Bug 768097 - SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /rhnsat (oracle_dir_t)
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 541
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Jan Pazdziora
QA Contact: Lukas Pramuk
Keywords: Patch
Blocks: sat541-triage
 
Reported: 2011-12-15 13:30 EST by Marcelo Moreira de Mello
Modified: 2012-11-01 05:25 EDT (History)
CC List: 8 users

Fixed In Version: oracle-rhnsat-selinux-10.2.0.20-4-sat
Doc Type: Bug Fix
Last Closed: 2012-11-01 05:25:44 EDT
Attachments:
Replaces files_type(oracle_dir_t) with files_mountpoint(oracle_dir_t) (356 bytes, patch)
2012-08-16 05:03 EDT, Mark Huth
Comment 8 Jan Pazdziora 2012-02-24 08:31:58 EST
Are you able to also get the AVC denial when you use the https://the-satellite.fqdn/help/forgot_password.pxt and the Email Address / Send Login part of that page? Or is the email delivered without issues in this case?
Comment 9 Jan Pazdziora 2012-02-27 06:09:28 EST
Also, are you able to get the AVC denial when you use https://FQDN/rhn/users/UserDetails.do?uid=26x ?

Note the x in that parameter which should cause the thing to send traceback email. Does the traceback email get sent fine or are any AVC denials logged?
Comment 21 Mark Huth 2012-08-16 02:52:59 EDT
This is git/satellite/selinux/oracle-rhnsat-selinux/oracle-rhnsat.te:

policy_module(oracle-rhnsat,@@VERSION@@)

require {
    type initrc_t;
    type oracle_db_t;
    type oracle_db_log_t;
    type oracle_sqlplus_t;
    type initrc_tmp_t;
    type oracle_tnslsnr_t;
    type oracle_tnslsnr_log_t;
    type oracle_lsnrctl_t;
};

# Type for common, read-only directories
type oracle_dir_t;
files_type(oracle_dir_t);

I'm wondering if we need an extra line in there for /rhnsat (oracle_dir_t) as a filesystem mountpoint:

files_mountpoint(oracle_dir_t);

dist-git/selinux-policy/serefpolicy-2.4.6/policy/modules/kernel/files.if
########################################
## <summary>
##  Make the specified type usable for
##  filesystem mount points.
## </summary>
## <param name="type">
##  <summary>
##  Type to be used for mount points.
##  </summary>
## </param>
#
interface(`files_mountpoint',`
    gen_require(`
        attribute mountpoint;
    ')

    files_type($1)
    typeattribute $1 mountpoint;
')

postfix already has the ability to search mountpoints:

[mhuth@mhuth-laptop services]$ grep mountpoint postfix.*
postfix.if:	fs_search_auto_mountpoints(postfix_$1_t)
postfix.if:	files_search_all_mountpoints(postfix_$1_t)

dist-git/selinux-policy/serefpolicy-2.4.6/policy/modules/kernel/files.if
########################################
## <summary>
##  Search all mount points.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`files_search_all_mountpoints',`
    gen_require(`
        attribute mountpoint;
    ')

    allow $1 mountpoint:dir search_dir_perms;
')

So by making oracle_dir_t an SELinux mountpoint type, postfix should be able to search it (do a stat on it) without generating the getattr denial.
Comment 22 Mark Huth 2012-08-16 05:03:12 EDT
Created attachment 604831 [details]
Replaces files_type(oracle_dir_t) with files_mountpoint(oracle_dir_t)

The customer confirmed the following SELinux policy fixed the problem for them:

policy_module(oracle-rhnsat-mountpoint, 1.0)
require {
    type oracle_dir_t;
}
files_mountpoint(oracle_dir_t);

The patch replaces files_type with files_mountpoint in oracle-rhnsat.te, because according to the SELinux policy, files_mountpoint is a superset of files_type:

From selinux-policy/serefpolicy-3.7.19/policy/modules/kernel/files.if
########################################
## <summary>
##  Make the specified type usable for
##  filesystem mount points.
## </summary>
## <param name="type">
##  <summary>
##  Type to be used for mount points.
##  </summary>
## </param>
#
interface(`files_mountpoint',`
    gen_require(`
        attribute mountpoint;
    ')

    files_type($1)
    typeattribute $1 mountpoint;
')
Comment 23 Mark Huth 2012-08-16 21:48:06 EDT
Created a scratch build of oracle-rhnsat-selinux for the customer to test the patch:
https://brewweb.devel.redhat.com/taskinfo?taskID=4770606
Comment 24 Marcelo Moreira de Mello 2012-08-20 09:05:17 EDT
Hello Mark,

Please let us know if the test package addressed the customer's issue.

Thank you.
Comment 27 Mark Huth 2012-09-02 20:27:25 EDT
Customer has confirmed they are no longer encountering the SELinux denial, either creating users or in their overnight reports.

<customer>
I can confirm that the overnight reports have not raised an SELinux alert.  I didn't think they would either, but thought it best to verify to you guys.

Thanks for all your help - this ticket's been quite a long one!

Could you let me know if & when this fix is agreed to be part of Satellite 5.5 please?
</customer>
Comment 32 Jan Pazdziora 2012-09-12 08:30:53 EDT
The secret to the reproducer is in comment 20.

Namely, the machine needs to have both /rhnsat and /var as mountpoints. That fsspace() call is done as

   fsspace(".", &fsbuf)

-- that is why the whole /proc/mounts is parsed. I believe the /rhnsat needs to be in /proc/mounts before /var but I did not check this.
Comment 33 Jan Pazdziora 2012-09-12 08:35:14 EDT
A mere

# echo Test | mail root

will trigger the AVC denial in such a case.
Comment 34 Jan Pazdziora 2012-09-12 08:37:47 EDT
(In reply to comment #32)
> The secret to reproducer is in comment 20.
> 
> Namely, the machine needs to have both /rhnsat and /var as mountpoints. That
> fsspace() call is done as
> 
>    fsspace(".", &fsbuf)

... while the cwd of smtpd is something under /var.
Comment 35 Jan Pazdziora 2012-09-12 09:55:53 EDT
Public summary:

Every day around 23:00, Satellite generates AVC denial

type=AVC msg=audit(1321484405.181:5911): avc:  denied  { getattr } for  pid=11360 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir
Comment 36 Jan Pazdziora 2012-09-12 10:07:04 EDT
I've opted for dontaudit, per similar fix for bug 245268.

Fixed in Spacewalk master, 01a3088cb86c2e607ec47ca446e075c1e7e1701f.
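Added example, not part of the bug report and not the Spacewalk commit referenced above: a small POSIX shell script that pulls the source type, target type, object class and permission out of the AVC line quoted in comment 35 and prints the narrowest dontaudit module that would silence it, which is the shape of fix comment 36 chose (the same thing audit2allow -D produces, but with no audit tools required). The module name and the exact rule are assumptions; the real commit is not on this page. Restricting the rule to one source type, one target type, one object class and one permission keeps the dontaudit from also hiding unrelated denials, which is the check to make before loading any rule generated this way.

```shell
#!/bin/sh
# Added example (not from the bug report): parse one AVC denial line and emit
# the narrowest dontaudit policy module for it. The resulting rule is an
# assumption about the fix in comment 36, not the contents of the real commit.

# Constructed input: the denial quoted in comment 35 of this bug.
AVC_LINE='type=AVC msg=audit(1321484405.181:5911): avc:  denied  { getattr } for  pid=11360 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the KEY=value pair in LINE, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission set inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# type_of CONTEXT -> the type field of a user:role:type:level context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# dontaudit_rule LINE -> one TE rule limited to exactly the denied source type,
# target type, object class and permission set.
dontaudit_rule() {
    line=$1
    src=$(type_of "$(avc_field "$line" scontext)")
    tgt=$(type_of "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    printf 'dontaudit %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perm"
}

# module_for LINE -> a complete policy module (hypothetical name) wrapping the
# rule, with the require block the two types need.
module_for() {
    line=$1
    src=$(type_of "$(avc_field "$line" scontext)")
    tgt=$(type_of "$(avc_field "$line" tcontext)")
    printf 'policy_module(local_%s_%s, 1.0)\n' "$src" "$tgt"
    printf 'require {\n    type %s;\n    type %s;\n}\n' "$src" "$tgt"
    dontaudit_rule "$line"
}

module_for "$AVC_LINE"
```

Redirect the output to a .te file, build it with the reference policy Makefile (make -f /usr/share/selinux/devel/Makefile) and load it with semodule -i. Compare the generated rule with the files_mountpoint approach in comment 21: that one grants postfix real search access to oracle_dir_t, while the dontaudit only stops the denial from being logged; the page's contributors chose the second because smtpd does not actually need to read anything under /rhnsat.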
Comment 44 errata-xmlrpc 2012-11-01 05:25:44 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1421.html
