Description of problem:
I'm getting AVC Denials from SELinux when sendmail tries to execute mailman because the milter file descriptors are leaked (remain open) when sendmail forks to execute mailman.

According to Paul Howarth on the fedora-selinux-list:
> Do your milters exec other programs? There are a couple of sockets
> involved in the milter process (one in libmilter that shows up in the
> milter process itself, and one at the other end of the connection in
> sendmail) that don't have close-on-exec set, so their descriptors leak
> when they exec other programs, and that looks like what you're seeing
> here. I've submitted patches against 8.14.3 upstream many months ago
> but there hasn't been a new release since.

Version-Release number of selected component (if applicable):
sendmail-8.14.3-3.fc10.i386
selinux-policy-targeted-3.5.13-41.fc10.noarch

How reproducible:
100%

Steps to Reproduce:
1. setup sendmail to call a mailman list via:
   mailman: "|/usr/lib/mailman/mail/mailman post mailman"
2. send mail (from another host) to this address
3. Look in the audit log.

Actual results:
Summary
SELinux is preventing mailman (mailman_mail_t) "read write" sendmail_t.

Detailed Description
SELinux denied access requested by mailman. It is not expected that this access is required by mailman and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:mailman_mail_t:s0
Target Context: system_u:system_r:sendmail_t:s0
Target Objects: socket [ unix_stream_socket ]
Source: mailman
Source Path: /usr/lib/mailman/mail/mailman
Port: <Unknown>
Host: <redacted>
Source RPM Packages: mailman-2.1.11-3.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-41.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: code.gnucash.org
Platform: Linux code.gnucash.org 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
Alert Count: 1
First Seen: Sun 08 Feb 2009 11:28:40 AM EST
Last Seen: Sun 08 Feb 2009 03:04:01 PM EST
Local ID: 606e93dc-55fc-4454-acfa-1081a87deb63
Line Numbers:

Raw Audit Messages:
node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc: denied { read write } for pid=17455 comm="mailman" path="socket:[105075]" dev=sockfs ino=105075 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc: denied { read write } for pid=17455 comm="mailman" path="socket:[105077]" dev=sockfs ino=105077 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc: denied { read write } for pid=17455 comm="mailman" path="socket:[105079]" dev=sockfs ino=105079 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
node=code.gnucash.org type=SYSCALL msg=audit(1234123441.829:421): arch=40000003 syscall=11 success=yes exit=0 a0=8d42e38 a1=8d42f20 a2=8d42508 a3=0 items=0 ppid=17454 pid=17455 auid=4294967295 uid=8 gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none) ses=4294967295 comm="mailman" exe="/usr/lib/mailman/mail/mailman" subj=system_u:system_r:mailman_mail_t:s0 key=(null)

Expected results:
Sendmail shouldn't leak sockets, so there shouldn't be any AVC denials.

Additional info:
see the thread on the fedora-selinux-list:
https://www.redhat.com/archives/fedora-selinux-list/2009-February/msg00060.html
Created attachment 331837: libmilter socket close-on-exec patch
This patch sets close-on-exec for the milter/MTA socket at the libmilter end, preventing the milter socket descriptor leaking into child processes of the milter. I submitted this upstream on 18th June 2008.
Created attachment 331838: sendmail socket close-on-exec patch
This patch sets close-on-exec for the milter/MTA socket at the sendmail end, preventing the milter socket descriptor leaking into the local delivery process (this is probably the source of Derek's AVCs). I submitted this upstream on 22nd September 2008.
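An added illustration of the mechanism both attached patches address; this is not code from the bug, the patches or sendmail. It shows that a unix_stream_socket without FD_CLOEXEC survives exec and is inherited by the child (which is how a sendmail_t socket ends up open in mailman_mail_t), and that setting the flag with fcntl, as the patches do, closes it at exec. The function names and the /bin/sh probe are my own constructions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd has FD_CLOEXEC set, 0 if not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Shape of the fix: OR FD_CLOEXEC into the existing fd flags. 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) ? -1 : 0;
}

/* Fork and exec /bin/sh, which tries to dup the numbered fd onto its stdout;
 * exit status 0 means the fd survived exec. 1 = leaks, 0 = closed, -1 = error. */
int leaks_across_exec(int fd)
{
    char num[16]; int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        snprintf(num, sizeof num, "%d", fd);
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; exec >&$0", num, (char *)0);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Demo on a constructed unix_stream_socket pair (the object class in the AVCs). */
int leak_demo(void)
{
    int sv[2], r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    r = leaks_across_exec(sv[0]) * 2;  /* 1 before the fix: the fd leaks */
    set_cloexec(sv[0]);
    r += leaks_across_exec(sv[0]);     /* 0 after the fix: returns 2 overall */
    close(sv[0]); close(sv[1]);
    return r;
}
```

The same probe can be pointed at any descriptor a daemon holds before it execs a delivery agent or milter helper, which is how a leak like this one is found without waiting for an AVC denial.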
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This remains unfixed in Rawhide.
Included in sendmail-8.14.3-9.fc13. Thanks for the patches.