Bug 301111 - SELinux is preventing /usr/bin/procmail (procmail_t) "read write" to /var/lib/samba/gencache.tdb (samba_var_t).
SELinux is preventing /usr/bin/procmail (procmail_t) "read write" to /var/lib...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-21 15:26 EDT by Stephanos Manos
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-05 09:54:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
output from 'strings libnss_wins.so.2 | grep gencache' (549 bytes, text/plain)
2007-09-24 14:35 EDT, Nalin Dahyabhai
no flags Details

  None (edit)
Description Stephanos Manos 2007-09-21 15:26:18 EDT
Every time sendmail starts i get the following two AVC's

Summary
    SELinux is preventing /usr/bin/procmail (procmail_t) "read write" to
    /var/lib/samba/gencache.tdb (samba_var_t).

Detailed Description
    SELinux denied access requested by /usr/bin/procmail. It is not expected
    that this access is required by /usr/bin/procmail and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /var/lib/samba/gencache.tdb,
    restorecon -v /var/lib/samba/gencache.tdb If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:procmail_t
Target Context                system_u:object_r:samba_var_t
Target Objects                /var/lib/samba/gencache.tdb [ file ]
Affected RPM Packages         procmail-3.22-19.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-42.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     viper.myhome-net.net
Platform                      Linux viper.myhome-net.net 2.6.22.5-76.fc7 #1 SMP
                              Thu Aug 30 13:47:21 EDT 2007 i686 i686
Alert Count                   34
First Seen                    Fri 21 Sep 2007 09:43:39 PM EEST
Last Seen                     Fri 21 Sep 2007 09:45:12 PM EEST
Local ID                      9f57482e-1afa-40be-9098-2260835c29a5
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="procmail" dev=dm-0 egid=0 euid=0
exe="/usr/bin/procmail" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="gencache.tdb"
path="/var/lib/samba/gencache.tdb" pid=11208
scontext=user_u:system_r:procmail_t:s0 sgid=0 subj=user_u:system_r:procmail_t:s0
suid=0 tclass=file tcontext=system_u:object_r:samba_var_t:s0 tty=(none) uid=0

--------------------------------------------------------------------------------

Summary
    SELinux is preventing /usr/bin/procmail (procmail_t) "read write" to
    /var/lib/samba/gencache.tdb (samba_var_t).

Detailed Description
    SELinux denied access requested by /usr/bin/procmail. It is not expected
    that this access is required by /usr/bin/procmail and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /var/lib/samba/gencache.tdb,
    restorecon -v /var/lib/samba/gencache.tdb If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:procmail_t
Target Context                system_u:object_r:samba_var_t
Target Objects                /var/lib/samba/gencache.tdb [ file ]
Affected RPM Packages         procmail-3.22-19.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-42.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     viper.myhome-net.net
Platform                      Linux viper.myhome-net.net 2.6.22.5-76.fc7 #1 SMP
                              Thu Aug 30 13:47:21 EDT 2007 i686 i686
Alert Count                   8
First Seen                    Sat 15 Sep 2007 02:22:42 AM EEST
Last Seen                     Fri 21 Sep 2007 09:54:48 PM EEST
Local ID                      5ce7c853-35e7-4318-a6e9-efb62dadaeea
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="procmail" dev=dm-0 egid=0 euid=0
exe="/usr/bin/procmail" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="gencache.tdb"
path="/var/lib/samba/gencache.tdb" pid=3169
scontext=system_u:system_r:procmail_t:s0 sgid=0
subj=system_u:system_r:procmail_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:samba_var_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-09-22 07:30:55 EDT
Simo you have any reason why procmail would be reading/writing this file?
Comment 2 Simo Sorce 2007-09-22 15:05:09 EDT
I am not familiar with procmail code.
Is it linked with smbclient ?
Is this on a system with nss_winbindd ?
Comment 3 Daniel Walsh 2007-09-24 14:06:35 EDT
This could be a descriptor leak.  If smbd or nmbd opens
/var/lib/samba/gencache.tdb without closing on exec and somehow ends up execing
procmail, this could happen.
Comment 4 Simo Sorce 2007-09-24 14:16:50 EDT
I don't see why samba should execute procmail ... and it doesn't as far as I know.
That said people can and do use things like preexec and root preexec scripts.
We fork out in that case and execute a shell.

However the bug report say this happens every time sendmail start/stop, I don't
see how smbd/nmbd can be involved there.

But, other samba binaries/libraries may use gencache.tdb ..
Comment 5 Simo Sorce 2007-09-24 14:26:27 EDT
Re-assigning to procmail (sorry assigned to sendmail by mistake in the meantime)
Comment 6 Nalin Dahyabhai 2007-09-24 14:33:50 EDT
The libnss_wins module seems to include routines to directly manipulate this file.

Stephanos, are you using 'wins' anywhere in /etc/nsswitch.conf?
Comment 7 Nalin Dahyabhai 2007-09-24 14:35:39 EDT
Created attachment 204391 [details]
output from 'strings libnss_wins.so.2 | grep gencache'
Comment 8 Stephanos Manos 2007-09-24 15:05:43 EDT
The only line with wins in it is
hosts:      files dns wins

Comment 9 Nalin Dahyabhai 2007-09-24 15:43:27 EDT
(In reply to comment #8)
> The only line with wins in it is
> hosts:      files dns wins

Yep, that'd do it.  Both sendmail and procmail appear to translate
hostnames to network addresses, so both would use the nss_wins
module.  That, in turn, would attempt to access the gencache.tdb file.
Comment 10 Simo Sorce 2007-09-24 16:33:14 EDT
In my opinion this is an SELinux problem as accessing gencache.tdb is legitimate
when using wins in nsswitch.conf
Comment 11 Daniel Walsh 2007-09-24 16:56:57 EDT
So they need read/write access to this file?
Comment 12 Daniel Walsh 2007-09-24 17:00:09 EDT
This change will instantly give every confined domain that uses nsswitch the
ability to read/write all files under /var/lib/samba?  

Or do we need a new context for gencache.tdb?

Comment 13 Simo Sorce 2007-09-24 17:09:29 EDT
Read only mostly, write is reserved to process that run as root and are
therefore trusted, and usually just smbd/nmbd/winbindd.

unexpected.tdb is another file that user process can try to access. I can't
recall if nss_wins actually does it. Unexpected.tdb is a trap for ol clients
(win9x) sending netbios replies to the wrong udp port.
Comment 14 Daniel Walsh 2007-09-24 17:12:58 EDT
Ok I will change policy to

allow read
dontaudit write for users of nsswitch

Comment 15 Daniel Walsh 2007-09-24 17:15:36 EDT
And in SELinux world we don't trust applications running as root.  :^)

Fixed in selinux-policy-3.0.8-12
Comment 16 Daniel Walsh 2007-09-24 17:17:00 EDT
Oops thats rawhide.   I will backport to FC7

selinux-policy-2.6.4-45
Comment 17 Stephanos Manos 2007-10-04 14:56:03 EDT
Fixed.

Thanks

Note You need to log in before you can comment on or make changes to this bug.