Bug 438184 - SELinux is preventing sendmail (system_mail_t) "append" to /var/rkhunter/tmp/rkhcronlog.wSLuzk5001 (var_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: rkhunter (Show other bugs)
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-03-19 12:13 EDT by long
Modified: 2008-06-06 03:47 EDT (History)
Last Closed: 2008-04-29 08:55:16 EDT
Description long 2008-03-19 12:13:07 EDT
Description of problem:
When rkhunter is run via its daily cron job it produces a selinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-93.fc8

How reproducible:
every day

Steps to Reproduce:
1. Install rkhunter using yum
2. Wait until daily rkhunter cron job runs
Actual results:

Summary:

SELinux is preventing sendmail (system_mail_t) "append" to
/var/rkhunter/tmp/rkhcronlog.wSLuzk5001 (var_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/rkhunter/tmp/rkhcronlog.wSLuzk5001,

restorecon -v '/var/rkhunter/tmp/rkhcronlog.wSLuzk5001'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/rkhunter/tmp/rkhcronlog.wSLuzk5001 [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          griffon.cc.ku.edu
Source RPM Packages           sendmail-8.14.2-1.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     griffon.cc.ku.edu
Platform                      Linux griffon.cc.ku.edu 2.6.24.3-34.fc8 #1 SMP Wed
                              Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 19 Mar 2008 10:56:18 AM CDT
Last Seen                     Wed 19 Mar 2008 10:56:18 AM CDT
Local ID                      5ab0ec93-baf8-4f2a-bb30-1bc75ac0298d
Line Numbers                  

Raw Audit Messages            

host=griffon.cc.ku.edu type=AVC msg=audit(1205942178.16:221): avc:  denied  {
append } for  pid=22609 comm="sendmail"
path="/var/rkhunter/tmp/rkhcronlog.wSLuzk5001" dev=dm-0 ino=3143636
scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_t:s0
tclass=file

host=griffon.cc.ku.edu type=SYSCALL msg=audit(1205942178.16:221): arch=40000003
syscall=11 success=yes exit=0 a0=805848b a1=889560c a2=bfb56108 a3=889560c
items=0 ppid=1 pid=22609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

Expected results:
No daily selinux denial.

Additional info:
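To triage a denial like the one in this report, here is an added example (not from the bug report, rkhunter, or the Fedora policy) that parses a raw AVC record and flags a denial whose target carries a generic label such as var_t as a labeling or directory-layout problem, which is the situation above. The sample record is the report's own audit message re-joined onto one line; the set of "generic" types is an assumption of this script.

```python
import re

# Constructed sample: the report's raw AVC record re-joined onto one line (the page shows it wrapped).
SAMPLE_AUDIT = [
    'host=griffon.cc.ku.edu type=AVC msg=audit(1205942178.16:221): avc:  denied  '
    '{ append } for  pid=22609 comm="sendmail" '
    'path="/var/rkhunter/tmp/rkhcronlog.wSLuzk5001" dev=dm-0 ino=3143636 '
    'scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_t:s0 '
    'tclass=file',
]

# Assumption of this script: a file carrying one of these catch-all types never matched
# a specific file context, so a denial against it is likely a labeling/layout problem.
GENERIC_FILE_TYPES = {"var_t", "usr_t", "etc_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+"
                    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # Third field of user:role:type[:range], or None when the context is absent.
    return context.split(":")[2] if context and context.count(":") >= 2 else None

def parse_avc(line):
    # Return the parsed AVC record, or None for any other audit record type.
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": selinux_type(fields.get("scontext")),
        "ttype": selinux_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
    }

def triage(lines):
    # Verdict per denial: "labeling" (generic target type: run restorecon or move the
    # file to a standard directory) or "policy" (a specifically labeled file was denied).
    findings = []
    for avc in map(parse_avc, lines):
        if avc and avc["result"] == "denied":
            generic = avc["tclass"] == "file" and avc["ttype"] in GENERIC_FILE_TYPES
            avc["verdict"] = "labeling" if generic else "policy"
            findings.append(avc)
    return findings
```

Feed it the AVC lines from `ausearch -m avc` (or /var/log/audit/audit.log) to separate mislabeled files from genuine policy gaps before writing any local module.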
Comment 1 Daniel Walsh 2008-03-19 15:18:14 EDT
Please put log files in a reasonable location like /var/log/rkhunter/

This is simple redirection of sendmail and will not prevent anything from working.  
Comment 2 Kevin Fenzi 2008-03-19 19:50:43 EDT
rkhunter uses /var/rkhunter/tmp/ for all its temp files... including this file
which is part of its email it's constructing for its nightly cron job. 

It already puts its log in /var/log/rkhunter.log 

I can change both or either of those if need be, but can't selinux handle the
current setup? 

Note that rkhunter docs say never to use /tmp as your temp dir as that will leak 
information about a running rkhunter process. 

Thoughts? Ideas? Questions? Expansion of the comments in Comment #1? 
Comment 3 Daniel Walsh 2008-03-20 09:32:15 EDT
Well SELinux can handle this path,  But it is an unusual path and not standard.

/var/run/rkhunter should be a place for tmp files and any files that you do not
care if they survive a reboot.
/var/log/rkhunter for log files.
/var/lib/rkhunter for files that rkhunter needs to write to and keep (Not
temporary).

This is the way almost every service application is coded.

Then we can talk about writing SELinux policy for rkhunter.
Comment 4 Kevin Fenzi 2008-03-27 00:10:05 EDT
All very solid suggestions. 

I have made a first attempt at moving things around in the just tagged and built
version: rkhunter-1.3.2-2.fc9

Dan: Can you check this version and see if there is any further
improvement/changes I can make to make this app more selinux friendly? 

Thanks. 
Comment 5 Kevin Fenzi 2008-04-28 22:51:20 EDT
Hey Dan. Have you had a chance to look over the current package?

Anything I can do to modify the package to get it selinux friendly?

Let me know... 
Comment 6 Daniel Walsh 2008-04-29 08:55:16 EDT
Well system_mail_t is allowed to append to log files so this problem should be
fixed.  I just installed the Fedora 9 package on my machine, and will watch for
avc's.

We looked into confining this application but it is way too intrusive to be
confinable.  :^)

Comment 7 Fedora Update System 2008-05-17 17:32:41 EDT
rkhunter-1.3.2-3.fc8 has been submitted as an update for Fedora 8
Comment 8 Fedora Update System 2008-05-17 17:41:33 EDT
rkhunter-1.3.2-3.fc7 has been submitted as an update for Fedora 7
Comment 9 Fedora Update System 2008-06-06 03:46:58 EDT
rkhunter-1.3.2-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-06-06 03:47:07 EDT
rkhunter-1.3.2-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
