Bug 254076 - SELinux/apcupsd quirk with email reports
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-08-23 18:52 EDT by Anthony Messina
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-24 09:37:51 EDT
Description Anthony Messina 2007-08-23 18:52:28 EDT
Description of problem:
With SELinux in permissive mode, it prevents apcupsd from interacting with the
sendmail(.postfix) binary.  The strange thing is, it looks as though the
sendmail(.postfix) binary is trying to operate under the apcupsd_t context; that
doesn't seem right.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-33.fc7
apcupsd-3.14.1-2.fc7
postfix-2.4.3-2.fc7

How reproducible:
Every time a power failure occurs and apcupsd tries to send an email.

Steps to Reproduce:
1. Enable apcupsd
2. Pull the power plug
  
Actual results:
avc: denied { ioctl } for comm="sendmail" dev=sockfs egid=0 euid=0
exe="/usr/sbin/sendmail.postfix" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=""
path="socket:[112735]" pid=5009 scontext=system_u:system_r:apcupsd_t:s0 sgid=0
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=udp_socket
tcontext=system_u:system_r:apcupsd_t:s0 tty=(none) uid=0

avc: denied { create } for comm="postdrop" dev=sda2 egid=90 euid=0
exe="/usr/sbin/postdrop" exit=4 fsgid=90 fsuid=0 gid=0 items=0
name="707034.5013" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0

avc: denied { getattr } for comm="postdrop" dev=sda2 egid=90 euid=0
exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0
name="707034.5013" path="/var/spool/postfix/maildrop/707034.5013" pid=5013
scontext=system_u:system_r:apcupsd_t:s0 sgid=90
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0

avc: denied { rename } for comm="postdrop" dev=sda2 egid=90 euid=0
exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0
name="707034.5013" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0

avc: denied { write } for comm="postdrop" dev=sda2 egid=90 euid=0
exe="/usr/sbin/postdrop" exit=1437 fsgid=90 fsuid=0 gid=0 items=0
name="AD8AC53D991" path="/var/spool/postfix/maildrop/AD8AC53D991" pid=5013
scontext=system_u:system_r:apcupsd_t:s0 sgid=90
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0

avc: denied { setattr } for comm="postdrop" dev=sda2 egid=90 euid=0
exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0
name="AD8AC53D991" pid=5013 scontext=system_u:system_r:apcupsd_t:s0 sgid=90
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0

avc: denied { add_name } for comm="postdrop" dev=sda2 egid=90 euid=0
exe="/usr/sbin/postdrop" exit=4 fsgid=90 fsuid=0 gid=0 items=0
name="999567.5039" pid=5039 scontext=system_u:system_r:apcupsd_t:s0 sgid=90
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0

avc: denied { remove_name } for comm="postdrop" dev=sda2 egid=90 euid=0
exe="/usr/sbin/postdrop" exit=0 fsgid=90 fsuid=0 gid=0 items=0
name="999567.5039" pid=5039 scontext=system_u:system_r:apcupsd_t:s0 sgid=90
subj=system_u:system_r:apcupsd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tty=(none) uid=0


Expected results:
I would expect that the sendmail(.postfix) binary would run under its own
context and that apcupsd would also be able to initiate a message using the
sendmail(.postfix) binary, as other daemons do.

Additional info:
Comment 1 Daniel Walsh 2007-08-24 09:37:51 EDT
Please update to the latest policy; apcupsd transitions to sendmail.
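
A way to triage denials like the ones in this report, as an added example (not part of the bug or of selinux-policy): it parses the wrapped AVC records and flags executables that ran in a daemon's domain without being that daemon, the sign of a missing domain transition. The `EXPECTED` map, the `/sbin/apcupsd` path and the fourth sample record are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: three denials abridged from the report (wrapped as in the
# bug text) plus one invented record for apcupsd itself as a negative case.
SAMPLE = """
avc: denied { ioctl } for comm="sendmail" exe="/usr/sbin/sendmail.postfix"
pid=5009 scontext=system_u:system_r:apcupsd_t:s0 tclass=udp_socket
tcontext=system_u:system_r:apcupsd_t:s0

avc: denied { create } for comm="postdrop" exe="/usr/sbin/postdrop" pid=5013
scontext=system_u:system_r:apcupsd_t:s0 tclass=file
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0

avc: denied { getattr } for comm="postdrop" exe="/usr/sbin/postdrop" pid=5013
scontext=system_u:system_r:apcupsd_t:s0 tclass=file
tcontext=system_u:object_r:postfix_spool_maildrop_t:s0

avc: denied { read } for comm="apcupsd" exe="/sbin/apcupsd" pid=4000
scontext=system_u:system_r:apcupsd_t:s0 tclass=file
tcontext=system_u:object_r:example_t:s0
"""
# Assumption: the only binary expected to run in apcupsd_t is the daemon itself.
EXPECTED = {"apcupsd_t": {"/sbin/apcupsd"}}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    # Records are separated by blank lines and may wrap; unwrap, then split k=v.
    for block in re.split(r"\n\s*\n", text.strip()):
        m = AVC_RE.search(" ".join(block.split()))
        if m:
            rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
            rec["perms"] = m.group(1).split()
            yield rec

def se_type(context):
    # Type field of a user:role:type[:level] security context.
    return context.split(":")[2]

def foreign_exes(records, domain_exes):
    # (domain, exe) -> {(target type, class): perms} for denials raised by an
    # executable the domain is not expected to run (it never left the domain).
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        dom = se_type(r["scontext"])
        if dom in domain_exes and r["exe"] not in domain_exes[dom]:
            out[(dom, r["exe"])][(se_type(r["tcontext"]), r["tclass"])].update(r["perms"])
    return {k: dict(v) for k, v in out.items()}
```

Calling `foreign_exes(parse_avc(SAMPLE), EXPECTED)` groups the sendmail and postdrop denials under `apcupsd_t` and leaves the daemon's own record out.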
