693465 – SELinux is preventing /usr/sbin/sendmail.postfix from 'read' accesses on the fifo_file fifo_file.

Bug 693465 - SELinux is preventing /usr/sbin/sendmail.postfix from 'read' accesses on the fifo_file fifo_file.

Summary: SELinux is preventing /usr/sbin/sendmail.postfix from 'read' accesses on the ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	14
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:d055507552f...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-04 18:36 UTC by Gabriel Ramirez
Modified:	2011-04-25 00:00 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.9.7-40.fc14
Clone Of:
Environment:
Last Closed:	2011-04-25 00:00:08 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Gabriel Ramirez 2011-04-04 18:36:23 UTC

SELinux is preventing /usr/sbin/sendmail.postfix from 'read' accesses on the fifo_file fifo_file.

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore sendmail.postfix trying to read access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/sendmail.postfix /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that sendmail.postfix should be allowed read access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sendmail.postfi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:system_r:postfix_master_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        sendmail.postfi
Source Path                   /usr/sbin/sendmail.postfix
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           postfix-2.7.3-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 04 Apr 2011 04:26:59 AM CDT
Last Seen                     Mon 04 Apr 2011 04:26:59 AM CDT
Local ID                      376297c4-a3ef-4831-afa5-ee031837ea34

Raw Audit Messages
type=AVC msg=audit(1301909219.556:76454): avc:  denied  { read } for  pid=23417 comm="sendmail.postfi" path="pipe:[22094254]" dev=pipefs ino=22094254 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=fifo_file


type=AVC msg=audit(1301909219.556:76454): avc:  denied  { write } for  pid=23417 comm="sendmail.postfi" path="pipe:[22094254]" dev=pipefs ino=22094254 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1301909219.556:76454): arch=x86_64 syscall=execve success=yes exit=0 a0=16a9930 a1=16a8bd0 a2=16a88f0 a3=7fff5397ac80 items=0 ppid=23402 pid=23417 auid=500 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=2206 comm=sendmail.postfi exe=/usr/sbin/sendmail.postfix subj=system_u:system_r:system_mail_t:s0 key=(null)

Hash: sendmail.postfi,system_mail_t,postfix_master_t,fifo_file,read

audit2allow

#============= system_mail_t ==============
#!!!! This avc is allowed in the current policy

allow system_mail_t postfix_master_t:fifo_file { read write };

audit2allow -R

#============= system_mail_t ==============
#!!!! This avc is allowed in the current policy

allow system_mail_t postfix_master_t:fifo_file { read write };

Comment 1 Gabriel Ramirez 2011-04-04 18:53:19 UTC

about:

#!!!! This avc is allowed in the current policy

is because I inserted the mypol.pp in the running  policy

 along with the above AVC I see https://bugzilla.redhat.com/show_bug.cgi?id=690556

and this one


SELinux is preventing /usr/bin/procmail from 'read' accesses on the fifo_file fifo_file.

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore procmail trying to read access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/procmail /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that procmail should be allowed read access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep procmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:procmail_t:s0
Target Context                unconfined_u:system_r:postfix_master_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           procmail-3.22-25.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   45
First Seen                    Sun 03 Apr 2011 08:43:08 PM CDT
Last Seen                     Mon 04 Apr 2011 04:21:34 AM CDT
Local ID                      b2decd93-b02b-44a1-97cb-721dcf5ac9a2

Raw Audit Messages
type=AVC msg=audit(1301908894.972:76431): avc:  denied  { read } for  pid=23146 comm="procmail" path="pipe:[21587814]" dev=pipefs ino=21587814 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=fifo_file


type=AVC msg=audit(1301908894.972:76431): avc:  denied  { write } for  pid=23146 comm="procmail" path="pipe:[21587814]" dev=pipefs ino=21587814 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=unconfined_u:system_r:postfix_master_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1301908894.972:76431): arch=x86_64 syscall=execve success=yes exit=0 a0=7f4b9e7cc310 a1=7f4b9e7cc2b0 a2=7f4b9e7cbd90 a3=7fff8b76aa70 items=0 ppid=23145 pid=23146 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=(none) ses=3499 comm=procmail exe=/usr/bin/procmail subj=unconfined_u:system_r:procmail_t:s0 key=(null)

Hash: procmail,procmail_t,postfix_master_t,fifo_file,read

audit2allow

#============= procmail_t ==============
allow procmail_t postfix_master_t:fifo_file { read write };

audit2allow -R

#============= procmail_t ==============
allow procmail_t postfix_master_t:fifo_file { read write };


thanks in advance, 

Gabriel

Comment 2 Daniel Walsh 2011-04-04 19:37:46 UTC

I just allowed these in F15.  Probably not causing any problems, I believe this is just stdin,stdout coming from postfix_master to other domains.

Comment 3 Miroslav Grepl 2011-04-04 19:55:40 UTC

Yes, it looks so.

Comment 4 Gabriel Ramirez 2011-04-04 23:08:11 UTC

yeah but sometimes stdout stdin in postfix means emails so I prefer report them before lost any

thanks, 


Gabriel

Comment 5 Miroslav Grepl 2011-04-05 15:27:24 UTC

Fixed in selinux-policy-3.9.7-39.fc14

Comment 6 Fedora Update System 2011-04-21 14:50:16 UTC

selinux-policy-3.9.7-40.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14

Comment 7 Fedora Update System 2011-04-21 22:25:50 UTC

Package selinux-policy-3.9.7-40.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-40.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-40.fc14
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-04-24 23:59:02 UTC

selinux-policy-3.9.7-40.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.