This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 405291 - SELinux shortcomings for sockets used by milters and SASL
SELinux shortcomings for sockets used by milters and SASL
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-29 20:14 EST by Glen Turner
Modified: 2008-01-30 14:06 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:06:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Glen Turner 2007-11-29 20:14:51 EST
Description of problem: 

To enhance security Sendmail inspects the ownership and permissions of many
files, including Unix-domain sockets. Sockets are used extensively to augment
Sendmail with spam filtering, virus checking and authentication.
 spamass-milter uses /var/run/spamass-milter/spamass-milter.sock
 clamav-milter should use /var/run/clamav-milter/clamav.sock
  (use is actually inconsistent, Bugzilla has a bug about that)
 cyrus-sasl uses /var/run/saslauthd/mux

Sendmail checks that files and their paths have safe ownership and permissions.
These checks fail for all of the above sockets, disabling those services.

A typical error message on "service sendmail start" is
/etc/mail/sendmail.cf: line 1785: Xspamassassin: local socket name
/var/run/spamass-milter/spamass-milter.sock unsafe: Permission denied

Authsasld does not generate an error. An error occurs silently when sendmail
attempts to validate a SMTP AUTH request. The AUTH fails immediately, without
giving the opportunity to provide a password. Debug logging on saslauthd shows
no connection from sendmail.

No SELinux audit records are produced.

Version-Release number of selected component (if applicable):

sendmail-8.14.1-4.2.fc8
sendmail-cf-8.14.1-4.2.fc8
cyrus-sasl-plain-2.1.22-7
cyrus-sasl-2.1.22-7
cyrus-sasl-lib-2.1.22-7
clamav-milter-0.91.2-3.fc8
clamav-filesystem-0.91.2-3.fc8
clamav-server-sysv-0.91.2-3.fc8
clamav-0.91.2-3.fc8
clamav-data-0.91.2-3.fc8
clamav-server-0.91.2-3.fc8
clamav-milter-sysv-0.91.2-3.fc8
clamav-update-0.91.2-3.fc8
clamav-lib-0.91.2-3.fc8
spamassassin-3.2.3-2.fc8
spamass-milter-0.3.1-5.fc8

How reproducible:

sendmail.mc contains in part

define(`confAUTH_OPTIONS', `A p y')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confCACERT', `/etc/pki/tls/certs/server-chain.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
FEATURE(delay_checks)dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav-milter/clamav.sock, F=,
T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin',
`S=unix:/var/run/spamass-milter/spamass-milter.sock, F=,
T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name},
{if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits},
{cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',confMILTER_MACROS_ENVRCPT`,r, v, Z')dnl
define(`confINPUT_MAIL_FILTERS', `clamav,spamassassin')

There should be a DontBlameSendmail option to ignore the permissions and
ownership of the socket and its path, but I can't find it.
Comment 1 Glen Turner 2007-11-30 21:54:49 EST
Actually SELinux does generate warnings.  audit2allow reports
#============= sendmail_t ==============
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t var_run_t:sock_file getattr;
Comment 2 Glen Turner 2007-11-30 22:17:46 EST
And now that sendmail can read the /var/run/saslauthd directory we additionally need

#============= sendmail_t ==============
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t var_run_t:sock_file getattr;
Comment 3 Glen Turner 2007-11-30 22:25:32 EST
The final set of SELinux policies which allow SMTP AUTH to work are

#============= sendmail_t ==============
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t var_run_t:sock_file getattr;
Comment 4 Glen Turner 2007-12-01 01:02:15 EST
The final set of SELinux policies which allow SMTP AUTH, Spamassassin milter and
ClamAV milter.

#============= sendmail_t ==============
allow sendmail_t initrc_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_t:unix_stream_socket connectto;
allow sendmail_t saslauthd_var_run_t:dir { write search };
allow sendmail_t saslauthd_var_run_t:sock_file write;
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t spamd_var_run_t:sock_file { write getattr };
allow sendmail_t var_run_t:sock_file { write getattr };

#============= system_mail_t ==============
allow system_mail_t security_t:filesystem getattr;
allow system_mail_t spamd_var_run_t:dir { search getattr };
allow system_mail_t var_run_t:sock_file getattr;

Considering that SELinux enforcing and sendmail are recommended system
configurations I'd say this shows a distinct lack of system testing.
Comment 5 Glen Turner 2007-12-01 01:06:07 EST
Altered component to selinux-policy-targeted

libselinux-2.0.43-1.fc8
libselinux-devel-2.0.43-1.fc8
selinux-policy-3.0.8-56.fc8
selinux-policy-targeted-3.0.8-56.fc8
libselinux-python-2.0.43-1.fc8
checkpolicy-2.0.4-1.fc8
policycoreutils-2.0.31-15.fc8
Comment 6 Daniel Walsh 2007-12-01 07:57:17 EST
Thanks for the analysys.  I believe I have encorporated all your changes into 
selinux-policy-3.0.8-63.fc8
Comment 7 Glen Turner 2007-12-02 01:52:05 EST
Thanks Dan. I won't be in a position to test selinux-policy-3.0.8-63.fc8 until
Wednesday (South Australia time).
Comment 8 Daniel Walsh 2008-01-30 14:06:47 EST
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.

Note You need to log in before you can comment on or make changes to this bug.