliases" path="pipe:[12155]" dev=pipefs ino=12155 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
Aug 21 11:02:59 lynx kernel: audit(1187715779.022:127): avc:  denied  { write } for  pid=3533 comm="newaliases" path="/var/cfengine/outputs/cf_lynx_cora_nwra_com_2007-08-21--11-00-03" dev=sda6 ino=18486 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Aug 21 11:02:59 lynx kernel: audit(1187715779.266:128): avc:  denied  { execute_no_trans } for  pid=2253 comm="sendmail" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=1039513 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Aug 21 11:02:59 lynx kernel: audit(1187715779.271:129): avc:  denied  { execute_no_trans } for  pid=2262 comm="sendmail" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=1039513 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

The first two are presumably the attempt to send the output of newaliases to the
cfengine log file.  The second two seem to be the killers.  After this, sendmail
is no longer running.

When I start sendmail by hand with "service sendmail start", I then get:

Aug 21 11:25:42 lynx kernel: audit(1187717142.781:130): avc:  denied  { read write } for  pid=3825 comm="newaliases" name="0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.782:131): avc:  denied  { read write } for  pid=3825 comm="newaliases" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.819:132): avc:  denied  { dac_override } for  pid=3825 comm="newaliases" capability=1 scontext=root:system_r:sendmail_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=capability
Aug 21 11:25:42 lynx kernel: audit(1187717142.819:133): avc:  denied  { dac_override } for  pid=3825 comm="newaliases" capability=1 scontext=root:system_r:sendmail_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=capability
Aug 21 11:25:42 lynx kernel: audit(1187717142.820:134): avc:  denied  { dac_override } for  pid=3825 comm="newaliases" capability=1 scontext=root:system_r:sendmail_t:s0 tcontext=root:system_r:sendmail_t:s0 tclass=capability
Aug 21 11:25:42 lynx kernel: audit(1187717142.833:135): avc:  denied  { read write } for  pid=3829 comm="sendmail" name="0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.833:136): avc:  denied  { read write } for  pid=3829 comm="sendmail" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.833:137): avc:  denied  { read write } for  pid=3829 comm="sendmail" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file
Aug 21 11:25:42 lynx kernel: audit(1187717142.834:138): avc:  denied  { read write } for  pid=3829 comm="sendmail" path="/dev/pts/0" dev=devpts ino=2 scontext=root:system_r:sendmail_t:s0 tcontext=root:object_r:unconfined_devpts_t:s0 tclass=chr_file

but sendmail starts fine.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.5-8.fc8
Comment 1 Daniel Walsh 2007-09-10 10:34:41 EDT
Fixed in selinux-policy-3.0.7-8.fc8.src.rpm
Comment 2 Daniel Walsh 2007-09-12 13:00:40 EDT
Already fixed in rawhide.
Comment 3 Orion Poplawski 2008-02-08 11:16:09 EST
Still seeing denials with the output of commands run by cfengine trying to get
logged:

Feb  7 15:00:29 ranier kernel: audit(1202421629.349:5): avc:  denied  { write } for  pid=5376 comm="newaliases" path="/var/cfengine/outputs/cf_ranier_cora_nwra_com_2008-02-07--15-00-04" dev=dm-2 ino=229508 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

Perhaps /var/cfengine/outputs should get labeled var_log_t?

selinux-policy-3.0.8-81.fc8
Comment 4 Daniel Walsh 2008-03-05 17:28:36 EST
This is a simple redirection of stdout.  newaliases output is being redirected
to the cfengine log file.  This log file should probably be in var_log.

Comment 5 Orion Poplawski 2008-03-05 17:55:22 EST
(In reply to comment #4)
> This is a simple redirection of stdout.  newaliases output is being redirected
> to the cfengine log file.  This log file should probably be in var_log.

Agreed, but I think it will take a while to get cfengine FHS compliant.  In the
meantime, can we get /var/cfengine/outputs labeled as var_log_t?  It's
equivalent to /var/log/cfengine.
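The relabeling proposed in comments 3 and 5, worked through as an added example (not code from the bug thread or from the selinux-policy package): it pulls the source type, target type, class and permission out of an AVC denial, and for the var_t file case prints the local file-context rule that would make /var/cfengine/outputs var_log_t. The sample denial line is constructed after the one in comment 3; the shell functions and their names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug thread: pull the types out of an AVC
# denial like the one in comment 3 and emit the persistent relabel that
# comment 5 asks for (/var/cfengine/outputs as var_log_t). Commands are
# printed, not run, so they can be reviewed before touching a live box.

# Constructed sample line, modelled on the denial quoted in comment 3.
SAMPLE_AVC='Feb  7 15:00:29 ranier kernel: audit(1202421629.349:5): avc:  denied  { write } for  pid=5376 comm="newaliases" path="/var/cfengine/outputs/cf_ranier_cora_nwra_com_2008-02-07--15-00-04" dev=dm-2 ino=229508 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# Print "source_type target_type tclass perms" for one AVC line, e.g.
# "sendmail_t var_t file write": the subject, the object it touched and
# the permission that was refused.
avc_summary() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Directory that holds the denied file (the one to relabel).
avc_dir() {
    dirname "$(printf '%s\n' "$1" | sed -n 's/.*path="\([^"]*\)".*/\1/p')"
}

# Emit the relabel: semanage records the rule in the local file-context
# database so it survives a full relabel; restorecon applies it to what
# exists; matchpathcon shows the context the policy now assigns the path.
fcontext_fix() {
    dir=$1
    type=$2
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
    printf 'matchpathcon %s\n' "$dir"
}

# Only a var_t file target is something a label change should fix; any
# other combination needs a policy change rather than a relabel.
propose_fix() {
    summary=$(avc_summary "$1")
    case $summary in
        *" var_t file "*) fcontext_fix "$(avc_dir "$1")" var_log_t ;;
        *) printf 'no relabel proposed for: %s\n' "$summary" ;;
    esac
}

propose_fix "$SAMPLE_AVC"
```

For the execute_no_trans denials in the original description the script proposes nothing, since those need the policy fix Daniel shipped rather than a label.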
Comment 6 Daniel Walsh 2008-03-18 14:50:32 EDT
Fixed in selinux-policy-3.0.8-95.fc8
Comment 7 Orion Poplawski 2008-03-27 19:07:11 EDT
Confirmed fixed.  Thanks!
