Description of problem:

I am not sure whether this is a bug or not. The test case for bug 442028 produces the following AVCs:

    ----
    time->Thu Aug 11 10:17:34 2011
    type=SYSCALL msg=audit(1313072254.344:233414): arch=80000016 syscall=11 per=400000 success=no exit=-13 a0=3fffff7c5f3 a1=8001eb60 a2=8001ec80 a3=200002514c0 items=0 ppid=11957 pid=11958 auid=4294967295 uid=502 gid=503 euid=502 suid=502 fsuid=502 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
    type=AVC msg=audit(1313072254.344:233414): avc: denied { execute } for pid=11958 comm="procmail" name="hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
    ----
    time->Thu Aug 11 10:17:34 2011
    type=SYSCALL msg=audit(1313072254.344:233415): arch=80000016 syscall=106 per=400000 success=no exit=-13 a0=80103790 a1=3fffff76550 a2=3fffff76550 a3=200001d69b0 items=0 ppid=11957 pid=11958 auid=4294967295 uid=502 gid=503 euid=502 suid=502 fsuid=502 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:procmail_t:s0 key=(null)
    type=AVC msg=audit(1313072254.344:233415): avc: denied { getattr } for pid=11958 comm="sh" path="/bin/hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
    ----
    time->Thu Aug 11 10:17:36 2011
    type=SYSCALL msg=audit(1313072256.164:233422): arch=80000016 syscall=11 per=400000 success=no exit=-13 a0=8001d2fa a1=8001eb60 a2=8001ec80 a3=200002514c0 items=0 ppid=11993 pid=11994 auid=4294967295 uid=501 gid=502 euid=501 suid=501 fsuid=501 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
    type=AVC msg=audit(1313072256.164:233422): avc: denied { execute } for pid=11994 comm="procmail" name="hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
    ----
    time->Thu Aug 11 10:17:36 2011
    type=SYSCALL msg=audit(1313072256.164:233423): arch=80000016 syscall=5 per=400000 success=no exit=-13 a0=801036f0 a1=0 a2=3fffff95e46 a3=0 items=0 ppid=11993 pid=11994 auid=4294967295 uid=501 gid=502 euid=501 suid=501 fsuid=501 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:procmail_t:s0 key=(null)
    type=AVC msg=audit(1313072256.164:233423): avc: denied { read } for pid=11994 comm="sh" name="hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

This is because of a procmail recipe which instructs procmail to execute the hostname command:

    # cat /home/she10779/.procmailrc
    PATH=$HOME/bin:/bin:/usr/bin:/usr/local/bin
    MAILDIR=$HOME/mail
    LOGFILE=$HOME/mail/procmail.log
    HOST_NAME=`hostname`

    :0:
    * ^From:.*he6691@.*$
    my-love

I know that this can be avoided by using $HOSTNAME instead of `hostname`. The strange thing is that this happened on the s390x platform only; the test passed on other platforms. I am not sure whether there is any risk in allowing procmail to execute the hostname command.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6_1.7

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
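The denials in the description above, aggregated by source type, target type and object class, as an added example that is not part of the original report. The helper names (parse_avc, summarize, as_allow_rules) are illustrative, and the printed rule only shows what was denied: the fix proposed in this thread is application_exec_all(procmail_t), not a raw allow rule.

```python
import re
from collections import defaultdict

# The four AVC lines from the report above, plus a separator and one of its
# SYSCALL lines (shortened here) to show that non-AVC input is skipped.
SAMPLE = """\
----
type=SYSCALL msg=audit(1313072254.344:233414): arch=80000016 syscall=11 success=no exit=-13 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1313072254.344:233414): avc: denied { execute } for pid=11958 comm="procmail" name="hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1313072254.344:233415): avc: denied { getattr } for pid=11958 comm="sh" path="/bin/hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1313072256.164:233422): avc: denied { execute } for pid=11994 comm="procmail" name="hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1313072256.164:233423): avc: denied { read } for pid=11994 comm="sh" name="hostname" dev=dm-0 ino=1177374 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def _type(context):
    # A context is user:role:type:level; the level may itself contain colons.
    return context.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (_type(m["scontext"]), _type(m["tcontext"]),
            m["tclass"], m["perms"].split())

def summarize(text):
    """Merge repeated denials into one permission set per (src, tgt, class)."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            merged[rec[:3]].update(rec[3])
    return {key: sorted(perms) for key, perms in merged.items()}

def as_allow_rules(summary):
    # For review only: whether to grant the access is a policy decision.
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE))))
```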
Oh, now I can see the test should load a custom module to allow it. Switching to RHEL Tests component, the test should be reviewed.
Miroslav, let's add application_exec_all(procmail_t)
OK, this is a policy bug, switching back to RHEL6 to QE: RHTS test should be updated to not load the module.
Fixed in selinux-policy-3.7.19-108.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html