Bug 510107 - setroubleshoot: SELinux is preventing the sendmail from using potentially mislabeled files /etc/postfix (postfix_etc_t).
setroubleshoot: SELinux is preventing the sendmail from using potentiall...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:037d8757663...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-07 13:49 EDT by Nicolas Mailhot
Modified: 2009-10-20 17:53 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-20 17:53:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
httpd_can_sendmail.py plugin (2.13 KB, application/octet-stream)
2009-07-07 15:15 EDT, Daniel Walsh
no flags Details

  None (edit)
Description Nicolas Mailhot 2009-07-07 13:49:35 EDT
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing the sendmail from using potentially mislabeled files
/etc/postfix (postfix_etc_t).

Description détaillée:

SELinux has denied the sendmail access to potentially mislabeled files
/etc/postfix. This means that SELinux will not allow httpd to use these files.
Many third party apps install html files in directories that SELinux policy
cannot predict. These directories have to be labeled with a file context which
httpd can access.

Autoriser l'accès:

If you want to change the file context of /etc/postfix so that the httpd daemon
can access it, you need to execute it using chcon -t httpd_sys_content_t
'/etc/postfix'. You can look at the httpd_selinux man page for additional
information.

Informations complémentaires:

Contexte source               system_u:system_r:httpd_t:s0
Contexte cible                system_u:object_r:postfix_etc_t:s0
Objets du contexte            /etc/postfix [ dir ]
source                        sendmail
Chemin de la source           /usr/sbin/sendmail.postfix
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         postfix-2.6.2-1.fc12
Paquetages RPM cible          postfix-2.6.2-1.fc12
Politique RPM                 selinux-policy-3.6.20-2.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 httpd_bad_labels
Nom de l'hôte                (removed)
Plateforme                    Linux (removed)
                              2.6.31-0.38.rc1.git7.bko13551.fc12.x86_64 #1 SMP
                              Sun Jul 5 14:27:52 EDT 2009 x86_64 x86_64
Compteur d'alertes            1
Première alerte              mar. 07 juil. 2009 14:51:59 CEST
Dernière alerte              mar. 07 juil. 2009 14:51:59 CEST
ID local                      c6477be7-16a1-496c-8034-6c1bc2a61fea
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1246971119.879:36512): avc:  denied  { search } for  pid=29322 comm="sendmail" name="postfix" dev=dm-3 ino=65645 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1246971119.879:36512): arch=c000003e syscall=2 success=no exit=-13 a0=7f912fc40670 a1=0 a2=0 a3=7fff0d36fee0 items=0 ppid=11032 pid=29322 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:httpd_t:s0 key=(null)


audit2allow suggests:

#============= httpd_t ==============
allow httpd_t postfix_etc_t:dir search;
Comment 1 Nicolas Mailhot 2009-07-07 13:50:30 EDT
selinux is preventing postfix's sendmail emulation to read its own (postfix) files
Comment 2 Daniel Walsh 2009-07-07 14:04:16 EDT
What is the label on /usr/sbin/sendmail.postfix

If you turn on the boolean httpd_can_sendmail does it work?
Comment 3 Nicolas Mailhot 2009-07-07 14:15:09 EDT
#  ls -Z /usr/sbin/sendmail
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /usr/sbin/sendmail -> /etc/alternatives/mta

# ls -Z /etc/alternatives/mta
lrwxrwxrwx. root root system_u:object_r:etc_t:s0       /etc/alternatives/mta -> /usr/sbin/sendmail.postfix

# ls -Z /usr/sbin/sendmail.postfix 
-rwxr-xr-x. root root system_u:object_r:sendmail_exec_t:s0 /usr/sbin/sendmail.postfix
Comment 4 Nicolas Mailhot 2009-07-07 14:26:39 EDT
with setroubleshoot it seems to work. So I guess it was just terrible setroubleshoot analysis

PS why do  httpd_can_sendmail  exist but not httpd_can_mail_services (as in imap/s, pop3/s, smtp/s, submission, as needed by webmails, without opening every possible port to apache?)
Comment 5 Daniel Walsh 2009-07-07 15:13:31 EDT
can_sendmail allows the httpd_t to connect to all mail ports and to transition to system_mail_t, so I guess this would work in either case.

The analysys is only as good as the code written for it, since httpd is able to execute all execuables, it is allowed to run sendmail.postfix without transition.  So the only thing we got from the kernel was that httpd_t tried to read postfix_etc_t.  I guess we could look at the target and figure out that comm="sendmail" so httpd is probably trying to send mail.

I am writing a new plugin for Rawhide, that would catch this.  I will attach it to this bug report.
Comment 6 Daniel Walsh 2009-07-07 15:15:01 EDT
Created attachment 350853 [details]
httpd_can_sendmail.py plugin

cp this file to /usr/share/setroubleshoot/plugins

Then run 

sealert -a /var/log/audit/audit.log

And you should get a better analysys.
Comment 7 Nicolas Mailhot 2009-07-07 15:48:00 EDT
(In reply to comment #5)
> can_sendmail allows the httpd_t to connect to all mail ports and to transition
> to system_mail_t, so I guess this would work in either case.

ok, this is much more than just accessing sendmail, I guess I was fooled by the boolean name

> The analysys is only as good as the code written for it, since httpd is able to
> execute all execuables, it is allowed to run sendmail.postfix without
> transition.  So the only thing we got from the kernel was that httpd_t tried to
> read postfix_etc_t.  I guess we could look at the target and figure out that
> comm="sendmail" so httpd is probably trying to send mail.
> 
> I am writing a new plugin for Rawhide, that would catch this.  I will attach it
> to this bug report.



# sealert -a /var/log/audit/audit.log
100% donefound 8 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

Traceback (most recent call last):
  File "/usr/bin/sealert", line 860, in on_analyzer_state_change
    self.output_results()
  File "/usr/bin/sealert", line 879, in output_results
    print siginfo.format_text()
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/signature.py", line 46
6, in format_text
    text += html_to_text('<h1>'+_("Summary")+':</h1>'+summary)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 16: ordinal
 not in range(128)
[root@arekh nim]# sealert -a /var/log/audit/audit.log
100% donefound 8 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

Traceback (most recent call last):
  File "/usr/bin/sealert", line 860, in on_analyzer_state_change
    self.output_results()
  File "/usr/bin/sealert", line 879, in output_results
    print siginfo.format_text()
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/signature.py", line 466, in format_text
    text += html_to_text('<h1>'+_("Summary")+':</h1>'+summary)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 16: ordinal not in range(128)
Comment 8 Nicolas Mailhot 2009-07-07 15:51:53 EDT
(In reply to comment #7)
> (In reply to comment #5)
> > can_sendmail allows the httpd_t to connect to all mail ports and to transition
> > to system_mail_t, so I guess this would work in either case.
> 
> ok, this is much more than just accessing sendmail, I guess I was fooled by the
> boolean name

I guess this advice is misleading too then

SELinux is preventing the http daemon from connecting to network port 993

SELinux has denied the http daemon from connecting to 993. An httpd script is trying to do a network connect to a remote port. If you did not setup httpd to network connections, this could signal a intrusion attempt.

If you want httpd to connect to network ports you need to turn on the httpd_can_network_network_connect boolean: "setsebool -P httpd_can_network_connect=1" 

setsebool -P httpd_can_network_connect=1
Comment 9 Daniel Walsh 2009-10-20 17:53:54 EDT
sendmail plugin has been added to rawhide.

Note You need to log in before you can comment on or make changes to this bug.