Bug 725595 - selinux policy does not allow postfix to access httpd_sys_content_t and etc.
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.6
Hardware / OS: All / Linux
Priority: medium  Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Blocks: 957745
Reported: 2011-07-25 20:54 EDT by Erik M Jacobs
Modified: 2014-09-30 19:33 EDT
Clones: 957745
Doc Type: Bug Fix
Last Closed: 2013-04-29 08:52:11 EDT
Attachments: None
Description Erik M Jacobs 2011-07-25 20:54:27 EDT
Description of problem:
After installing a somewhat "typical" php/web application, it was discovered that SELinux was blocking access for postfix to pipe into php.

Version-Release number of selected component (if applicable):
2.4.6-300.el5_6.1

How reproducible:
100%

Steps to Reproduce:
1. install/configure postfix
2. install something in /var/www/html
3. try to pipe to it
  
Actual results:
SELinux denies the access

Expected results:
SELinux should be (more) easily configurable to allow the access

Additional info:
So I don't really feel that this is a "bug" in selinux-policy exactly.  It may be useful to have some kind of boolean to allow postfix/pipe to access httpd/databases.  I would think that it is "common" to want to process email via postfix and then send it via pipe to some kind of web program.

The following policy was generated by audit2allow.  All of this is required for "my" specific use-case, but I am guessing this is not that uncommon of a use case to begin with.  The specific web application being used is OSTicket, a PHP-based helpdesk.

Would it make more sense to somehow package this as a policy module for OSTicket, if it were packaged as an RPM?  The difficulty there is that someone could be using any MTA with OSTicket, not necessarily postfix.  Seems like making this associated with postfix covers more use cases.

Output:
module postfix 1.0;

require {
	type mysqld_var_run_t;
	type usr_t;
	type httpd_var_run_t;
	type mysqld_t;
	type mysqld_db_t;
	type httpd_sys_content_t;
	type system_mail_t;
	type postfix_pipe_t;
	class sock_file write;
	class unix_stream_socket { read write connectto };
	class dir { write search add_name getattr };
	class file { write getattr ioctl read lock create execute execute_no_trans };
}

#============= postfix_pipe_t ==============
allow postfix_pipe_t httpd_sys_content_t:dir { search getattr };
allow postfix_pipe_t httpd_sys_content_t:file { read execute ioctl execute_no_trans getattr };
allow postfix_pipe_t httpd_var_run_t:dir { write search add_name };
allow postfix_pipe_t httpd_var_run_t:file { write lock create getattr };
allow postfix_pipe_t mysqld_db_t:dir search;
allow postfix_pipe_t mysqld_t:unix_stream_socket connectto;
allow postfix_pipe_t mysqld_var_run_t:sock_file write;
allow postfix_pipe_t usr_t:file { read getattr };

#============= system_mail_t ==============
allow system_mail_t postfix_pipe_t:unix_stream_socket { read write };
Comment 2 Miroslav Grepl 2011-09-29 02:07:46 EDT
I am interested in

allow postfix_pipe_t httpd_sys_content_t:file { read execute ioctl execute_no_trans getattr };

What is executed by postfix pipe? I mean a path to a script?
Comment 3 Erik M Jacobs 2011-09-30 22:09:18 EDT
Here's the example pipe from my master.cf for my use case:

### osticket pipe
osticket unix - n n - - pipe flags=Fq user=apache:apache argv=/var/www/html/helpdesk/api/pipe.php ${sender}

OSTicket is a PHP application for helpdesk-type ticketing.  When emails come in for a particular user, they are piped (via postfix pipe) to this php script so that OSTicket can ingest them.

In this case, that's essentially the crux of the missing SELinux policy -- pipe should be able to access httpd content and execute things like php scripts, for users who wish for it to be able to do so.
Comment 4 Miroslav Grepl 2011-10-03 07:29:39 EDT
I would imagine allowing it using a new boolean which could contain

apache_domtrans_sys_script(postfix_pipe_t)

which would also require the "httpd_enable_cgi" & "httpd_unified" booleans to be enabled.

Could you test it with the following local policy:

# cat mypostfix.te
policy_module(mypostfix, 1.0)

require{
 type postfix_pipe_t;
}

apache_domtrans_sys_script(postfix_pipe_t)

---

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp

and

# setsebool httpd_enable_cgi on
# setsebool httpd_unified on
Comment 5 Erik M Jacobs 2011-10-03 09:24:49 EDT
Do I need to unload the module I compiled based on my initial comment, or is the module you're suggesting in addition to what I've already compiled/installed?
Comment 6 Miroslav Grepl 2011-10-03 09:31:49 EDT
Yes, please, unload your module. I would like to see all AVC msgs.
Comment 7 Miroslav Grepl 2011-11-10 07:42:05 EST
Erik,
any update on this?
Comment 8 Erik M Jacobs 2011-11-10 10:20:58 EST
Been travelling like a madman.  Hopefully the week after next.  I need to take some PTO, too, so we'll see. Sorry!
Comment 9 Erik M Jacobs 2011-11-22 09:46:26 EST
Doesn't look like it worked:

==> /var/log/maillog <==
Nov 22 14:43:42 rails3 postfix/pickup[2223]: AC0B230787: uid=0 from=<root>
Nov 22 14:43:42 rails3 postfix/cleanup[3535]: AC0B230787: message-id=<20111122144342.GA3471@rails3.bar.baz>
Nov 22 14:43:42 rails3 postfix/qmgr[2224]: AC0B230787: from=<root@rails3.bar.baz>, size=397, nrcpt=1 (queue active)
Nov 22 14:43:43 rails3 postfix/smtpd[3542]: connect from rails3.bar.baz[127.0.0.1]
Nov 22 14:43:43 rails3 postfix/smtpd[3542]: 500B2304E3: client=rails3.bar.baz[127.0.0.1]
Nov 22 14:43:43 rails3 postfix/cleanup[3535]: 500B2304E3: message-id=<20111122144342.GA3471@rails3.bar.baz>
Nov 22 14:43:43 rails3 postfix/qmgr[2224]: 500B2304E3: from=<root@rails3.bar.baz>, size=862, nrcpt=1 (queue active)
Nov 22 14:43:43 rails3 postfix/smtpd[3542]: disconnect from rails3.bar.baz[127.0.0.1]
Nov 22 14:43:43 rails3 pipe[3544]: fatal: pipe_command: execvp /var/www/html/helpdesk/api/pipe.php: Permission denied
Nov 22 14:43:43 rails3 amavis[2329]: (02329-01) Passed CLEAN, <root@rails3.bar.baz> -> <"support@bar.baz"@osticket.bar.baz>, Message-ID: <20111122144342.GA3471@rails3.bar.baz>, mail_id: VLHc+62U54rD, Hits: -0.001, queued_as: 500B2304E3, 746 ms
Nov 22 14:43:43 rails3 postfix/lmtp[3537]: AC0B230787: to=<support@bar.baz@osticket.bar.baz>, orig_to=<support@bar.baz>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.92, delays=0.17/0.01/0.01/0.74, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=02329-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 500B2304E3)
Nov 22 14:43:43 rails3 postfix/qmgr[2224]: AC0B230787: removed
Nov 22 14:43:43 rails3 postfix/pipe[3543]: 500B2304E3: to=<support@bar.baz@osticket.bar.baz>, relay=osticket, delay=0.28, delays=0.17/0.01/0/0.1, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /var/www/html/helpdesk/api/pipe.php: Permission denied )

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1321973023.508:101): avc:  denied  { search } for  pid=3544 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1321973023.508:101): arch=40000003 syscall=11 success=no exit=-13 a0=890c548 a1=890bf38 a2=890c5d8 a3=30 items=0 ppid=3543 pid=3544 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe" exe="/usr/libexec/postfix/pipe" subj=system_u:system_r:postfix_pipe_t:s0 key=(null)

root@rails3.bar.baz ~/selinux> semodule -l
aisexec	1.0.0
amavis	1.1.0
ccs	1.0.0
clamav	1.1.0
clogd	1.0.0
dcc	1.1.0
dnsmasq	1.1.1
evolution	1.1.0
ipsec	1.4.0
iscsid	1.0.0
milter	1.0.0
mozilla	1.1.0
mplayer	1.1.0
mypostfix	1.0
nagios	1.1.0
oddjob	1.0.1
pcscd	1.0.0
piranha	1.0.0
postgrey	1.1.0
prelude	1.0.0
pyzor	1.1.0
qemu	1.1.2
razor	1.1.0
rgmanager	1.0.0
rhcs	1.1.0
ricci	1.0.0
rsyslog	1.0
smartmon	1.1.0
spamassassin	1.9.0
sssd	1.0.2
vhostmd	1.0.0
virt	1.2.1
zarafa	1.2
zosremote	1.0.0

root@rails3.bar.baz ~/selinux> getsebool -a | grep httpd
httpd_enable_cgi --> on
httpd_unified --> on

root@rails3.bar.baz ~/selinux> cat mypostfix.te 
policy_module(mypostfix, 1.0)

require{
 type postfix_pipe_t;
 }

 apache_domtrans_sys_script(postfix_pipe_t)
Comment 10 Erik M Jacobs 2011-11-22 09:48:56 EST
root@rails3.bar.baz ~/selinux> yum list installed '*selinux*'
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.us.leaseweb.net
 * extras: mirror.highspeedweb.net
 * updates: ftp.usf.edu
Installed Packages
libselinux.i386 1.33.4-5.7.el5  
libselinux-devel.i386 1.33.4-5.7.el5
libselinux-python.i386 1.33.4-5.7.el5
libselinux-ruby.i386 1.33.4-5.7.el5
libselinux-utils.i386 1.33.4-5.7.el5
selinux-policy.noarch 2.4.6-316.el5
selinux-policy-devel.noarch 2.4.6-316.el5
selinux-policy-targeted.noarch 2.4.6-316.el5
Comment 11 Miroslav Grepl 2011-11-23 03:48:51 EST
Erik,
could you switch to permissive mode to collect all AVC msgs?

# setenforce 0

re-test it and

# ausearch -m avc -ts recent

Thank you.
Comment 12 Erik M Jacobs 2011-12-22 10:29:38 EST
I know, I'm a slowpoke.

root@rails3.bar.baz /var/www/html/helpdesk/api> ausearch -m avc -ts recent
----
time->Thu Dec 22 15:19:35 2011
type=SYSCALL msg=audit(1324567175.526:73): arch=40000003 syscall=11 success=no exit=-13 a0=89ec550 a1=89ebf40 a2=89ec5e0 a3=30 items=0 ppid=2948 pid=2949 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe" exe="/usr/libexec/postfix/pipe" subj=system_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1324567175.526:73): avc:  denied  { search } for  pid=2949 comm="pipe" name="helpdesk" dev=dm-0 ino=426749 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567175.526:73): avc:  denied  { search } for  pid=2949 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
time->Thu Dec 22 15:24:48 2011
type=SYSCALL msg=audit(1324567488.032:80): arch=40000003 syscall=11 success=no exit=-13 a0=85ab550 a1=85aaf40 a2=85ab5e0 a3=30 items=0 ppid=3179 pid=3180 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe" exe="/usr/libexec/postfix/pipe" subj=system_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1324567488.032:80): avc:  denied  { search } for  pid=3180 comm="pipe" name="helpdesk" dev=dm-0 ino=426749 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567488.032:80): avc:  denied  { search } for  pid=3180 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.277:82): arch=40000003 syscall=5 success=yes exit=4 a0=bf94e218 a1=42 a2=180 a3=8ca8a24 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.277:82): avc:  denied  { create } for  pid=3228 comm="pipe.php" name="sess_1ap4pntrt4bdr4r83ssj7le4l0" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1324567645.277:82): avc:  denied  { add_name } for  pid=3228 comm="pipe.php" name="sess_1ap4pntrt4bdr4r83ssj7le4l0" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1324567645.277:82): avc:  denied  { write } for  pid=3228 comm="pipe.php" name="session" dev=dm-0 ino=295350 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1324567645.277:82): avc:  denied  { search } for  pid=3228 comm="pipe.php" name="session" dev=dm-0 ino=295350 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.163:81): arch=40000003 syscall=5 success=no exit=-2 a0=bf9522e8 a1=0 a2=1b6 a3=8b9c038 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.163:81): avc:  denied  { search } for  pid=3228 comm="pipe.php" name="postfix" dev=dm-0 ino=197490 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.278:83): arch=40000003 syscall=143 success=yes exit=0 a0=4 a1=2 a2=0 a3=8ca8a24 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.278:83): avc:  denied  { lock } for  pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.278:84): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf94f1c0 a2=71fff4 a3=3 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.278:84): avc:  denied  { getattr } for  pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
----
time->Thu Dec 22 15:27:25 2011
type=SYSCALL msg=audit(1324567645.303:85): arch=40000003 syscall=181 success=yes exit=33 a0=4 a1=8e1d8e4 a2=21 a3=0 items=0 ppid=3227 pid=3228 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pipe.php" exe="/usr/bin/php" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1324567645.303:85): avc:  denied  { write } for  pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
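An added example, not code from the bug or from Red Hat's tooling: a small Python summarizer that groups AVC denial lines by (source type, target type, object class) and unions the permissions, which is the same grouping audit2allow uses to emit allow rules. Run over a handful of the denials quoted in the comments above (embedded below as constructed sample input), it shows at a glance that after loading mypostfix.pp the remaining denials are the postfix_pipe_t search on httpd_sys_content_t directories plus the httpd_sys_script_t session-file writes in httpd_var_run_t.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the ausearch output in this bug.
SAMPLE_AVC = """\
type=AVC msg=audit(1324567175.526:73): avc:  denied  { search } for  pid=2949 comm="pipe" name="helpdesk" dev=dm-0 ino=426749 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567175.526:73): avc:  denied  { search } for  pid=2949 comm="pipe" name="www" dev=dm-0 ino=197955 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1324567645.277:82): avc:  denied  { create } for  pid=3228 comm="pipe.php" name="sess_1ap4pntrt4bdr4r83ssj7le4l0" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1324567645.277:82): avc:  denied  { write } for  pid=3228 comm="pipe.php" name="session" dev=dm-0 ino=295350 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1324567645.303:85): avc:  denied  { write } for  pid=3228 comm="pipe.php" path="/var/lib/php/session/sess_1ap4pntrt4bdr4r83ssj7le4l0" dev=dm-0 ino=297576 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
"""

# Pull the permission set, the two security contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no avc: denied
        stype = m.group('scon').split(':')[2]   # user:role:TYPE:level -> TYPE
        ttype = m.group('tcon').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())


def summarize(text):
    """Group denials by (source type, target type, class); union the permissions."""
    table = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        table[(stype, ttype, tclass)] |= perms
    return dict(table)


def as_allow_rules(summary):
    """Render each group as the allow rule audit2allow would print, in sorted order."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        p = ' '.join(sorted(perms))
        body = p if len(perms) == 1 else '{ ' + p + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules


if __name__ == '__main__':
    for rule in as_allow_rules(summarize(SAMPLE_AVC)):
        print(rule)
```

The rendered rules are a review aid for deciding which interface or boolean covers a group, not something to load as-is; the maintainer's preference above for apache_domtrans_sys_script() over raw allow rules is the point.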
Comment 14 Erik M Jacobs 2012-03-31 12:52:17 EDT
Please let me know if there is any additional information I can provide to speed this along.
Comment 15 RHEL Product and Program Management 2012-04-02 07:20:10 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 21 Erik M Jacobs 2012-12-18 10:02:55 EST
Hi,

It's been a really long time.  Will this make it into RHEL5 or is this going to only be in RHEL6?
Comment 24 RHEL Product and Program Management 2013-04-04 08:31:11 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 25 Miroslav Grepl 2013-04-29 08:52:11 EDT
We are going to fix it in RHEL6+.
