821503 – logwatch should be able to send mail using courier

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 821503 - logwatch should be able to send mail using courier

Summary: logwatch should be able to send mail using courier

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-05-14 17:37 UTC by Gordon Messmer
Modified:	2015-02-25 10:41 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.7.19-255.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-25 10:41:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
output of ps -efZ \|grep initrc (5.49 KB, text/plain) 2012-09-26 09:40 UTC, Michal Trunecka	no flags	Details
View All

Description Gordon Messmer 2012-05-14 17:37:49 UTC

Description of problem:

# restorecon -v /usr/lib/courier/bin/sendmail
restorecon reset /usr/lib/courier/bin/sendmail context system_u:object_r:bin_t:s0->system_u:object_r:sendmail_exec_t:s0

/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/courier/bin/sendmail	--	system_u:object_r:sendmail_exec_t:s0

The sendmail SELinux policy is tailored to confine Sendmail, and imposes restrictions inappropriate for other applications.  Please remove the file rule that labels Courier's sendmail binary under the sendmail_exec_t context.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.10.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install Courier on RHEL 6
2. Check context of /usr/lib/courier/bin/sendmail

Comment 2 Daniel Walsh 2012-05-14 19:39:17 UTC

sendmail policy is actually written to confine any console mail app that is used to send mail.  If you have specific access that is being blocked by sendmail policy for courier, please add those AVC's and we will figure out how to allow them by extending the labeling of the sendmail policy or adding allow rules if appropriate.

Comment 3 Gordon Messmer 2012-05-15 03:09:22 UTC

This problem may actually be that logwatch_t isn't transitioning to sendmail_t.  I put the system in permissive mode and got the following:

type=AVC msg=audit(1337050926.686:947673): avc:  denied  { getattr } for  pid=28522 comm="sendmail" path="pipe:[10936300]" dev=pipefs ino=10936300 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1337050926.686:947674): avc:  denied  { getattr } for  pid=28522 comm="sendmail" path="pipe:[10936301]" dev=pipefs ino=10936301 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1337050926.686:947675): avc:  denied  { write } for  pid=28522 comm="sendmail" path="pipe:[10936300]" dev=pipefs ino=10936300 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1337050926.686:947676): avc:  denied  { read } for  pid=28522 comm="sendmail" path="pipe:[10936301]" dev=pipefs ino=10936301 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1337050931.925:947677): avc:  denied  { write } for  pid=28529 comm="submit" name="133705" dev=dm-3 ino=132771 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir
type=AVC msg=audit(1337050931.925:947677): avc:  denied  { add_name } for  pid=28529 comm="submit" name="1337050931.28529.mailfilter.rpr.com" scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir
type=AVC msg=audit(1337050931.925:947677): avc:  denied  { create } for  pid=28529 comm="submit" name="1337050931.28529.mailfilter.rpr.com" scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1337050931.925:947677): avc:  denied  { append open } for  pid=28529 comm="submit" name="1337050931.28529.mailfilter.rpr.com" dev=dm-3 ino=130751 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1337050931.926:947678): avc:  denied  { getattr } for  pid=28529 comm="submit" path="/var/spool/courier/tmp/133705/1337050931.28529.mailfilter.rpr.com" dev=dm-3 ino=130751 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1337050931.926:947679): avc:  denied  { read write } for  pid=28529 comm="submit" name="D130751" dev=dm-3 ino=132607 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1337050931.972:947680): avc:  denied  { remove_name } for  pid=28529 comm="submit" name="1337050931.28529.mailfilter.rpr.com" dev=dm-3 ino=130751 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=dir
type=AVC msg=audit(1337050931.972:947680): avc:  denied  { rename } for  pid=28529 comm="submit" name="1337050931.28529.mailfilter.rpr.com" dev=dm-3 ino=130751 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1337050931.972:947681): avc:  denied  { write } for  pid=28529 comm="submit" name="trigger" dev=dm-3 ino=131841 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1337050931.972:947681): avc:  denied  { open } for  pid=28529 comm="submit" name="trigger" dev=dm-3 ino=131841 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=fifo_file

Comment 6 RHEL Program Management 2012-07-10 08:19:34 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 7 RHEL Program Management 2012-07-11 01:56:09 UTC

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 8 Gordon Messmer 2012-09-06 21:46:36 UTC

Thanks for addressing this problem.  Is the updated package available for testing, or will this change be available only in the 6.4 update?  What changes were made to correct the problem?

Comment 9 Milos Malik 2012-09-07 11:19:06 UTC

Latest selinux-policy packages for RHEL-6 are usually available at http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/. Unfortunately, packages which contain fix for this bug are not yet built.

Comment 11 Milos Malik 2012-09-07 14:48:04 UTC

Hi Gordon,

updated packages are available at http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/. You can give it a try. If you encounter other AVCs related to this scenario please report them here.

Comment 12 Gordon Messmer 2012-09-10 23:53:47 UTC

# rpm -Uvh selinux-policy-*
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
semodule:  Failed on #pkcsslotd.pp.bz2!

I'm not sure if that's a concern.  I'll follow up if there are continued AVCs.  Thanks, Milos.

Comment 13 Gordon Messmer 2012-09-11 00:06:32 UTC

Actually, yes.  This remains a problem, and the problem seems to be the one I originally suggested.  The sendmail security policy does not describe the behavior of Courier's sendmail, so it's not appropriate to label Courier's sendmail with that type.

Courier's sendmail calls Courier's submit, which writes to Courier's spool.  None of this appears to be described as appropriate behavior for sendmail_exec_t.  The service only works correctly if I "chcon system_u:object_r:bin_t:s0 /usr/lib/courier/bin/sendmail"

Please remove this rule from /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib/courier/bin/sendmail	--	system_u:object_r:sendmail_exec_t:s0

Otherwise, the policy does not work:

type=AVC msg=audit(1347321260.420:230630): avc:  denied  { write } for  pid=31555 comm="submit" name="socket" dev=dm-3 ino=2327 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1347321260.420:230630): avc:  denied  { connectto } for  pid=31555 comm="submit" path="/var/spool/authdaemon/socket" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1347321260.420:230630): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff66a3f1d0 a2=6e a3=0 items=0 ppid=31554 pid=31555 auid=0 uid=5002 gid=2 euid=5002 suid=5002 fsuid=5002 egid=2 sgid=2 fsgid=2 tty=(none) ses=46 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1347321260.426:230631): avc:  denied  { write } for  pid=31555 comm="submit" name="134732" dev=dm-3 ino=1803278 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=dir
type=AVC msg=audit(1347321260.426:230631): avc:  denied  { add_name } for  pid=31555 comm="submit" name="1347321260.31555.mail.troutpocket.org" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=dir
type=AVC msg=audit(1347321260.426:230631): avc:  denied  { create } for  pid=31555 comm="submit" name="1347321260.31555.mail.troutpocket.org" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=file
type=AVC msg=audit(1347321260.426:230631): avc:  denied  { append open } for  pid=31555 comm="submit" name="1347321260.31555.mail.troutpocket.org" dev=dm-3 ino=1803639 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1347321260.426:230631): arch=c000003e syscall=2 success=yes exit=5 a0=21634e8 a1=6c1 a2=1b0 a3=28 items=0 ppid=31554 pid=31555 auid=0 uid=5002 gid=2 euid=5002 suid=5002 fsuid=5002 egid=2 sgid=2 fsgid=2 tty=(none) ses=46 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1347321260.427:230632): avc:  denied  { getattr } for  pid=31555 comm="submit" path="/var/spool/courier/tmp/134732/1347321260.31555.mail.troutpocket.org" dev=dm-3 ino=1803639 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1347321260.427:230632): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff66a3f380 a2=7fff66a3f380 a3=28 items=0 ppid=31554 pid=31555 auid=0 uid=5002 gid=2 euid=5002 suid=5002 fsuid=5002 egid=2 sgid=2 fsgid=2 tty=(none) ses=46 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1347321260.427:230633): avc:  denied  { read write } for  pid=31555 comm="submit" name="D1803639" dev=dm-3 ino=1803640 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1347321260.427:230633): arch=c000003e syscall=2 success=yes exit=6 a0=20fd4d8 a1=242 a2=1b0 a3=28 items=0 ppid=31554 pid=31555 auid=0 uid=5002 gid=2 euid=5002 suid=5002 fsuid=5002 egid=2 sgid=2 fsgid=2 tty=(none) ses=46 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1347321260.510:230634): avc:  denied  { remove_name } for  pid=31555 comm="submit" name="1347321260.31555.mail.troutpocket.org" dev=dm-3 ino=1803639 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=dir
type=AVC msg=audit(1347321260.510:230634): avc:  denied  { rename } for  pid=31555 comm="submit" name="1347321260.31555.mail.troutpocket.org" dev=dm-3 ino=1803639 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1347321260.510:230634): arch=c000003e syscall=82 success=yes exit=0 a0=2163698 a1=2164328 a2=2163970 a3=49 items=0 ppid=31554 pid=31555 auid=0 uid=5002 gid=2 euid=5002 suid=5002 fsuid=5002 egid=2 sgid=2 fsgid=2 tty=(none) ses=46 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1347321260.511:230635): avc:  denied  { write } for  pid=31555 comm="submit" name="trigger" dev=dm-3 ino=1405 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=fifo_file
type=AVC msg=audit(1347321260.511:230635): avc:  denied  { open } for  pid=31555 comm="submit" name="trigger" dev=dm-3 ino=1405 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1347321260.511:230635): arch=c000003e syscall=2 success=yes exit=5 a0=434aa0 a1=801 a2=0 a3=344237303030302e items=0 ppid=31554 pid=31555 auid=0 uid=5002 gid=2 euid=5002 suid=5002 fsuid=5002 egid=2 sgid=2 fsgid=2 tty=(none) ses=46 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)

Comment 14 Miroslav Grepl 2012-09-11 05:42:33 UTC

(In reply to comment #12)
> # rpm -Uvh selinux-policy-*
> Preparing...                ###########################################
> [100%]
>    1:selinux-policy         ########################################### [
> 50%]
>    2:selinux-policy-targeted###########################################
> [100%]
> semodule:  Failed on #pkcsslotd.pp.bz2!
> 
> I'm not sure if that's a concern.  I'll follow up if there are continued
> AVCs.  Thanks, Milos.

I apologize for this error. It is going to be fixed in -162 release.

Comment 15 Miroslav Grepl 2012-09-11 05:43:55 UTC

(In reply to comment #13)
> Actually, yes.  This remains a problem, and the problem seems to be the one
> I originally suggested.  The sendmail security policy does not describe the
> behavior of Courier's sendmail, so it's not appropriate to label Courier's
> sendmail with that type.
> 
> Courier's sendmail calls Courier's submit, which writes to Courier's spool. 
> None of this appears to be described as appropriate behavior for
> sendmail_exec_t.  The service only works correctly if I "chcon
> system_u:object_r:bin_t:s0 /usr/lib/courier/bin/sendmail"
> 
> Please remove this rule from
> /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib/courier/bin/sendmail	--	system_u:object_r:sendmail_exec_t:s0
> 

Gordon,
what does

# ps -eZ |grep initrc

then with your change. Thank you.

Comment 16 Gordon Messmer 2012-09-11 14:50:10 UTC

I'm not sure that I understand your request.  Courier's sendmail doesn't run as a daemon.  I wouldn't expect to see it in the process list, except maybe while cron were running a job whose output was being fed to sendmail.

Comment 17 Michal Trunecka 2012-09-26 07:38:35 UTC

I discovered another AVCs during some non-related test, while courierd and logwatch was running.

selinux-policy-3.7.19-162.el6.noarch
courier-0.66.3-1.el6.x86_64
logwatch-7.3.6-49.el6.noarch

----
type=PATH msg=audit(09/26/2012 09:05:01.865:143) : item=0 name=(null) inode=155487 dev=fd:00 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:courier_spool_t:s0 
type=SOCKADDR msg=audit(09/26/2012 09:05:01.865:143) : saddr=local /var/spool/authdaemon/socket 
type=SYSCALL msg=audit(09/26/2012 09:05:01.865:143) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fff4f39b440 a2=6e a3=7fff4f39b120 items=1 ppid=4304 pid=4305 auid=root uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=18 comm=submit exe=/usr/lib/courier/libexec/courier/submit subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/26/2012 09:05:01.865:143) : avc:  denied  { connectto } for  pid=4305 comm=submit path=/var/spool/authdaemon/socket scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket 
----
type=PATH msg=audit(09/26/2012 09:06:01.825:152) : item=0 name=(null) inode=155487 dev=fd:00 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:courier_spool_t:s0 
type=SOCKADDR msg=audit(09/26/2012 09:06:01.825:152) : saddr=local /var/spool/authdaemon/socket 
type=SYSCALL msg=audit(09/26/2012 09:06:01.825:152) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=8 a1=7fffa0b4b460 a2=6e a3=7fffa0b4b140 items=1 ppid=4403 pid=4404 auid=root uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=19 comm=submit exe=/usr/lib/courier/libexec/courier/submit subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/26/2012 09:06:01.825:152) : avc:  denied  { connectto } for  pid=4404 comm=submit path=/var/spool/authdaemon/socket scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket 
----
type=SYSCALL msg=audit(09/26/2012 09:06:03.495:155) : arch=x86_64 syscall=fstat success=no exit=-13(Permission denied) a0=4 a1=7fff5fa3a9f0 a2=7fff5fa3a9f0 a3=238 items=0 ppid=4399 pid=4473 auid=root uid=root gid=daemon euid=root suid=root fsuid=root egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=16 comm=sendmail exe=/usr/lib/courier/bin/sendmail subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/26/2012 09:06:03.495:155) : avc:  denied  { getattr } for  pid=4473 comm=sendmail path=pipe:[22379] dev=pipefs ino=22379 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=fifo_file 
----
type=SYSCALL msg=audit(09/26/2012 09:06:03.497:156) : arch=x86_64 syscall=fstat success=no exit=-13(Permission denied) a0=5 a1=7fff5fa3a9f0 a2=7fff5fa3a9f0 a3=238 items=0 ppid=4399 pid=4473 auid=root uid=root gid=daemon euid=root suid=root fsuid=root egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=16 comm=sendmail exe=/usr/lib/courier/bin/sendmail subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/26/2012 09:06:03.497:156) : avc:  denied  { getattr } for  pid=4473 comm=sendmail path=pipe:[22380] dev=pipefs ino=22380 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=fifo_file 
----
type=SYSCALL msg=audit(09/26/2012 09:06:03.497:157) : arch=x86_64 syscall=write success=no exit=-13(Permission denied) a0=4 a1=7f5493ec9000 a2=5 a3=7fff5fa3a980 items=0 ppid=4399 pid=4473 auid=root uid=root gid=daemon euid=root suid=root fsuid=root egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=16 comm=sendmail exe=/usr/lib/courier/bin/sendmail subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/26/2012 09:06:03.497:157) : avc:  denied  { write } for  pid=4473 comm=sendmail path=pipe:[22379] dev=pipefs ino=22379 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tclass=fifo_file 
----
type=PATH msg=audit(09/26/2012 09:06:17.614:168) : item=0 name=(null) inode=155487 dev=fd:00 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:courier_spool_t:s0 
type=SOCKADDR msg=audit(09/26/2012 09:06:17.614:168) : saddr=local /var/spool/authdaemon/socket 
type=SYSCALL msg=audit(09/26/2012 09:06:17.614:168) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=5 a1=7fff8ca875b0 a2=6e a3=7fff8ca87290 items=1 ppid=5637 pid=5638 auid=root uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=16 comm=submit exe=/usr/lib/courier/libexec/courier/submit subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/26/2012 09:06:17.614:168) : avc:  denied  { connectto } for  pid=5638 comm=submit path=/var/spool/authdaemon/socket scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Comment 18 Miroslav Grepl 2012-09-26 09:08:00 UTC

Michal,
are you able to get output of

# ps -efZ |grep initrc

during testing?

Comment 19 Michal Trunecka 2012-09-26 09:40:11 UTC

Created attachment 617483 [details]
output of ps -efZ |grep initrc

Comment 20 Gordon Messmer 2012-09-28 06:42:49 UTC

Michal, I'm pretty sure all of those AVCs were also found in my last update.

Miroslav, as I mentioned before, /usr/lib/courier/bin/sendmail does not appear in the process list.  Changing its label will not change the output of 'ps -efZ |grep initrc' in any way.

The problem here is that selinux-policy has a policy written to properly confine Sendmail (TM).  That policy is mistakenly being applied to a completely different program, that operates in a completely different way.  Courier's sendmail doesn't write to a directory labeled sendmail_tmp_t, it writes to a directory labled courier_spool_t.  That's not allowed by policy.

There is currently no policy in place that even attempts to describe the normal operation of Courier's sendmail binary.  Until there is, the path should be labelled bin_t, just like all of the other paths for which there is no targeted policy.

Applying the label for Sendmail (TM)'s sendmail to Courier's sendmail was a simple mistake.  Please remove the label.

Comment 21 Miroslav Grepl 2012-10-15 18:23:43 UTC

Ok so it works with

# chcon -t bin_t /usr/lib/courier/bin/sendmail

I believe no big deal to allow sendmail_t to allow courier_spool_t. The problem is /usr/lib/courier/bin/sendmail is trying to communicate with other courier services.

I would agree with Gordon and switch /usr/lib/courier/bin/sendmail to bin_t for now.

Michal,
could you play with this solution?

Comment 22 Gordon Messmer 2012-10-16 16:19:16 UTC

Thanks, Miroslav.

I agree that allowing sendmail_t access to courier_spool_t would not be problematic, but it also wouldn't solve the problem entirely.  Other AVCs reported here include access to logwatch_mail_t (an input pipe) and initrc_t.

Courier's sendmail binary operates in a fashion completely unlike Sendmail's sendmail binary, so while it may be useful for Courier's sendmail binary to have a security policy, mixing the two into a single policy would be very ugly, and difficult to correct later.  When Courier's sendmail is restricted by policy, it should have a policy that is specific to Courier.

More importantly, though, Courier's sendmail is not a network daemon.  It is only used for compatibility with applications that expect a local "sendmail" binary in their path to send messages.  Since it is only used by local processes, the value of an SELinux policy is relatively low compared to Sendmail's sendmail binary.

Thanks for removing the sendmail_t context from Courier's sendmail.

Comment 24 Milos Malik 2013-01-08 08:01:57 UTC

# rpm -qa selinux-policy\*
selinux-policy-3.7.19-191.el6.noarch
selinux-policy-mls-3.7.19-191.el6.noarch
selinux-policy-minimum-3.7.19-191.el6.noarch
selinux-policy-doc-3.7.19-191.el6.noarch
selinux-policy-targeted-3.7.19-191.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
# ausearch -m avc -m selinux_err -i -ts today
----
type=PATH msg=audit(01/08/2013 03:29:03.728:10549) : item=0 name=(null) inode=1315133 dev=08:03 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:courier_spool_t:s0 
type=SOCKADDR msg=audit(01/08/2013 03:29:03.728:10549) : saddr=local /var/spool/authdaemon/socket 
type=SYSCALL msg=audit(01/08/2013 03:29:03.728:10549) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=7 a1=7fff298e7c50 a2=6e a3=7fff298e7930 items=1 ppid=19170 pid=19172 auid=root uid=daemon gid=daemon euid=daemon suid=daemon fsuid=daemon egid=daemon sgid=daemon fsgid=daemon tty=(none) ses=1583 comm=submit exe=/usr/lib/courier/libexec/courier/submit subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/08/2013 03:29:03.728:10549) : avc:  denied  { write } for  pid=19172 comm=submit name=socket dev=sda3 ino=1315133 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file 
----

Comment 25 Gordon Messmer 2013-01-15 02:14:45 UTC

Thanks for the update, Milos.  Is there a reason that sendmail doesn't transition to an unconfined domain when called by logwatch?

Comment 26 Lukas Vrabec 2014-06-11 09:41:27 UTC

send patch.

Comment 27 Gordon Messmer 2014-06-12 05:52:23 UTC

I mentioned previously that the problem can be corrected by removing this rule from /etc/selinux/targeted/contexts/files/file_contexts
/usr/lib/courier/bin/sendmail	--	system_u:object_r:sendmail_exec_t:s0

Would you like a patch to remove that one line?

Comment 30 Lukas Vrabec 2014-09-08 12:19:09 UTC

Removed line: /usr/lib/courier/bin/sendmail	--	system_u:object_r:sendmail_exec_t:s0

patch sent.

Comment 32 Lukas Vrabec 2014-09-11 13:58:04 UTC

Milos,
What about permissive mode?

Comment 34 Lukas Vrabec 2014-09-11 14:50:34 UTC

patch sent.

Comment 35 Milos Malik 2014-09-12 11:20:26 UTC

Following packages are product of rebuilding from tar.bz2 files downloaded from http://www.courier-mta.org/download.html. Unfortunately, a lot of binaries and scripts is located in unusual directories, which are not expected by selinux-policy.

# rpm -qa courier\*
courier-authlib-0.66.1-1.el6.x86_64
courier-unicode-1.1-1.el6.x86_64
courier-0.73.2-1.el6.x86_64
# rpm -qla courier\* | grep -v -e /usr/share/doc -e /usr/share/man -e /usr/lib/courier/share
/etc/authlib
/etc/authlib/authdaemonrc.dist
/etc/authlib/authldaprc.dist
/etc/authlib/authmysqlrc.dist
/etc/authlib/authpgsqlrc.dist
/etc/authlib/authsqliterc.dist
/etc/rc.d/init.d/courier-authlib
/usr/lib64/courier-authlib
/usr/lib64/courier-authlib/libauthcustom.so
/usr/lib64/courier-authlib/libauthpam.so
/usr/lib64/courier-authlib/libcourierauth.so
/usr/lib64/courier-authlib/libcourierauthcommon.so
/usr/lib64/courier-authlib/libcourierauthsasl.so
/usr/lib64/courier-authlib/libcourierauthsaslclient.so
/usr/libexec/courier-authlib
/usr/libexec/courier-authlib/authdaemond
/usr/libexec/courier-authlib/authsystem.passwd
/usr/libexec/courier-authlib/makedatprog
/usr/libexec/courier-authlib/sysconftool
/usr/sbin/authdaemond
/usr/sbin/authenumerate
/usr/sbin/authpasswd
/usr/sbin/authtest
/usr/sbin/courierlogger
/var/spool/authdaemon
/var/spool/authdaemon/pid
/var/spool/authdaemon/pid.lock
/var/spool/authdaemon/socket
/usr/lib64/libunicode.so.1
/usr/lib64/libunicode.so.1.0.0
/etc/courier
/etc/courier/aliasdir
/etc/courier/aliases
/etc/courier/aliases/system
/etc/courier/courierd.dist
/etc/courier/dsndelayed.txt
/etc/courier/dsndelivered.txt
/etc/courier/dsnfailed.txt
/etc/courier/dsnfooter.txt
/etc/courier/dsnheader.txt
/etc/courier/dsnrelayed.txt
/etc/courier/dsnsubjectnotice.txt
/etc/courier/dsnsubjectwarn.txt
/etc/courier/enablefiltering
/etc/courier/esmtpacceptmailfor.dir
/etc/courier/esmtpauthclient
/etc/courier/esmtpd-msa.dist
/etc/courier/esmtpd-ssl.dist
/etc/courier/esmtpd.cnf
/etc/courier/esmtpd.dist
/etc/courier/esmtppercentrelay.dir
/etc/courier/faxcoverpage.tr.dist
/etc/courier/faxnotifyrc.dist
/etc/courier/faxrc.dist
/etc/courier/filters
/etc/courier/filters/active
/etc/courier/ldapaliasrc.dist
/etc/courier/module.dsn
/etc/courier/module.esmtp
/etc/courier/module.fax
/etc/courier/module.local
/etc/courier/module.uucp
/etc/courier/quotawarnmsg.example
/etc/courier/shared
/etc/courier/shared.tmp
/etc/courier/smtpaccess
/etc/courier/smtpaccess/default
/etc/courier/webadmin
/etc/courier/webadmin/added
/etc/courier/webadmin/removed
/etc/cron.monthly/courier-mkdhparams
/etc/init.d/courier
/etc/pam.d/esmtp
/etc/profile.d/courier.csh
/etc/profile.d/courier.sh
/etc/skel/Maildir
/etc/skel/Maildir/cur
/etc/skel/Maildir/new
/etc/skel/Maildir/tmp
/usr/bin/sendmail
/usr/lib/courier
/usr/lib/courier/bin
/usr/lib/courier/bin/addcr
/usr/lib/courier/bin/cancelmsg
/usr/lib/courier/bin/courier-config
/usr/lib/courier/bin/couriertls
/usr/lib/courier/bin/deliverquota
/usr/lib/courier/bin/dotforward
/usr/lib/courier/bin/lockmail
/usr/lib/courier/bin/maildiracl
/usr/lib/courier/bin/maildirkw
/usr/lib/courier/bin/maildirmake
/usr/lib/courier/bin/mailq
/usr/lib/courier/bin/makedat
/usr/lib/courier/bin/makemime
/usr/lib/courier/bin/mimegpg
/usr/lib/courier/bin/preline
/usr/lib/courier/bin/reformime
/usr/lib/courier/bin/rmail
/usr/lib/courier/bin/sendmail
/usr/lib/courier/bin/testmxlookup
/usr/lib/courier/libexec
/usr/lib/courier/libexec/courier
/usr/lib/courier/libexec/courier/aliascombine
/usr/lib/courier/libexec/courier/aliascreate
/usr/lib/courier/libexec/courier/aliasexp
/usr/lib/courier/libexec/courier/courierd
/usr/lib/courier/libexec/courier/makedatprog
/usr/lib/courier/libexec/courier/modules
/usr/lib/courier/libexec/courier/modules/dsn
/usr/lib/courier/libexec/courier/modules/dsn/courierdsn
/usr/lib/courier/libexec/courier/modules/esmtp
/usr/lib/courier/libexec/courier/modules/esmtp/addcr
/usr/lib/courier/libexec/courier/modules/esmtp/courieresmtp
/usr/lib/courier/libexec/courier/modules/esmtp/courieresmtpd
/usr/lib/courier/libexec/courier/modules/fax
/usr/lib/courier/libexec/courier/modules/fax/courierfax
/usr/lib/courier/libexec/courier/modules/local
/usr/lib/courier/libexec/courier/modules/local/courierdeliver
/usr/lib/courier/libexec/courier/modules/local/courierlocal
/usr/lib/courier/libexec/courier/modules/uucp
/usr/lib/courier/libexec/courier/modules/uucp/courieruucp
/usr/lib/courier/libexec/courier/sqwebpasswd
/usr/lib/courier/libexec/courier/submit
/usr/lib/courier/libexec/courier/submitmkdir
/usr/lib/courier/libexec/filters
/usr/lib/courier/libexec/filters/dupfilter
/usr/lib/courier/libexec/filters/perlfilter
/usr/lib/courier/libexec/filters/ratefilter
/usr/lib/courier/sbin
/usr/lib/courier/sbin/aliaslookup
/usr/lib/courier/sbin/courier
/usr/lib/courier/sbin/courieresmtpd
/usr/lib/courier/sbin/courierfilter
/usr/lib/courier/sbin/couriertcpd
/usr/lib/courier/sbin/esmtpd
/usr/lib/courier/sbin/esmtpd-msa
/usr/lib/courier/sbin/esmtpd-ssl
/usr/lib/courier/sbin/filterctl
/usr/lib/courier/sbin/makeacceptmailfor
/usr/lib/courier/sbin/makealiases
/usr/lib/courier/sbin/makehosteddomains
/usr/lib/courier/sbin/makepercentrelay
/usr/lib/courier/sbin/makesmtpaccess
/usr/lib/courier/sbin/makesmtpaccess-msa
/usr/lib/courier/sbin/makeuucpneighbors
/usr/lib/courier/sbin/mkdhparams
/usr/lib/courier/sbin/mkesmtpdcert
/usr/lib/courier/sbin/sharedindexinstall
/usr/lib/courier/sbin/sharedindexsplit
/usr/lib/courier/sbin/showconfig
/usr/lib/courier/sbin/showmodules
/usr/lib/courier/sbin/webgpg
/usr/lib/sendmail
/var/spool/courier
/var/spool/courier/allfilters
/var/spool/courier/faxtmp
/var/spool/courier/filters
/var/spool/courier/msgq
/var/spool/courier/msgs
/var/spool/courier/tmp
/var/spool/courier/track
#

For example:
# matchpathcon /usr/lib/courier/sbin/couriertcpd
/usr/lib/courier/sbin/couriertcpd	system_u:object_r:bin_t:s0
# matchpathcon /usr/lib/courier/couriertcpd
/usr/lib/courier/couriertcpd	system_u:object_r:courier_tcpd_exec_t:s0
#

Comment 37 Gordon Messmer 2014-09-14 21:41:59 UTC

I guess it's less fortunate that there isn't a proper policy for Courier than it would be for one to be in place, but unconfined is a lot better than confined to a set of rules that describe the behavior of a completely different piece of software.  Thanks, guys.  Once -255 is available, I'll test it.

Comment 41 Gordon Messmer 2014-11-05 17:28:06 UTC

Just a note that this bug affects RHEL 7 as well.  Same fix applies.

Comment 42 Miroslav Grepl 2014-11-06 14:38:55 UTC

(In reply to Gordon Messmer from comment #41)
> Just a note that this bug affects RHEL 7 as well.  Same fix applies.

Could you open a bug for RHEL7? 

Thank you.

Comment 43 Miroslav Grepl 2015-02-25 10:41:55 UTC

I believe we can leave these domains in this state and it can be fixed with a local policy for RHEL6.

Closing this bug as WONTFIX for RHEL6.

Note You need to log in before you can comment on or make changes to this bug.