518998 – SELinux is preventing mailx (sendmail_t) "read" inotify (inotifyfs_t). (abrt mailx plugin)

Bug 518998 - SELinux is preventing mailx (sendmail_t) "read" inotify (inotifyfs_t). (abrt mailx plugin)

Summary: SELinux is preventing mailx (sendmail_t) "read" inotify (inotifyfs_t). (abrt ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	abrt
Sub Component:
Version:	12
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nikola Pajkovsky
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (4):	578507 581911 585685 587950 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-08-24 14:33 UTC by Daniel Novotny
Modified:	2014-02-02 22:13 UTC (History)
CC List:	10 users (show)
Fixed In Version:	abrt-1.1.13-1.fc12
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-08-17 05:27:51 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Novotny 2009-08-24 14:33:42 UTC

Description of problem:

Summary:

SELinux is preventing mailx (sendmail_t) "read" inotify (inotifyfs_t).

Detailed Description:

SELinux denied access requested by the mailx command. It looks like this is
either a leaked descriptor or mailx output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the inotify. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:sendmail_t:s0
Target Context                system_u:object_r:inotifyfs_t:s0
Target Objects                inotify [ dir ]
Source                        mailx
Source Path                   /bin/mailx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mailx-12.4-3.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.28-5.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-0.125.4.2.rc5.git2.fc12.i686
                              #1 SMP Tue Aug 11 21:20:05 EDT 2009 i686 i686
Alert Count                   8
First Seen                    Sat 15 Aug 2009 03:35:44 PM EDT
Last Seen                     Sat 15 Aug 2009 04:11:35 PM EDT
Local ID                      2e34d5dd-dbba-4c15-8989-b9e49cf7ea59
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1250367095.123:85): avc:  denied  { read } for  pid=2446 comm="mailx" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1250367095.123:85): avc:  denied  { read write } for  pid=2446 comm="mailx" path="/var/run/abrt.lock" dev=dm-0 ino=344298 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:abrt_var_run_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1250367095.123:85): arch=40000003 syscall=11 success=yes exit=0 a0=9f01e70 a1=9f01ee8 a2=9f01250 a3=9f01ee8 items=0 ppid=2239 pid=2446 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mailx" exe="/bin/mailx" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. install abrt and configure it for Mailx plugin
  (abrt.conf: Mailx has to be in EnabledPlugins
  in AnalyzerActionsAndReporters
  CCpp = Mailx )
   
2. generate a crash, run abrt-gui (or click tray icon)
3. click on "Report", then "Send"
 
  
Actual results:
AVC denial

Expected results:
mail sent

Additional info:

Comment 1 Daniel Walsh 2009-08-24 14:47:02 UTC

abrt is leaking an open file descriptor to inotify.

Comment 2 Daniel Walsh 2009-08-24 14:47:38 UTC

Daniel you can ignore this for now.

Comment 3 Michal Nowak 2009-09-04 12:21:15 UTC

What to do with this one? is the fd leak still present?

Comment 4 Bug Zapper 2009-11-16 11:38:13 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Nikola Pajkovsky 2010-05-05 12:24:29 UTC

Not now, I hope.

$ git log 3d6f441 --oneline | head -n 1
3d6f441 fork_execv_on_steroids: close other end of the pipe in the child

Comment 7 Nikola Pajkovsky 2010-05-05 12:27:22 UTC

*** Bug 585685 has been marked as a duplicate of this bug. ***

Comment 8 Nikola Pajkovsky 2010-05-05 12:27:34 UTC

*** Bug 587950 has been marked as a duplicate of this bug. ***

Comment 9 Nikola Pajkovsky 2010-05-05 12:27:42 UTC

*** Bug 581911 has been marked as a duplicate of this bug. ***

Comment 10 Nikola Pajkovsky 2010-05-05 12:27:52 UTC

*** Bug 578507 has been marked as a duplicate of this bug. ***

Comment 11 Nikola Pajkovsky 2010-05-05 13:20:32 UTC

Not working

Comment 12 Denys Vlasenko 2010-05-25 12:28:26 UTC

Perhaps this can be closed now, inotify_fd leak has been plugged, fix will be in 1.1.4

Comment 14 Fedora Update System 2010-08-11 11:08:44 UTC

abrt-1.1.13-1.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc14

Comment 15 Fedora Update System 2010-08-12 12:57:29 UTC

abrt-1.1.13-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc13

Comment 16 Fedora Update System 2010-08-12 19:51:44 UTC

abrt-1.1.13-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update abrt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc14

Comment 17 Fedora Update System 2010-08-16 14:06:06 UTC

abrt-1.1.13-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/abrt-1.1.13-1.fc12

Comment 18 Fedora Update System 2010-08-17 05:26:21 UTC

abrt-1.1.13-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-08-20 13:30:41 UTC

abrt-1.1.13-2.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/abrt-1.1.13-2.fc14

Comment 20 Fedora Update System 2010-08-24 01:11:17 UTC

abrt-1.1.13-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2010-08-24 21:16:59 UTC

abrt-1.1.13-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.