Bug 283481 - SElinux prevents smartd from sending warning mails
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Daniel Walsh
QA Contact: Ben Levenson

Reported: 2007-09-08 08:02 EDT by Felix Schwarz
Modified: 2008-01-30 14:06 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:06:49 EST

Attachments
first selinux denial (complete output of sealert) (1.25 KB, text/plain)
2007-09-08 08:02 EDT, Felix Schwarz
extracted selinux denials (2.44 KB, text/plain)
2007-09-08 08:04 EDT, Felix Schwarz
generated policy addition with audit2allow (370 bytes, application/octet-stream)
2007-09-08 08:04 EDT, Felix Schwarz
Bodged extra allowals for exim over selinux-policy-2.6.4-43.fc7 (2.36 KB, application/octet-stream)
2007-10-02 11:33 EDT, Jón Fairbairn
result of grepping for exim through an audit log (71.44 KB, application/octet-stream)
2007-10-10 13:04 EDT, Jón Fairbairn

Description Felix Schwarz 2007-09-08 08:02:43 EDT
Description of problem:
In the default Fedora setup smartd will send a warning mail to root if it
detects a disk problem (such as Current_Pending_Sector > 0).

Unfortunately, this does not work with SELinux set to enforcing and using exim
(did not test with other MTAs).

Version-Release number of selected component (if applicable):
exim-4.66-3.fc7
selinux-policy-2.6.4-40.fc7
smartmontools-5.37-3.1.fc7

How reproducible:
Always

Steps to Reproduce:
1. Set SELinux to enforcing
2. Edit /etc/smartd.conf:
  Remove *SMARTD*AUTOGENERATED* to prevent the config file from being
overwritten at the next startup.
  Configure smartd so that it sends a test message at every startup by adding
"-M test", e.g. /dev/sdb -d ata -H -m root -M test
  Restart smartd
3. Look at the SELinux error log
  
Actual results:
In /var/log/messages something like this will appear:
Sep  8 13:59:09 ws2 smartd[17638]: Test of mail to root produced unexpected output (438 bytes) to STDOUT/STDERR:
2007-09-08 13:59:09 1ITyxx-0004aX-79 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=93 egid=93
2007-09-08 13:59:09 1ITyxx-0004aX-79 Failed to create spool file /var/spool/exim/input//1ITyxx-0004aX-79-D: Permission denied
2007-09-08 13:59:09 1ITyxx-0004aX-79 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=93 egid=93

I add the exact SELinux error messages etc. as attachments.

Expected results:
The warning message should be sent.
Comment 1 Felix Schwarz 2007-09-08 08:02:43 EDT
Created attachment 190701
first selinux denial (complete output of sealert)
Comment 2 Felix Schwarz 2007-09-08 08:04:14 EDT
Created attachment 190711
extracted selinux denials
Comment 3 Felix Schwarz 2007-09-08 08:04:54 EDT
Created attachment 190721
generated policy addition with audit2allow
Comment 4 Daniel Walsh 2007-09-13 13:09:03 EDT
Added rudimentary exim policy selinux-policy-2.6.4-43.fc7.src.rpm
Comment 5 Jón Fairbairn 2007-10-02 11:28:52 EDT
A recent upgrade to selinux-policy-2.6.4-43.fc7
(or possibly -targeted-) seems to cause exim to be denied for many cases.

e.g.
type=AVC msg=audit(1191268740.384:7357): avc:  denied  { entrypoint } for  pid=9568 comm="crond" name="exim" dev=md2 ino=259656 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file

I'm a complete novice with SELinux, but I'll attach the .te file I knocked
together to circumvent this.
Comment 6 Jón Fairbairn 2007-10-02 11:33:22 EDT
Created attachment 213581
Bodged extra allowals for exim over selinux-policy-2.6.4-43.fc7

I suspect the beginning of this .te file is bogus; I freely admit that I didn't
know what I was doing. I did seem to need all the allows though.

[before I updated to 2.6.4-43 I had no problems running exim]
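
Added example, not part of the bug report or of any commenter's attachment: a Python script that reads AVC denial lines such as the one quoted in comment 5 and prints the type-enforcement allow rule each group of denials corresponds to, so a hand-written .te module like the one attached in comment 6 can be checked against the log before it is loaded. The second AVC record and the SYSCALL record in the sample are constructed for this example, and the function names are the example's own.

```python
import re
from collections import defaultdict

# First record is the denial quoted in comment 5; the second AVC record and
# the SYSCALL record are constructed to show merging and skipping.
SAMPLE_LOG = """\
type=AVC msg=audit(1191268740.384:7357): avc:  denied  { entrypoint } for  pid=9568 comm="crond" name="exim" dev=md2 ino=259656 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file
type=AVC msg=audit(1191268741.100:7358): avc:  denied  { read execute } for  pid=9569 comm="crond" name="exim" dev=md2 ino=259656 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1191268741.100:7358): arch=40000003 syscall=11 success=no
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:mls-range]; the type is the third field.
    s, t = fields["scontext"].split(":"), fields["tcontext"].split(":")
    if len(s) < 3 or len(t) < 3:
        return None
    fields["stype"], fields["ttype"] = s[2], t[2]
    fields["perms"] = m.group(1).split()
    return fields

def candidate_rules(log_text):
    """Group denials by (source type, target type, class) and render the
    allow rule each group corresponds to, for review rather than loading."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

Each printed rule is only a candidate: it records what was denied, not whether the access should be granted, so every line needs review before it goes into a policy module.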
Comment 7 Daniel Walsh 2007-10-02 12:38:45 EDT
Could you attach the audit.log used to generate these rules?

Thanks.
Comment 8 Jón Fairbairn 2007-10-10 13:04:20 EDT
Created attachment 222791
result of grepping for exim through an audit log

I think this attachment covers them.  I've been away and logrotate has run...
Comment 9 Daniel Walsh 2008-01-30 14:06:49 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
