Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 703485

Summary: AVC error when pushing to channel
Product: Red Hat Satellite 5
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: Server
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED ERRATA
QA Contact: Šimon Lukašík <slukasik>
Severity: medium
Priority: low
Version: 541
CC: jhutar, jpazdziora, mzazrivec, slukasik
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: spacewalk-selinux-1.2.1-4
Doc Type: Bug Fix
Story Points: ---
Clone Of: 634989
Last Closed: 2011-06-17 02:42:29 UTC
Type: ---
Bug Depends On: 634989    
Bug Blocks: 677501    

Comment 1 Jan Pazdziora (Red Hat) 2011-05-10 13:50:40 UTC
+++ This bug was initially created as a clone of Bug #634989 +++

Description of problem:
I'm getting an AVC error when I'm pushing to a channel on SWnightly on Fedora 13.


Version-Release number of selected component (if applicable):
SWnightly as of 2010-09-16


How reproducible:
1 of 2 Spacewalks


Steps to Reproduce:
1. # runcon -u unconfined_u -r unconfined_r -t unconfined_t -l s0-s0:c0.c1023 -- rhnpush -v --server=<fqdn> --username=<user> --password=<pass> -d rhel4 --channel=my-channel
2. Check AVC messages


Actual results:
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/15/2010 22:00:55 < /dev/null
----
time->Wed Sep 15 22:01:46 2010
type=SYSCALL msg=audit(1284602506.003:30904): arch=40000003 syscall=12 success=no exit=-13 a0=bfbfddbc a1=bfbfddbc a2=cf7738 a3=d2a450 items=0 ppid=9166 pid=13762 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602506.003:30904): avc:  denied  { search } for  pid=13762 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
----
time->Wed Sep 15 22:01:53 2010
type=SYSCALL msg=audit(1284602513.290:30905): arch=40000003 syscall=12 success=no exit=-13 a0=bf9b6cfc a1=bf9b6cfc a2=cdc738 a3=d0f450 items=0 ppid=8411 pid=13821 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602513.290:30905): avc:  denied  { search } for  pid=13821 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
----
time->Wed Sep 15 22:02:01 2010
type=SYSCALL msg=audit(1284602521.150:30906): arch=40000003 syscall=12 success=no exit=-13 a0=bfdd6b0c a1=bfdd6b0c a2=261738 a3=294450 items=0 ppid=11685 pid=13887 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602521.150:30906): avc:  denied  { search } for  pid=13887 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir


Expected results:
There should not be such errors.

--- Additional comment from jpazdziora on 2010-11-19 11:02:19 EST ---

Mass-moving to space13.

--- Additional comment from jpazdziora on 2010-11-20 12:27:11 EST ---

I assume that the sendmail process seems to be started when Apache wants to
send some traceback email. Unfortunately, rhnpush seems to be so stable on my
Spacewalk 1.2 (Fedora 13, PostgreSQL) that I did not get any tracebacks.

So I put

        i = 1 / 0

to /usr/share/rhn/upload_server/handlers/package_push/package_push.py, into the
handler, and I can indeed see the reproducer.

type=AVC msg=audit(1290274022.882:21541): avc:  denied  { search } for  pid=3005 comm="sendmail" name="clientmqueue" dev=dm-0 ino=833 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

Taking.

--- Additional comment from msuchy on 2011-04-11 03:30:52 EDT ---

We did not have time for this one during Spacewalk 1.4 time frame. Mass moving
to Spacewalk 1.5.

--- Additional comment from msuchy on 2011-04-11 03:36:11 EDT ---

We did not have time for this one during Spacewalk 1.4 time frame. Mass moving
to Spacewalk 1.5.

--- Additional comment from jpazdziora on 2011-05-10 07:28:44 EDT ---

The fix is to set the httpd_can_sendmail boolean:

# setsebool -P httpd_can_sendmail on

--- Additional comment from jpazdziora on 2011-05-10 07:29:51 EDT ---

This issue is also present on Satellite 5.4.0.

--- Additional comment from jpazdziora on 2011-05-10 07:32:50 EDT ---

We now set the boolean in spacewalk-selinux-enable: Spacewalk master
87e7077f0a2923763ef5ce9ec5de6e3aa7533467.

--- Additional comment from jpazdziora on 2011-05-10 07:55:48 EDT ---

The same AVCs happen on https://FQDN/help/forgot_password.pxt, with the SELinux
boolean turned off.
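
The triage done by hand in the comment above (read the AVC records, see that every denial is httpd_t searching an mqueue_spool_t directory, conclude that a boolean covers it) can be scripted. This is an added example, not code from the bug report or from Spacewalk; the function names are hypothetical, and the only boolean mapping it knows is the one stated in this report.

```python
import re
from collections import Counter

# Constructed sample: two AVC records from this report, pasted with the
# hard line wraps a bug tracker or mail client typically introduces.
SAMPLE = """\
type=AVC msg=audit(1284602506.003:30904): avc:  denied  { search } for
pid=13762 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
----
type=AVC msg=audit(1290274022.882:21541): avc:  denied  { search } for
pid=3005 comm="sendmail" name="clientmqueue" dev=dm-0 ino=833
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
"""

# Only the mapping stated in this report; extend it from your own policy review.
BOOLEAN_HINTS = {("httpd_t", "mqueue_spool_t"): "httpd_can_sendmail"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(text):
    """Count denials per (source type, target type, class, perms, comm)."""
    flat = " ".join(text.split())  # undo hard wraps before matching
    counts = Counter()
    for rec in re.split(r"(?=type=\w+ msg=audit\()", flat):
        m = AVC_RE.search(rec)
        if m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"],
                   tuple(m["perms"].split()), m["comm"])
            counts[key] += 1
    return counts

def boolean_hints(counts):
    """Booleans worth reviewing before writing a custom allow rule."""
    return sorted({BOOLEAN_HINTS[(s, t)] for s, t, *_ in counts
                   if (s, t) in BOOLEAN_HINTS})

if __name__ == "__main__":
    denials = summarize(SAMPLE)
    print(dict(denials), boolean_hints(denials))
```

Grouping on the SELinux type rather than the full context is what collapses the system_u and unconfined_u records into one finding: the user field differs between the original report and the reproducer, but the denied access is the same.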

Comment 2 Jan Pazdziora (Red Hat) 2011-05-10 13:52:56 UTC
Cherry picked to SATELLITE-5.4, 883cc09730bad3fdd4f9fefc297e0a79ce5133a4.

Comment 3 Jan Pazdziora (Red Hat) 2011-05-10 14:00:04 UTC
Tagged and built as spacewalk-selinux-1.2.1-4.

Comment 5 Šimon Lukašík 2011-05-16 07:38:39 UTC
Changing to Verified:

Testing procedure:
 - provoke traceback mail from package_push.py
 - solicit for mail resetting password
 - e-mails sent, no AVC denial

Verified against:
spacewalk-selinux-1.2.1-5.el6sat
Satellite-5.4.1-RHEL6-re20110511.0

Comment 6 Milan Zázrivec 2011-06-08 14:55:39 UTC
Verified in stage w/ spacewalk-selinux-1.2.1-5 -> release pending.

Comment 7 Clifford Perry 2011-06-17 02:42:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

https://rhn.redhat.com/errata/RHEA-2011-0875.html