Description of problem:
SSIA, if SELinux is enforcing targeted policy, it prevents sendmail.postfix from reading UUCP spool files which causes it to deliver mails with empty headers and bodies (and removes the UUCP spool file in question, thus causing data loss). Note that the uucico in question is run once a minute from cron and I've quickly switched over to permissive mode in order not to lose more mail.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-51.fc9.noarch
postfix-2.5.1-2.fc9.x86_64
uucp-1.07-17.fc9.x86_64
cronie-1.0-5.fc9.x86_64

Actual results:

--- 8< --- Alert 1 of 4 ---

Summary:

SELinux is preventing sendmail (system_mail_t) "read" to /var/spool/uucp/winz/D./D.winzN2S35 (uucpd_spool_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/spool/uucp/winz/D./D.winzN2S35,

restorecon -v '/var/spool/uucp/winz/D./D.winzN2S35'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:uucpd_spool_t:s0
Target Objects                /var/spool/uucp/winz/D./D.winzN2S35 [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.postfix
Port                          <Unknown>
Host                          wombat
Source RPM Packages           postfix-2.5.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May 21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 26 May 2008 12:42:06 PM CEST
Last Seen                     Mon 26 May 2008 12:42:06 PM CEST
Local ID                      2af28e82-5647-410c-8c56-f83364fc4ab0
Line Numbers

Raw Audit Messages

host=wombat type=AVC msg=audit(1211798526.819:214): avc: denied { read } for pid=6217 comm="sendmail" path="/var/spool/uucp/winz/D./D.winzN2S35" dev=dm-3 ino=360465 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:uucpd_spool_t:s0 tclass=file

host=wombat type=AVC msg=audit(1211798526.819:214): avc: denied { write } for pid=6217 comm="sendmail" path="/var/spool/uucp/.Temp/TM.7x1.00" dev=dm-3 ino=360501 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:uucpd_spool_t:s0 tclass=file

host=wombat type=SYSCALL msg=audit(1211798526.819:214): arch=c000003e syscall=59 success=yes exit=0 a0=2577490 a1=2575120 a2=2577820 a3=7fff329f1120 items=0 ppid=6215 pid=6217 auid=0 uid=10 gid=14 euid=10 suid=10 fsuid=10 egid=14 sgid=14 fsgid=14 tty=(none) ses=19 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

--- >8 ---

--- 8< --- Alert 2 of 4 ---

Summary:

SELinux is preventing postqueue (postfix_postqueue_t) "getattr" to pipe (crond_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by postqueue. It is not expected that this access is required by postqueue and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects                pipe [ fifo_file ]
Source                        postqueue
Source Path                   /usr/sbin/postqueue
Port                          <Unknown>
Host                          wombat
Source RPM Packages           postfix-2.5.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May 21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 26 May 2008 12:43:07 PM CEST
Last Seen                     Mon 26 May 2008 12:49:01 PM CEST
Local ID                      39383a6c-eaf4-4c7a-bb04-85098224707e
Line Numbers

Raw Audit Messages

host=wombat type=AVC msg=audit(1211798941.888:290): avc: denied { getattr } for pid=6782 comm="postqueue" path="pipe:[69614]" dev=pipefs ino=69614 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=wombat type=SYSCALL msg=audit(1211798941.888:290): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff10192990 a2=7fff10192990 a3=7fff10192710 items=0 ppid=6778 pid=6782 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=90 sgid=90 fsgid=90 tty=(none) ses=26 comm="postqueue" exe="/usr/sbin/postqueue" subj=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 key=(null)

--- >8 ---

--- 8< --- Alert 3 of 4 ---

Summary:

SELinux is preventing postqueue (postfix_postqueue_t) "read" to pipe (crond_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by postqueue. It is not expected that this access is required by postqueue and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
Target Context                system_u:system_r:crond_t:s0-s0:c0.c1023
Target Objects                pipe [ fifo_file ]
Source                        postqueue
Source Path                   /usr/sbin/postqueue
Port                          <Unknown>
Host                          wombat
Source RPM Packages           postfix-2.5.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May 21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Mon 26 May 2008 12:40:01 PM CEST
Last Seen                     Mon 26 May 2008 12:49:01 PM CEST
Local ID                      829c8305-39fb-49bf-98bd-b25ae5851071
Line Numbers

Raw Audit Messages

host=wombat type=AVC msg=audit(1211798941.872:289): avc: denied { read } for pid=6782 comm="postqueue" path="pipe:[69614]" dev=pipefs ino=69614 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=wombat type=AVC msg=audit(1211798941.872:289): avc: denied { write } for pid=6782 comm="postqueue" path="pipe:[69615]" dev=pipefs ino=69615 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=wombat type=SYSCALL msg=audit(1211798941.872:289): arch=c000003e syscall=59 success=yes exit=0 a0=7fdb11f9c1f0 a1=7fdb11f9c180 a2=7fdb11f9baf0 a3=7fff17e7c610 items=0 ppid=6778 pid=6782 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=90 sgid=90 fsgid=90 tty=(none) ses=26 comm="postqueue" exe="/usr/sbin/postqueue" subj=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 key=(null)

--- >8 ---

--- 8< --- Alert 4 of 4 ---

Summary:

SELinux is preventing run-mail-queue. (postfix_postqueue_t) "sigchld" to <Unknown> (system_crond_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by run-mail-queue.. It is not expected that this access is required by run-mail-queue. and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_crond_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        run-mail-queue.
Source Path                   /bin/bash
Port                          <Unknown>
Host                          wombat
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wombat
Platform                      Linux wombat 2.6.25.4-30.fc9.x86_64 #1 SMP Wed May 21 17:34:18 EDT 2008 x86_64 x86_64
Alert Count                   30
First Seen                    Mon 26 May 2008 12:40:01 PM CEST
Last Seen                     Mon 26 May 2008 12:51:01 PM CEST
Local ID                      aac62db1-9511-40c9-829b-a19183fd3ab0
Line Numbers

Raw Audit Messages

host=wombat type=AVC msg=audit(1211799061.326:310): avc: denied { sigchld } for pid=6824 comm="run-mail-queue." scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tclass=process

host=wombat type=SYSCALL msg=audit(1211799061.326:310): arch=c000003e syscall=61 success=yes exit=6828 a0=ffffffffffffffff a1=7fff43c8d094 a2=0 a3=0 items=0 ppid=6822 pid=6824 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29 comm="run-mail-queue." exe="/bin/bash" subj=system_u:system_r:system_crond_t:s0-s0:c0.c1023 key=(null)

--- >8 ---

Expected results:
No alerts, mail gets through untampered.

You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-56.fc9

Just for the record, here's the output of audit2allow. There's one rule in between for ppp, I don't know how that's relevant, I didn't notice it up to now but you might want to know.

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t uucpd_spool_t:file { write getattr };

#============= postfix_postqueue_t ==============
allow postfix_postqueue_t crond_t:fifo_file { read write getattr };
allow postfix_postqueue_t system_crond_t:process sigchld;

#============= pppd_t ==============
allow pppd_t initrc_t:process signal;

#============= system_mail_t ==============
allow system_mail_t uucpd_spool_t:file { read write getattr };

#============= uux_t ==============
allow uux_t anon_inodefs_t:file { read write };
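
Added example, not part of the original thread and not audit2allow's own code: running audit2allow -i over the whole audit log turns every logged denial into an allow rule, which is how the unrelated pppd_t rule ended up in the output above. This sketch groups AVC denials the same way but separates rules whose source domain is outside the set under investigation; the names denials, rules and expected_domains are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from the alerts in this report; the last (pppd_t) line is
# constructed for illustration, since the thread shows only its resulting rule.
AUDIT_LOG = """\
host=wombat type=AVC msg=audit(1211798526.819:214): avc: denied { read } for pid=6217 comm="sendmail" path="/var/spool/uucp/winz/D./D.winzN2S35" dev=dm-3 ino=360465 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:uucpd_spool_t:s0 tclass=file
host=wombat type=AVC msg=audit(1211798526.819:214): avc: denied { write } for pid=6217 comm="sendmail" path="/var/spool/uucp/.Temp/TM.7x1.00" dev=dm-3 ino=360501 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:uucpd_spool_t:s0 tclass=file
host=wombat type=AVC msg=audit(1211798941.888:290): avc: denied { getattr } for pid=6782 comm="postqueue" path="pipe:[69614]" dev=pipefs ino=69614 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=wombat type=AVC msg=audit(1211798941.872:289): avc: denied { read } for pid=6782 comm="postqueue" path="pipe:[69614]" dev=pipefs ino=69614 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=wombat type=AVC msg=audit(1211798941.872:289): avc: denied { write } for pid=6782 comm="postqueue" path="pipe:[69615]" dev=pipefs ino=69615 scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=wombat type=AVC msg=audit(1211799061.326:310): avc: denied { sigchld } for pid=6824 comm="run-mail-queue." scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(0.000:0): avc: denied { signal } for pid=1 comm="pppd" scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
"""

# Pull the permission set, the type field of both contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+'
    r'tclass=(?P<cls>\w+)')

def denials(log):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            grouped[(m['src'], m['tgt'], m['cls'])].update(m['perms'].split())
    return grouped

def rules(log, expected_domains):
    """Return (wanted, unrelated) allow rules; unrelated ones need separate review."""
    wanted, unrelated = [], []
    for (src, tgt, cls), perms in sorted(denials(log).items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rule = f'allow {src} {tgt}:{cls} {body};'
        (wanted if src in expected_domains else unrelated).append(rule)
    return wanted, unrelated

if __name__ == '__main__':
    wanted, unrelated = rules(AUDIT_LOG, {'system_mail_t', 'postfix_postqueue_t'})
    print('\n'.join(wanted))
    print('# source domain outside the mail path, review separately:')
    print('\n'.join(unrelated))
```
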

allow pppd_t initrc_t:process signal;

What process is running as initrc_t?
Hmm, the most likely culprit is the NoIP client (http://www.no-ip.com) which updates my IP address with their DynDNS service. As I've packaged this locally, you can just forget about it ;-).
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.