+++ This bug was initially created as a clone of Bug #634989 +++

Description of problem:
I'm getting AVC error when I'm pushing to channel on SWnightly on Fedora13.

Version-Release number of selected component (if applicable):
SWnightly as of 2010-09-16

How reproducible:
1 of 2 Spacewalks

Steps to Reproduce:
1. # runcon -u unconfined_u -r unconfined_r -t unconfined_t -l s0-s0:c0.c1023 -- rhnpush -v --server=<fqdn> --username=<user> --password=<pass> -d rhel4 --channel=my-channel
2. Check AVC messages

Actual results:
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/15/2010 22:00:55 < /dev/null
----
time->Wed Sep 15 22:01:46 2010
type=SYSCALL msg=audit(1284602506.003:30904): arch=40000003 syscall=12 success=no exit=-13 a0=bfbfddbc a1=bfbfddbc a2=cf7738 a3=d2a450 items=0 ppid=9166 pid=13762 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602506.003:30904): avc: denied { search } for pid=13762 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
----
time->Wed Sep 15 22:01:53 2010
type=SYSCALL msg=audit(1284602513.290:30905): arch=40000003 syscall=12 success=no exit=-13 a0=bf9b6cfc a1=bf9b6cfc a2=cdc738 a3=d0f450 items=0 ppid=8411 pid=13821 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602513.290:30905): avc: denied { search } for pid=13821 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
----
time->Wed Sep 15 22:02:01 2010
type=SYSCALL msg=audit(1284602521.150:30906): arch=40000003 syscall=12 success=no exit=-13 a0=bfdd6b0c a1=bfdd6b0c a2=261738 a3=294450 items=0 ppid=11685 pid=13887 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602521.150:30906): avc: denied { search } for pid=13887 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

Expected results:
There should not be such errors.

--- Additional comment from jpazdziora on 2010-11-19 11:02:19 EST ---

Mass-moving to space13.

--- Additional comment from jpazdziora on 2010-11-20 12:27:11 EST ---

I assume that the sendmail process seems to be started when Apache wants to send some traceback email. Unfortunately, rhnpush seems to be that stable on my Spacewalk 1.2 (Fedora 13, PostgreSQL) that I did not get any tracebacks.

So I put

i = 1 / 0

to /usr/share/rhn/upload_server/handlers/package_push/package_push.py to handler and I indeed can see the reproducer.

type=AVC msg=audit(1290274022.882:21541): avc: denied { search } for pid=3005 comm="sendmail" name="clientmqueue" dev=dm-0 ino=833 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

Taking.

--- Additional comment from msuchy on 2011-04-11 03:30:52 EDT ---

We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

--- Additional comment from msuchy on 2011-04-11 03:36:11 EDT ---

We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

--- Additional comment from jpazdziora on 2011-05-10 07:28:44 EDT ---

The fix is to set the httpd_can_sendmail boolean:

# setsebool -P httpd_can_sendmail on

--- Additional comment from jpazdziora on 2011-05-10 07:29:51 EDT ---

This issue is also present on Satellite 5.4.0.

--- Additional comment from jpazdziora on 2011-05-10 07:32:50 EDT ---

We now set the boolean in spacewalk-selinux-enable: Spacewalk master 87e7077f0a2923763ef5ce9ec5de6e3aa7533467.

--- Additional comment from jpazdziora on 2011-05-10 07:55:48 EDT ---

The same AVCs happen on https://FQDN/help/forgot_password.pxt, with the SELinux boolean turned off.

Cherry picked to SATELLITE-5.4, 883cc09730bad3fdd4f9fefc297e0a79ce5133a4.
Tagged and built as spacewalk-selinux-1.2.1-4.
Changing to Verified:

Testing procedure:
- provoke traceback mail from package_push.py
- solicit for mail resetting password
- e-mails sent, no AVC denial

Verified against:
spacewalk-selinux-1.2.1-5.el6sat
Satellite-5.4.1-RHEL6-re20110511.0
Verified in stage w/ spacewalk-selinux-1.2.1-5 -> release pending.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html
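
Added example, not part of the original bug report or of Spacewalk: a small Python parser for AVC records in the format quoted above, which groups denials and picks out the httpd_t sendmail pattern that this report resolves with httpd_can_sendmail. The first two sample records are from the report; the third record and all function names are constructed for illustration.

```python
import re
from collections import Counter

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Records 1 and 2 are quoted from the report; record 3 is constructed to
# show a denial that the httpd_can_sendmail boolean does not explain.
SAMPLE = [
    'type=AVC msg=audit(1284602506.003:30904): avc: denied { search } for pid=13762 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir',
    'type=AVC msg=audit(1290274022.882:21541): avc: denied { search } for pid=3005 comm="sendmail" name="clientmqueue" dev=dm-0 ino=833 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir',
    'type=AVC msg=audit(1290274100.000:21550): avc: denied { read } for pid=3100 comm="httpd" name="example.conf" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    rec["stype"] = selinux_type(rec["scontext"])
    rec["ttype"] = selinux_type(rec["tcontext"])
    return rec

def group_denials(lines):
    """Count denials by (source type, target type, class, perms, comm)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"], rec["comm"])] += 1
    return counts

def sendmail_from_httpd(lines):
    """Audit serials of denials matching this report: sendmail run in httpd_t
    touching mqueue_spool_t, which the report fixes via httpd_can_sendmail."""
    return [rec["serial"] for rec in filter(None, map(parse_avc, lines))
            if (rec["stype"], rec["ttype"], rec["comm"]) == ("httpd_t", "mqueue_spool_t", "sendmail")]

if __name__ == "__main__":
    for key, n in group_denials(SAMPLE).items():
        print(n, key)
    print("httpd_can_sendmail candidates:", sendmail_from_httpd(SAMPLE))
```

Matching on the SELinux type rather than the full context catches both the system_u and unconfined_u variants seen in the report, since only the user field differs between them.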