Bug 785759 - SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the None /var/spool/mail/nieks.
Summary: SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the None /...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:fa24a178958d77924d7e5acd35a...
: 758529 788261 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-30 14:57 UTC by Niclas Ekstedt
Modified: 2012-04-05 07:54 UTC (History)
12 users (show)

Fixed In Version: selinux-policy-3.10.0-80.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-24 00:39:09 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Niclas Ekstedt 2012-01-30 14:57:05 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.2-1.fc16.x86_64
reason:         SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the None /var/spool/mail/nieks.
time:           Mon 30 Jan 2012 03:56:25 PM CET

description:
:SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the None /var/spool/mail/nieks.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that procmail should be allowed getattr access on the nieks <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep procmail /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:procmail_t:s0
:Target Context                system_u:object_r:quota_db_t:s0
:Target Objects                /var/spool/mail/nieks [ None ]
:Source                        procmail
:Source Path                   /usr/bin/procmail
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    <Unknown>
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.2-1.fc16.x86_64 #1
:                              SMP Thu Jan 26 03:21:58 UTC 2012 x86_64 x86_64
:Alert Count                   5
:First Seen                    Mon 30 Jan 2012 03:28:08 PM CET
:Last Seen                     Mon 30 Jan 2012 03:28:10 PM CET
:Local ID                      0aae3bba-4acd-4870-b930-cfe862fc5a7a
:
:Raw Audit Messages
:type=AVC msg=audit(1327933690.369:1547): avc:  denied  { getattr } for  pid=16340 comm="procmail" path="/var/spool/mail/nieks" dev=dm-2 ino=13894602 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:quota_db_t:s0 tclass=filenode=(removed) type=SYSCALL msg=audit(1327933690.369:1547): arch=c000003e syscall=6 success=no exit=-13 a0=24883e0 a1=7fff50151fc0 a2=7fff50151fc0 a3=2e items=0 ppid=16224 pid=16340 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=12 fsgid=1000 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
:
:
:Hash: procmail,procmail_t,quota_db_t,None,getattr
:
:audit2allow
:
:
:audit2allow -R
:
:

Comment 1 Daniel Walsh 2012-01-30 19:11:47 UTC
This looks like /var/spool/mail/nieks is mislabeled, why is it labeled quota_db_t?

Comment 2 Miroslav Grepl 2012-01-31 11:04:24 UTC
$ runcon -u system_u -r system_r -t initrc_t -- runcon -t quota_t -- touch /var/spool/mail/test_bad_label

$ ls -lZ /var/spool/mail/test_bad_label 
-rw-r--r--. root root system_u:object_r:quota_db_t:s0  /var/spool/mail/test_bad_label

optional_policy(`
        mta_spool_filetrans(quota_t, quota_db_t, file)
        mta_spool_filetrans(quota_t, quota_db_t, file)
        mta_spool_filetrans_queue(quota_t, quota_db_t,file)
')

I guess it relates with user quota on /var/spool/mail directory.

Niclas,
did you setup it?

Comment 3 Amit Shah 2012-02-03 06:56:16 UTC
I didn't do anything special in /var/spool.  I get this on a fresh F16 install.  Interestingly, root's labels are correct.

$ ls -lZ /var/spool/mail/
-rw-rw----. amit mail system_u:object_r:quota_db_t:s0  amit
-rw-------. root root system_u:object_r:mail_spool_t:s0 root
-rw-rw----. rpc  mail system_u:object_r:mail_spool_t:s0 rpc

Comment 4 Miroslav Grepl 2012-02-03 08:10:08 UTC
Strange. You can fix it using

# restorecon -R -v /var/spool/mail/amit

Comment 5 Miroslav Grepl 2012-02-09 08:39:43 UTC
*** Bug 788261 has been marked as a duplicate of this bug. ***

Comment 6 Jan Pazdziora 2012-02-21 09:10:16 UTC
Is bug 758529 a dupe as well?

Comment 7 Jan Pazdziora 2012-02-21 09:13:37 UTC
On my Fedora 16 with

selinux-policy-targeted-3.10.0-75.fc16.noarch
selinux-policy-3.10.0-75.fc16.noarch

I see output

# sesearch --all -C | grep quota_db_t | grep mail_spool_t
ERROR: Cannot get avrules: Neverallow rules requested but not available
   type_transition fsadm_t mail_spool_t : file quota_db_t; 
   type_transition mono_t mail_spool_t : file quota_db_t; 
   type_transition nova_vncproxy_t mail_spool_t : file quota_db_t; 
   type_transition devicekit_disk_t mail_spool_t : file quota_db_t; 
   type_transition depmod_t mail_spool_t : file quota_db_t; 
   type_transition crond_t mail_spool_t : file quota_db_t; 
   type_transition nagios_unconfined_plugin_t mail_spool_t : file quota_db_t; 
   type_transition wine_t mail_spool_t : file quota_db_t; 
   type_transition anaconda_t mail_spool_t : file quota_db_t; 
   type_transition httpd_unconfined_script_t mail_spool_t : file quota_db_t; 
   type_transition udev_t mail_spool_t : file quota_db_t; 
   type_transition bootloader_t mail_spool_t : file quota_db_t; 
   type_transition unconfined_cronjob_t mail_spool_t : file quota_db_t; 
   type_transition puppet_t mail_spool_t : file quota_db_t; 
   type_transition unconfined_execmem_t mail_spool_t : file quota_db_t; 
   type_transition rgmanager_t mail_spool_t : file quota_db_t; 
   type_transition devicekit_t mail_spool_t : file quota_db_t; 
   type_transition nova_direct_t mail_spool_t : file quota_db_t; 
   type_transition nova_api_t mail_spool_t : file quota_db_t; 
   type_transition ada_t mail_spool_t : file quota_db_t; 
   type_transition rpm_t mail_spool_t : file quota_db_t; 
   type_transition unconfined_java_t mail_spool_t : file quota_db_t; 
   type_transition nova_network_t mail_spool_t : file quota_db_t; 
   type_transition unconfined_mono_t mail_spool_t : file quota_db_t; 
   type_transition samba_unconfined_script_t mail_spool_t : file quota_db_t; 
   type_transition nova_objectstore_t mail_spool_t : file quota_db_t; 
   type_transition abrt_handle_event_t mail_spool_t : file quota_db_t; 
   type_transition system_cronjob_t mail_spool_t : file quota_db_t; 
   type_transition samba_unconfined_net_t mail_spool_t : file quota_db_t; 
   type_transition setfiles_mac_t mail_spool_t : file quota_db_t; 
   type_transition insmod_t mail_spool_t : file quota_db_t; 
   type_transition nova_scheduler_t mail_spool_t : file quota_db_t; 
   type_transition rpm_script_t mail_spool_t : file quota_db_t; 
   type_transition inetd_child_t mail_spool_t : file quota_db_t; 
   type_transition unconfined_dbusd_t mail_spool_t : file quota_db_t; 
   type_transition nova_volume_t mail_spool_t : file quota_db_t; 
   type_transition kernel_t mail_spool_t : file quota_db_t; 
   type_transition initrc_t mail_spool_t : file quota_db_t; 
   type_transition lvm_t mail_spool_t : file quota_db_t; 
   type_transition virtd_t mail_spool_t : file quota_db_t; 
   type_transition devicekit_power_t mail_spool_t : file quota_db_t; 
   type_transition prelink_t mail_spool_t : file quota_db_t; 
   type_transition sosreport_t mail_spool_t : file quota_db_t; 
   type_transition nova_ajax_t mail_spool_t : file quota_db_t; 
   type_transition unconfined_t mail_spool_t : file quota_db_t; 
   type_transition dirsrvadmin_unconfined_script_t mail_spool_t : file quota_db_t; 
   type_transition mdadm_t mail_spool_t : file quota_db_t; 
   type_transition firstboot_t mail_spool_t : file quota_db_t; 
   type_transition livecd_t mail_spool_t : file quota_db_t; 
   type_transition inetd_t mail_spool_t : file quota_db_t; 
   type_transition xserver_t mail_spool_t : file quota_db_t; 
   type_transition quota_t mail_spool_t : file quota_db_t; 
   type_transition clvmd_t mail_spool_t : file quota_db_t; 
   type_transition init_t mail_spool_t : file quota_db_t; 

So it looks like virtually anything which writes to /var/spool/mail would create file as quota_db_t. Is that correct?

Comment 8 Jan Pazdziora 2012-02-21 09:29:30 UTC
I picked unconfined_mono_t:

# runcon -u system_u -r system_r -t unconfined_mono_t -- touch /var/spool/mail/test_unconfined_mono_t
# ls -ldZ /var/spool/mail /var/spool/mail/test_unconfined_mono_t 
drwxrwxr-x. root mail system_u:object_r:mail_spool_t:s0 /var/spool/mail
-rw-r--r--. root root system_u:object_r:quota_db_t:s0  /var/spool/mail/test_unconfined_mono_t
# 

When I took selinux-policy-3.10.0-75.fc16.src.rpm and run rpmbuild -bp on it, grep shows only two occurrences of unconfined_mono_t:

./policy/modules/roles/unconfineduser.te:	unconfined_domain_noaudit(unconfined_mono_t)
./policy/modules/roles/unconfineduser.te:	role system_r types unconfined_mono_t;

Yet, these two occurrences are enough to cause the system_u:system_r:unconfined_mono_t:s0-s0:c0.c1023 process to create quota_db_t file in /var/spool/mail.

Comment 9 Miroslav Grepl 2012-02-21 10:14:20 UTC
You GOT it. Nice catch.

commit bb3f364a9b3120f65540120784d535e5ef0e77bf
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 21 12:12:04 2012 +0000

    Fix mta_spool_filetrans() interface

Comment 10 Daniel Walsh 2012-02-21 13:49:31 UTC
Nice job Miroslav and Jan.  That is strange that the interface would generate quotadb_t...

Comment 11 Fedora Update System 2012-02-29 09:34:00 UTC
selinux-policy-3.10.0-78.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-78.fc16

Comment 12 Fedora Update System 2012-03-01 09:25:06 UTC
Package selinux-policy-3.10.0-78.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-78.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-78.fc16
then log in and leave karma (feedback).

Comment 13 Miroslav Grepl 2012-03-13 08:54:28 UTC
*** Bug 758529 has been marked as a duplicate of this bug. ***

Comment 14 Fedora Update System 2012-03-21 02:26:56 UTC
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2012-03-24 00:39:09 UTC
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Stef Walter 2012-04-05 06:14:02 UTC
I'm still seeing this bug on Fedora 17. I used the kerberos krb5-send-pr program to send a bug report to the MIT kerberos project. Bug report output:


SELinux is preventing /usr/bin/procmail from 'getattr' accesses on the file /var/spool/mail/stef.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/var/spool/mail/stef default label should be mail_spool_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/spool/mail/stef

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that procmail should be allowed getattr access on the stef file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep procmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:quota_db_t:s0
Target Objects                /var/spool/mail/stef [ file ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           procmail-3.22-29.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-106.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux stef-desktop.thewalter.lan
                              3.3.0-8.fc17.x86_64 #1 SMP Thu Mar 29 18:18:26 UTC
                              2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-04-05T08:11:11 CEST
Last Seen                     2012-04-05T08:11:11 CEST
Local ID                      a052bd95-7e4b-48fb-87d2-02d39b543014

Raw Audit Messages
type=AVC msg=audit(1333606271.120:329): avc:  denied  { getattr } for  pid=3723 comm="procmail" path="/var/spool/mail/stef" dev="sda1" ino=62189 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:quota_db_t:s0 tclass=file


type=SYSCALL msg=audit(1333606271.120:329): arch=x86_64 syscall=lstat success=no exit=EACCES a0=1462430 a1=7fff17c2aa10 a2=7fff17c2aa10 a3=2e items=0 ppid=3712 pid=3723 auid=4294967295 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=12 fsgid=100 tty=(none) ses=4294967295 comm=procmail exe=/usr/bin/procmail subj=system_u:system_r:procmail_t:s0 key=(null)

Hash: procmail,procmail_t,quota_db_t,file,getattr

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Comment 17 Miroslav Grepl 2012-04-05 07:36:59 UTC
Stef,
I think you need to fix labeling and then it should be ok. 

$ restorecon -v /var/spool/mail/stef

and if you get it again, reopen the bug. Thanks.

Comment 18 Stef Walter 2012-04-05 07:54:07 UTC
Yes, that did the trick. Thanks.


Note You need to log in before you can comment on or make changes to this bug.