Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 617790 - logwatch unable to invoke sendmail
logwatch unable to invoke sendmail
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
: 617899 617928 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-23 20:40 EDT by Andrew Schultz
Modified: 2010-08-10 23:08 EDT (History)
31 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-44.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-10 17:41:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andrew Schultz 2010-07-23 20:40:23 EDT
Description of problem:
I have logwatch configured to send mail to me.  This morning (after updating selinux-policy last night), I got:

---------
/etc/cron.daily/0logwatch:

Can't exec "sendmail": Permission denied at /usr/sbin/logwatch line 1032, <TESTFILE> line 2.
Can't execute sendmail -t: Permission denied
---------

In audit.log, I see
type=SELINUX_ERR msg=audit(1279896003.502:31721): security_compute_sid:  invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process


Version-Release number of selected component (if applicable):
3.7.19-39.fc13

I'm guessing this is due to bug 614698
Comment 1 Steve Bryant 2010-07-24 03:16:54 EDT
Getting the same here - "logwatch" email is not received:

type=SELINUX_ERR msg=audit(1279953314.126:44): security_compute_sid:  invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process

$ uname -r
2.6.33.6-147.fc13.i686.PAE

$ rpm -q logwatch selinux-policy
logwatch-7.3.6-51.fc13.noarch
selinux-policy-3.7.19-39.fc13.noarch
Comment 2 Bojan Smojver 2010-07-24 21:02:41 EDT
Just a me to here:

selinux-policy-3.7.19-39.fc13.noarch
logwatch-7.3.6-51.fc13.noarch
Comment 3 Dominic Hopf 2010-07-25 06:07:53 EDT
Fully reproducible here too.

logwatch-7.3.6-51.fc13.noarch
selinux-policy-3.7.19-39.fc13.noarch
Comment 4 David 2010-07-25 11:41:57 EDT
I observe the same issue on all of my Fedora 13 systems (both 32 and 64 bit).  It appears to be a permissions problem somewhere.  It works as normal with no issue if I manually execute logwatch as root.

2.6.33.6-147.fc13.x86_64

logwatch-7.3.6-51.fc13.noarch
selinux-policy-3.7.19-39.fc13.noarch
Comment 5 Miroslav Grepl 2010-07-25 12:26:04 EDT
It was fixed in selinux-policy-3.7.19-40.fc13.noarch

selinux-policy and selinux-policy-targeted packages are available for now from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=186159
Comment 6 Garry T. Williams 2010-07-25 13:18:52 EDT
(In reply to comment #5)
> It was fixed in selinux-policy-3.7.19-40.fc13.noarch

I just installed and can verify that it is fixed.  (I tested from root's cron.)

Thanks.
Comment 7 Dave Jones 2010-07-26 00:44:06 EDT
*** Bug 617899 has been marked as a duplicate of this bug. ***
Comment 8 Nicola Soranzo 2010-07-26 06:12:24 EDT
*** Bug 617928 has been marked as a duplicate of this bug. ***
Comment 9 Joel Uckelman 2010-07-26 07:34:49 EDT
I think 3.7.19-40.fc13 doesn't completely solve the problem. What I'm seeing from anacron after installing the policy update is:


/etc/cron.daily/0logwatch:

sendmail: fatal: chdir /var/spool/postfix: Permission denied



This isn't the same failure as with 3.7.19-39.fc13, but is a failure still.
Comment 10 Miroslav Grepl 2010-07-26 07:42:57 EDT
What AVC are you seeing?

ausearch -m avc -ts recent
Comment 11 Joel Uckelman 2010-07-26 07:53:43 EDT
(In reply to comment #10)
> What AVC are you seeing?
> 
> ausearch -m avc -ts recent    

[root@hydra uckelman]# ausearch -m avc -ts recent
<no matches>


I'm not getting an AVC which is logged, which puzzles me. For the record, I was getting the same error message as in Comment 0, but not that AVC either. I have no idea why this is---I've had other AVCs in the audit.log within the past few days.
Comment 12 Joel Uckelman 2010-07-26 09:08:14 EDT
Ah, I found the message in the audit.log by looking for it by hand:

type=AVC msg=audit(1280139552.870:9392): avc:  denied  { read } for  pid=26659 comm="sendmail" name="unix" dev=proc ino=4026531958 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

type=SYSCALL msg=audit(1280139552.870:9392): arch=c000003e syscall=21 success=no exit=-13 a0=7fffffa254c0 a1=4 a2=7fffffa254ce a3=ffffffffffffffa8 items=0 ppid=26546 pid=26659 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1284 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)

I'm not sure why ausearch didn't see it.
Comment 13 Miroslav Grepl 2010-07-26 11:36:04 EDT
Joel,
can you execute

# semanage permissive -a logwatch_mail_t

and test it.

Then grab the output from 

ausearch -m avc -su logwatch_mail_t


So we can get all of the AVC messages. Thanks.
Comment 14 Joel Uckelman 2010-07-26 12:06:33 EDT
(In reply to comment #13)
> Joel,
> can you execute
> 
> # semanage permissive -a logwatch_mail_t
> 
> and test it.

Do you know how I can make cron run /etc/cron.daily/0logwatch right now, so it's run from the right context? (Otherwise, I can just wait until tomorrow to get the output.)
Comment 15 Daniel Walsh 2010-07-26 17:11:56 EDT
Miroslav I think we need to change some system_mail_t calls to user_mail_domain

kernel_read_system_state(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)

FOr example.
Comment 16 Andrew Schultz 2010-07-26 21:41:23 EDT
> Do you know how I can make cron run /etc/cron.daily/0logwatch right now, so
> it's run from the right context? (Otherwise, I can just wait until tomorrow to
> get the output.)

You can remove /var/spool/anacron/cron.daily and restart the cron service (it will still take an hour to kick in).  You might also try just copying 0logwatch to /etc/cron.hourly to make it run hourly (or set it up to run more frequently via /etc/crontab)
Comment 17 Joel Uckelman 2010-07-27 07:11:42 EDT
(In reply to comment #13)
> Joel,
> can you execute
> 
> # semanage permissive -a logwatch_mail_t
> 
> and test it.
> 
> Then grab the output from 
> 
> ausearch -m avc -su logwatch_mail_t
> 
> 
> So we can get all of the AVC messages. Thanks.    

I have two F13 machines where I had the original logwatch problem. I've
installed the 3.7.19-40.fc13 policy RPMs on both of them. One I set to
be permissive for logwatch_mail_t, the other I didn't change.

On the permissive machine, I got:

* no additional AVCs
* the logwatch email, as expected
* this error email from cron:

> /etc/cron.daily/0logwatch:
>
> You have old files in your logwatch tmpdir (/var/cache/logwatch):
>        logwatch.C0aNS7fD
> The directories listed above were most likely created by a
> logwatch run that failed to complete successfully.  If so, you
> may delete these directories.

On the impermissive machine, I got:

* another copy of the same AVC as in Comment #12
* no logwatch email
* this error email from cron:

> /etc/cron.daily/0logwatch:
> 
> You have old files in your logwatch tmpdir (/var/cache/logwatch):
>         logwatch.cgf57GcR
> The directories listed above were most likely created by a
> logwatch run that failed to complete successfully.  If so, you
> may delete these directories.
> 
> sendmail: fatal: chdir /var/spool/postfix: Permission denied
Comment 18 Miroslav Grepl 2010-07-27 08:23:18 EDT
(In reply to comment #15)
> Miroslav I think we need to change some system_mail_t calls to user_mail_domain
> 
> kernel_read_system_state(user_mail_domain)
> kernel_read_network_state(user_mail_domain)
> kernel_request_load_module(user_mail_domain)

I am adding it to selinux-policy-3.7.19-41.fc13.

Joel,
thanks for testing.
Comment 19 Joel Uckelman 2010-07-28 06:50:18 EDT
(In reply to comment #18)
> 
> I am adding it to selinux-policy-3.7.19-41.fc13.
> 

I'm testing 3.7-19-41.fc13 now.
Comment 20 Miroslav Grepl 2010-07-28 10:30:03 EDT
Joel,
does it work?
Comment 21 Gabriel VLASIU 2010-07-28 10:44:43 EDT
Does not work with postfix:

# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-41.fc13.noarch
selinux-policy-3.7.19-41.fc13.noarch

/etc/cron.daily/0logwatch:

You have old files in your logwatch tmpdir (/var/cache/logwatch):
        logwatch.uNHRXvK5
The directories listed above were most likely created by a
logwatch run that failed to complete successfully.  If so, you
may delete these directories.

sendmail: fatal: chdir /var/spool/postfix: Permission denied
Comment 22 Fedora Update System 2010-07-28 11:11:01 EDT
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
Comment 23 Gabriel Ramirez 2010-07-28 12:16:02 EDT
the selinux-policy-targeted-3.7.19-41.fc13.noarch and selinux-policy-3.7.19-41.fc13.noarch, didn't fix the error with postfix and logwatch I got this email:


/etc/cron.daily/0logwatch:

sendmail: fatal: chdir /var/spool/postfix: Permission denied



Gabriel
Comment 24 Sam 2010-07-28 14:42:25 EDT
Reproduced here after upgrade to Fedora 13 from Fedora 12 using preupgrade yesterday.
Comment 25 Miroslav Grepl 2010-07-28 17:03:24 EDT
We will fix it as soon as buildsystem and CVS work again. Thanks for testing.
Comment 26 Simon Andrews 2010-07-29 01:51:16 EDT
(In reply to comment #22)
> selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13.
> http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13    

This update did fix the problem on one of our systems.  We're using sendmail rather than postfix though.
Comment 27 Joel Uckelman 2010-07-29 07:00:33 EDT
On my "impermissive" system with 3.7.19-41.fc13 I'm getting the same AVC as with build 40:

[uckelman@one ~]$ sudo ausearch -m avc -su logwatch_mail_t

... output trimmed ...
---
time->Wed Jul 28 03:44:24 2010
type=SYSCALL msg=audit(1280313864.353:13788): arch=c000003e syscall=21 success=no exit=-13 a0=7fff3f12f460 a1=4 a2=7fff3f12f46e a3=ffffffffffffffa8 items=0 ppid=19730 pid=19837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1928 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1280313864.353:13788): avc:  denied  { read } for  pid=19837 comm="sendmail" name="unix" dev=proc ino=4026531958 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Comment 28 Domingo Becker 2010-07-29 07:48:55 EDT
Reproduced here after update in some F13 systems.

The error is:

/etc/cron.daily/0logwatch:

Can't exec "sendmail": Permission denied at /usr/sbin/logwatch line 1032, <TESTFILE> line 1.
Can't execute sendmail -t: Permission denied

when I do
ls -lh /usr/sbin/logwatch
lrwxrwxrwx. 1 root root 45 jul 29 08:41 /usr/sbin/logwatch -> ../..//usr/share/logwatch/scripts/logwatch.pl

The link seems to be wrong with those ../../ in the beginning.
It is created by logwatch-7.3.6-51.fc13.noarch package.
For my case, the problem seems to be in that package, instead of selinux-policy, and the error is the same as the description of this bug report.

kind regards
Comment 29 Fedora Update System 2010-07-30 04:40:58 EDT
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
Comment 30 Joel Uckelman 2010-07-30 07:26:08 EDT
I'm still getting the same AVC denial with 3.7.19-41.fc13, so you know.
Comment 31 Domingo Becker 2010-07-30 12:38:11 EDT
(In reply to comment #28)
> when I do
> ls -lh /usr/sbin/logwatch
> lrwxrwxrwx. 1 root root 45 jul 29 08:41 /usr/sbin/logwatch ->
> ../..//usr/share/logwatch/scripts/logwatch.pl
> 
> The link seems to be wrong with those ../../ in the beginning.

Just an update.

I changed the link to a correct path /usr/share/logwatch/scripts/logwatch.pl and it works again.

I did not update the selinux-policy package.

In my case, although it is the same error, the problem is in logwatch-7.3.6-51.fc13.noarch package.

kind regards
Comment 32 Stefan Jensen 2010-07-30 18:41:01 EDT
Domingo is right. Correcting this link, solved it for me. (without the update to selinux-policy)

best regards
Comment 33 David 2010-07-30 19:33:57 EDT
The symlink is not wrong. I have F11 and F12 servers that have the exact same link as the F13.

It was the selinux-policy update that stopped logwatch.
Comment 34 Steve Bryant 2010-07-31 04:50:43 EDT
selinux-policy-3.7.19-40 resolved the issue I reported at Comment 1 above - 

Thanks!
Comment 35 Stefan Jensen 2010-07-31 08:31:25 EDT
I have to revert my Comment #32.

I run it from a root console.
Running from regular cron job will produce the error from Comment 28.

selinux-policy-3.7.19-40 resolved that.

Sorry for the noise.

Thank you.
Comment 36 Dominic Hopf 2010-07-31 09:04:20 EDT
Can confirm this works for me again too. I have selinux-policy-3.7.19-41.fc13.noarch installed.
Comment 37 Miroslav Grepl 2010-08-02 08:57:01 EDT
(In reply to comment #23)
> the selinux-policy-targeted-3.7.19-41.fc13.noarch and
> selinux-policy-3.7.19-41.fc13.noarch, didn't fix the error with postfix and
> logwatch I got this email:
> 
> 
> /etc/cron.daily/0logwatch:
> 
> sendmail: fatal: chdir /var/spool/postfix: Permission denied
> 
> 
> 
> Gabriel    

Fixed in selinux-policy-3.7.19-42.fc13.
Comment 38 Miroslav Grepl 2010-08-02 09:03:37 EDT
selinux packages are available from koji 

http://koji.fedoraproject.org/koji/taskinfo?taskID=2373358
Comment 39 Gabriel VLASIU 2010-08-02 10:26:27 EDT
(In reply to comment #37)
> 
> Fixed in selinux-policy-3.7.19-42.fc13.    

Works fine. Thank you.


Gabriel
Comment 40 Joel Uckelman 2010-08-03 06:46:05 EDT
(In reply to comment #37)
> 
> Fixed in selinux-policy-3.7.19-42.fc13.    
>

I believe we have a winner. This build works for me. Thanks!
Comment 41 Gabriel Ramirez 2010-08-03 12:01:46 EDT
(In reply to comment #37)

> Fixed in selinux-policy-3.7.19-42.fc13.    

thanks that fixed the problem with postfix and logwatch

Gabriel
Comment 42 Fedora Update System 2010-08-05 19:39:19 EDT
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 43 Nicola Soranzo 2010-08-06 04:01:56 EDT
As mentioned in several comments, this bug is NOT completely fixed in selinux-policy-3.7.19-41.fc13 , but only in selinux-policy-3.7.19-42.fc13 .
Reopened until the latter is released as stable update.
Comment 44 Fedora Update System 2010-08-06 09:41:10 EDT
selinux-policy-3.7.19-44.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-44.fc13
Comment 45 Fedora Update System 2010-08-06 16:59:30 EDT
selinux-policy-3.7.19-44.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-44.fc13
Comment 46 Fedora Update System 2010-08-10 17:39:39 EDT
selinux-policy-3.7.19-44.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.