Bug 424011 - SELinux prevents postfix GeoIP.dat
Summary: SELinux prevents postfix GeoIP.dat
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: GeoIP
Version: 7
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Michael Fleming
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-12-13 20:05 UTC by Daniel Peterson
Modified: 2008-06-17 02:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-17 02:55:42 UTC
Type: ---
Embargoed:



Description Daniel Peterson 2007-12-13 20:05:14 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.10) Gecko/20071128 Fedora/2.0.0.10-2.fc7 Firefox/2.0.0.10

Description of problem:
Summary
    SELinux is preventing /usr/sbin/sendmail.postfix (system_mail_t) "read" to
    /usr/share/GeoIP/GeoIP.dat (usr_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.postfix. It is not
    expected that this access is required by /usr/sbin/sendmail.postfix and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /usr/share/GeoIP/GeoIP.dat:
    restorecon -v /usr/share/GeoIP/GeoIP.dat
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:system_mail_t
Target Context                system_u:object_r:usr_t
Target Objects                /usr/share/GeoIP/GeoIP.dat [ file ]
Affected RPM Packages         postfix-2.4.5-2.fc7 [application],
                              GeoIP-1.4.3-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-61.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     newage.cosywallet.com
Platform                      Linux newage.cosywallet.com 2.6.23.8-34.fc7 #1 SMP
                              Thu Nov 22 20:39:56 EST 2007 x86_64 x86_64
Alert Count                   196
First Seen                    Fri 23 Nov 2007 11:54:18 PM CET
Last Seen                     Wed 12 Dec 2007 11:34:28 AM CET
Local ID                      ae2dfe4b-7a17-4912-990a-55c189f0d266
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="sendmail" dev=dm-0 egid=48 euid=48
exe="/usr/sbin/sendmail.postfix" exit=0 fsgid=48 fsuid=48 gid=48 items=0
path="/usr/share/GeoIP/GeoIP.dat" pid=3255
scontext=system_u:system_r:system_mail_t:s0 sgid=48
subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=48



Version-Release number of selected component (if applicable):
postfix 2:2.4.5-2.fc7.x86_64 selinux-policy 2.6.4-61.fc7.noarch

How reproducible:
Always


Steps to Reproduce:
1. Send mail from PHP

Actual Results:


Expected Results:


Additional info:

Comment 1 Daniel Walsh 2007-12-13 20:18:29 UTC
Is this actually trying to mail this file?  Or is this another leaked file
descriptor?

Comment 2 Daniel Peterson 2007-12-14 10:27:18 UTC
This is connected to the geoip packages.
I had
GeoIP 1.4.3-1.fc7.x86_64
and
mod_geoip 1.2.0-1.fc7.x86_64

I have uninstalled those packages, so now it works.
How those packages connect to postfix I do not really know, nor have I
investigated, but postfix seems to access /usr/share/GeoIP/GeoIP.dat every
time you send a mail from PHP.

However I do not use the GeoIP packages for now but I maybe will in the future,
I built some hobby websites with GIS.
www.geobait.com
www.snowbull.com
www.riderguru.com


Comment 3 Daniel Walsh 2007-12-17 15:45:06 UTC
Ok, this is probably a leaked file descriptor.  Somewhere along the line your
apache scripts were calling mod_geoip, which opened /usr/share/GeoIP/GeoIP.dat
but did not close it on exec.  When apache starts postfix to send mail, the
kernel looks at all open file descriptors from apache and checks postfix's
access.  If postfix is not allowed to use the file descriptor, it closes it and
runs the app.  So postfix would work correctly, but you get a nasty AVC reported.


So mod_geoip should close all file descriptors on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)


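The mechanism comment 3 describes, as an added example (not code from this bug, from mod_geoip, or from the SELinux policy): a descriptor opened without close-on-exec is inherited by whatever the process execs next, while FD_CLOEXEC (set after the fact with fcntl, as suggested above) or O_CLOEXEC (set atomically at open time) makes the kernel drop it at exec so nothing reaches the child's domain. The program assumes Linux with /bin/sh and /proc mounted, and uses /dev/null as a stand-in for /usr/share/GeoIP/GeoIP.dat; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The mod_geoip-style open described in comment 3: no close-on-exec flag, so
 * the descriptor is inherited by every program this process later execs
 * (here, postfix's sendmail started by apache). */
int open_leaky(const char *path)
{
    return open(path, O_RDONLY);
}

/* Fix for a descriptor that is already open: the fcntl() from comment 3,
 * preserving any other FD_* flags already set. Returns 0 on success. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Preferred form when you control the open(): O_CLOEXEC sets the flag
 * atomically, so a fork()+exec() on another thread (a threaded httpd MPM)
 * cannot slip into the window between open() and fcntl(). */
int open_safe(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Empirical check: fork, exec /bin/sh, and let the new program try to dup
 * the descriptor ("exec T<&N"). That succeeds only if fd N survived the
 * exec. Returns 1 (leaked into the child), 0 (closed at exec), -1 on error. */
int survives_exec(int fd)
{
    char cmd[64];
    int status, target = (fd == 9) ? 8 : 9;   /* avoid dup'ing N onto N */
    pid_t pid;

    snprintf(cmd, sizeof cmd, "exec %d<&%d", target, fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Audit a live process from outside, e.g. an httpd worker suspected of
 * leaking: the kernel reports close-on-exec state in the "flags:" line of
 * /proc/PID/fdinfo/FD (the O_CLOEXEC bit is set when FD_CLOEXEC is on).
 * Returns 1/0, or -1 if the entry cannot be read (no /proc, no permission). */
int fdinfo_cloexec(pid_t pid, int fd)
{
    char path[64], buf[512];
    const char *p;
    ssize_t n;
    int info;

    snprintf(path, sizeof path, "/proc/%d/fdinfo/%d", (int)pid, fd);
    info = open(path, O_RDONLY | O_CLOEXEC);
    if (info < 0)
        return -1;
    n = read(info, buf, sizeof buf - 1);
    close(info);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    p = strstr(buf, "flags:");
    if (!p)
        return -1;
    return (strtoul(p + 6, NULL, 8) & O_CLOEXEC) ? 1 : 0;
}

int main(void)
{
    /* /dev/null stands in for /usr/share/GeoIP/GeoIP.dat (assumption). */
    int leaky = open_leaky("/dev/null");
    int safe = open_safe("/dev/null");

    printf("leaky fd %d: survives exec = %d\n", leaky, survives_exec(leaky));
    mark_cloexec(leaky);
    printf("after FD_CLOEXEC: survives exec = %d\n", survives_exec(leaky));
    printf("O_CLOEXEC fd %d: survives exec = %d\n", safe, survives_exec(safe));
    printf("fdinfo says cloexec = %d\n", fdinfo_cloexec(getpid(), safe));
    return 0;
}
```

On an unconfined test box there is no domain transition, so this only shows the inheritance itself; on the reporter's host it is the SELinux exec hook that finds the inherited GeoIP.dat descriptor, checks it against system_mail_t, closes it, and logs the AVC in the report above. That is why the denial is harmless to mail delivery and why the fix belongs in mod_geoip, not in policy: feeding the raw audit line to audit2allow would produce an allow rule granting system_mail_t read on usr_t files, silencing the message by handing the mail domain access it never needed. To check a running httpd, call fdinfo_cloexec() with a worker's pid and walk /proc/PID/fd.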

Comment 4 Michael Fleming 2008-01-28 10:14:51 UTC
I'll add a METOO to this bug, although I'm not conversant enough in C to work
out exactly what the fix is going to look like (I might kick it upstream anyway,
even if I get a flash of enlightenment)

Comment 5 Bug Zapper 2008-05-14 15:09:52 UTC
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Bug Zapper 2008-06-17 02:55:40 UTC
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. 
Fedora 7 is no longer maintained, which means that it will not 
receive any further security or bug fix updates. As a result we 
are closing this bug. 

If you can reproduce this bug against a currently maintained version 
of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

