Bug 489747 - root email not getting forwarded
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
low Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2009-03-11 12:58 EDT by Mace Moneta
Modified: 2009-03-27 15:43 EDT
Doc Type: Bug Fix
Last Closed: 2009-03-27 14:57:36 EDT
Description Mace Moneta 2009-03-11 12:58:22 EDT
Description of problem:

Root has a .forward file to forward email to another user.  Sendmail reports:
sendmail[19969]: n2BGgM8u019968: forward /root/.forward: Permission denied

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a .forward file on root
2. Send an email to root

Actual results:

Permission denied error

Expected results:

Email gets forwarded

Additional info:

I created a local policy with audit2allow -l -a -m localxxx to work around the problem:

module local016 1.0;

require {
        type sendmail_t;
        type admin_home_t;
        class file { read getattr open };
}

#============= sendmail_t ==============
allow sendmail_t admin_home_t:file { read getattr open };
Comment 1 Gilles Detillieux 2009-03-27 13:26:53 EDT
I've had the same problem on my rawhide system since December 8, 2008, just a few hours after this update:

Dec 08 13:05:49 Updated: sendmail-8.14.3-2.fc11.i386
Dec 08 13:08:25 Updated: selinux-policy-targeted-3.6.1-6.fc11.noarch

I tried loading the local policy shown above, and it didn't make a difference.  Using the sealert -b browser, there seem to have been only 5 AVC denied messages related to sendmail attempting to access /root/.forward, and the most recent of them was December 10.

I tried changing the mode on /root to readable and searchable by all (755) and that didn't help.  What did help was "setenforce 0", so clearly it is an SELinux problem, but why are we getting SELinux denials with nothing being logged in /var/log/audit/audit.log?
Comment 2 Mace Moneta 2009-03-27 13:53:16 EDT
Yeah, I confirmed the local policy change no longer works with the current policy, and there's no audit but setenforce 0 does work.

I changed the sendmail aliases as a workaround, but that's not as dynamic.  A permission denied without an audit is troubling.
Comment 3 Daniel Walsh 2009-03-27 14:57:36 EDT
Fixed in selinux-policy-3.6.10-4.fc11.noarch
Comment 4 Gilles Detillieux 2009-03-27 15:43:00 EDT
Thanks, Daniel.  Does the new policy fix the problem with access to /root/.forward, the problem with denials not getting logged, or both?

Should I open a new bug report for the lack of audits in the log?
