744311 – Is it intentional gpg_t is not allowed to read mail_spool_t

Bug 744311 - Is it intentional gpg_t is not allowed to read mail_spool_t

Summary: Is it intentional gpg_t is not allowed to read mail_spool_t

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	16
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-10-07 20:02 UTC by Göran Uddeborg
Modified:	2011-10-19 04:32 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-3.10.0-40.fc16
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-10-19 04:32:34 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Göran Uddeborg 2011-10-07 20:02:33 UTC

Description of problem:
Setroubleshoot sent me a report that a process in the gpg_t domain had tried to read a file with the mail_spool_t type and been denied.  This happens for a user_u user.  (I have __default__ mapped to user_u, and a few selected users mapped to unconfined_u in my /etc/selinux/targeted/seusers)

Most likely, the user had logged in and read his mail using mutt, and mutt had tried to verify a signature in one of the mails.  This seems like something that would make sense to allow.  Is it intentional it is prohibited, or is it a bug that should be fixed?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-38.fc16.noarch

Comment 1 Göran Uddeborg 2011-10-09 13:55:11 UTC

I forgot, I should of course have included the actual AVC:

type=AVC msg=audit(1317979307.260:618): avc:  denied  { read } for  pid=10206 comm="gpg" path="/var/spool/mail/david" dev=dm-0 ino=5193737 scontext=user_u:user_r:gpg_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1317979307.260:618): arch=x86_64 syscall=execve success=yes exit=0 a0=a47170 a1=a47ae0 a2=a45200 a3=7fff0c5f1210 items=0 ppid=10164 pid=10206 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=pts2 ses=85 comm=gpg exe=/usr/bin/gpg2 subj=user_u:user_r:gpg_t:s0 key=(null)

Comment 2 Miroslav Grepl 2011-10-10 12:09:54 UTC

Fixed in selinux-policy-targeted-3.10.0-39.fc16

Comment 3 Fedora Update System 2011-10-14 16:19:16 UTC

selinux-policy-3.10.0-40.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-40.fc16

Comment 4 Fedora Update System 2011-10-15 14:32:55 UTC

Package selinux-policy-3.10.0-40.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-40.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14363
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-10-19 04:32:34 UTC

selinux-policy-3.10.0-40.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.