Bug 452811 - Selenix Is Preventing Sendmail from using Mislabeled files.
Selenix Is Preventing Sendmail from using Mislabeled files.
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sendmail (Show other bugs)
5.1
All Linux
low Severity low
: rc
: ---
Assigned To: Miroslav Lichvar
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-25 05:03 EDT by Joe Fain Sr
Modified: 2009-10-26 11:12 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-26 11:12:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Sendmail Alert Mislabeled Files (3.17 KB, text/plain)
2008-06-25 05:03 EDT, Joe Fain Sr
no flags Details

  None (edit)
Description Joe Fain Sr 2008-06-25 05:03:51 EDT
Description of problem:
Summary:

SELinux is preventing the sendmail from using potentially mislabeled files
(2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429).

Detailed Description:

SELinux has denied sendmail access to potentially mislabeled file(s)
(2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429).
This means that SELinux will not allow sendmail to use these files. It is common
for users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want sendmail to access this files, you need to relabel them using
restorecon -v
'2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429'.
You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                system_u:system_r:system_mail_t
Target Context                system_u:object_r:httpd_tmp_t
Target Objects                2F746D702F2E4E5350522D41464D2D363336332D3261616263
                              383066633837302E30202864656C6574656429 [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          LS1000.tmch.com
Source RPM Packages           sendmail-8.13.8-2.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-137.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     LS1000.tmch.com
Platform                      Linux LS1000.tmch.com 2.6.18-92.1.1.el5 #1 SMP Thu
                              May 22 09:01:47 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 23 Jun 2008 02:40:26 PM CDT
Last Seen                     Mon 23 Jun 2008 02:40:27 PM CDT
Local ID                      413eb782-5b3f-4543-a9f3-ceee3ad22e54
Line Numbers                  

Raw Audit Messages            

host=LS1000.tmch.com type=AVC msg=audit(1214250027.124:570): avc:  denied  {
read write } for  pid=32570 comm="sendmail"
path=2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429
dev=dm-2 ino=98310 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

host=LS1000.tmch.com type=AVC msg=audit(1214250027.124:570): avc:  denied  {
read } for  pid=32570 comm="sendmail" path="eventpoll:[347445]" dev=eventpollfs
ino=347445 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file

host=LS1000.tmch.com type=SYSCALL msg=audit(1214250027.124:570): arch=c000003e
syscall=59 success=yes exit=0 a0=18357d70 a1=18357de0 a2=18356d00 a3=3 items=0
ppid=15844 pid=32570 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)





Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Joe Fain Sr 2008-06-25 05:03:51 EDT
Created attachment 310239 [details]
Sendmail Alert Mislabeled Files
Comment 2 Thomas Woerner 2008-07-15 08:56:44 EDT
This path is strange - I do not know what exactly this should be.

Do you have more information?
Comment 3 Daniel Walsh 2009-10-26 11:08:14 EDT
Taking these AVC's and applying to Fedora 12 setroubleshoot shows.

Summary:

SELinux is preventing /usr/sbin/sendmail.sendmail access to a leaked
/tmp/.NSPR-AFM-6363-2aabc80fc870.0 (deleted) file descriptor.

Detailed Description:

[sendmail has a permissive type (system_mail_t). This access was not denied.]

SELinux denied access requested by the sendmail command. It looks like this is
either a leaked descriptor or sendmail output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /tmp/.NSPR-AFM-6363-2aabc80fc870.0 (deleted). You should generate a bugzilla
on selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:object_r:httpd_tmp_t:s0
Target Objects                /tmp/.NSPR-AFM-6363-2aabc80fc870.0 (deleted) [
                              file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sendmail-8.14.3-8.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-33.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.31.1-48.fc12.x86_64 #1 SMP Fri Sep 25 16:57:40
                              EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Jun 23 15:40:27 2008
Last Seen                     Mon Jun 23 15:40:27 2008
Local ID                      d97e260c-b582-4acd-8013-265954378cba
Line Numbers                  1, 2, 4

Raw Audit Messages            

type=AVC msg=audit(1214250027.124:570): avc:  denied  { read write } for  pid=32570 comm="sendmail" path=2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429 dev=dm-2 ino=98310 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file 

type=AVC msg=audit(1214250027.124:570): avc:  denied  { read } for  pid=32570 comm="sendmail" path="eventpoll:[347445]" dev=eventpollfs ino=347445 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file

type=SYSCALL msg=audit(1214250027.124:570): arch=c000003e syscall=59 success=yes exit=0 a0=18357d70 a1=18357de0 a2=18356d00 a3=3 items=0 ppid=15844 pid=32570 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)
Comment 4 Daniel Walsh 2009-10-26 11:12:02 EDT
This is not a sendmail or an selinux policy bug.

This indicates that the apache scripts/modules you are using a leaking files to the sendmail program.  You can safely ignore these errors, since SELinux will close the access.  If you want to allow the access you can use audit2allow  to generate a policy module.

# grep sendmail /var/log/audit/audit.log | audit2allow -m mysendmail
# semodule -i mysendmail.pp


I can not tell from the AVC which apache module is leaking the descriptors, but you should report this as a bug to those apps to close the descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Note You need to log in before you can comment on or make changes to this bug.