Bug 839428 - SELinux reporting denied pipe read/write for sendmail.postfix
Summary: SELinux reporting denied pipe read/write for sendmail.postfix
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-07-12 00:33 UTC by Scott Shambarger
Modified: 2012-08-11 06:49 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-08-10 22:35:26 UTC
Type: Bug

Description Scott Shambarger 2012-07-12 00:33:17 UTC
Description of problem:
SELinux is reporting denied pipe read/write when executing sendmail.postfix

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-134

How reproducible:
Always

Steps to Reproduce:
1. Setup postfix mailbox_command=/usr/libexec/dovecot/dovecot-lda
2. Setup a .forward (or sieve command) so dovecot-lda calls /usr/sbin/sendmail (which is really sendmail.postfix)
3. When sendmail.postfix is started, it causes AVC denials for fifo_file { read write }
  
Actual results:
Audit messages are created:

type=AVC msg=audit(1342048249.782:73306): avc:  denied  { write } for  pid=8356 comm="sendmail" path="pipe:[815212]" dev="pipefs" ino=815212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc:  denied  { read } for  pid=8356 comm="sendmail" path="pipe:[815212]" dev="pipefs" ino=815212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc:  denied  { write } for  pid=8356 comm="sendmail" path="pipe:[815215]" dev="pipefs" ino=815215 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc:  denied  { write } for  pid=8356 comm="sendmail" path="pipe:[815215]" dev="pipefs" ino=815215 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

Expected results:
No denials are logged.

Additional info:
Running strace -f on postfix's master process, it doesn't appear that sendmail.postfix actually reads or writes directly to the pipe.  I'm not sure if the pipe:[815212] inos actually correspond to the entries I see in the strace output, but if they do, these are probably just pipes leaking through from the parent [815215] and grandparent [815212] processes, and are probably not intended to remain open (i.e. leaks).

Since sendmail.postfix appears to function as intended without the permissions, it's probably ok to just "dontaudit" the denials, e.g.:

dontaudit sendmail_t postfix_local_t:fifo_file { write read };
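A defender-side illustration of the triage the reporter describes (added here, not part of the bug report or of the selinux-policy package): parse the AVC lines quoted above into (source type, target type, object class) tuples and emit either the dontaudit rule the reporter proposes or the allow rule the maintainers chose, a cut-down version of what audit2allow does. The sample input is the report's own AVC lines, embedded as constructed data.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1342048249.782:73306): avc:  denied  { write } for  pid=8356 comm="sendmail" path="pipe:[815212]" dev="pipefs" ino=815212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc:  denied  { read } for  pid=8356 comm="sendmail" path="pipe:[815212]" dev="pipefs" ino=815212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc:  denied  { write } for  pid=8356 comm="sendmail" path="pipe:[815215]" dev="pipefs" ino=815215 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
"""

# Pull the denied permission set and the three fields a TE rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type (third component) of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(text):
    """Map (source type, target type, class) -> set of denied permissions.

    Several AVC lines for the same pair/class collapse into one entry, which is
    why the two denials above (read and write on different pipe inodes) become a
    single { read write } rule.
    """
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # skip non-AVC audit records
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def policy_rules(denials, dontaudit=False):
    """Emit TE rules. Use dontaudit=True when the program works without the
    access (the reporter's observation) and the denial is only log noise;
    leave it False when the access is genuinely needed."""
    verb = "dontaudit" if dontaudit else "allow"
    return [f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(denials.items())]

if __name__ == "__main__":
    for rule in policy_rules(parse_avc(SAMPLE_AUDIT), dontaudit=True):
        print(rule)
```

Running it prints the single rule the reporter suggested (with permissions sorted); whether that rule belongs in a local module or, as here, in the distribution policy is a separate decision.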

Comment 1 Daniel Walsh 2012-07-23 16:05:10 UTC
Added

+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_

to Rawhide to allow all mail apps to use inherited fifo files.

Comment 2 Miroslav Grepl 2012-07-24 11:24:18 UTC
Added to F17.

Comment 3 Scott Shambarger 2012-07-27 04:21:00 UTC
Tested with selinux-policy-3.10.0-140:

type=AVC msg=audit(1343362745.333:30288): avc:  denied  { write } for  pid=1841 comm="sendmail" path="pipe:[1271669]" dev="pipefs" ino=1271669 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

... still logged.

Comment 4 Miroslav Grepl 2012-07-27 11:09:54 UTC
Try the latest build from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=343797

Comment 5 Fedora Update System 2012-07-27 15:33:34 UTC
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17

Comment 6 Scott Shambarger 2012-07-27 18:15:09 UTC
Installed and tried selinux-policy-3.10.0-142, but still getting the same denial -- audit2why -b:

type=AVC msg=audit(1343412672.784:91): avc:  denied  { write } for  pid=2031 comm="sendmail" path="pipe:[20651]" dev="pipefs" ino=20651 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

type=AVC msg=audit(1343412672.784:91): avc:  denied  { read } for  pid=2031 comm="sendmail" path="pipe:[20651]" dev="pipefs" ino=20651 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

Comment 7 Fedora Update System 2012-07-28 01:23:23 UTC
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).

Comment 8 Miroslav Grepl 2012-07-30 09:35:44 UTC
Ah, you are right. I found a bug.

Comment 9 Miroslav Grepl 2012-07-30 09:38:53 UTC
Fixed in selinux-policy-3.10.0-143

Comment 10 Fedora Update System 2012-08-01 18:20:44 UTC
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Scott Shambarger 2012-08-01 18:21:56 UTC
Re-opening since -142 did not include the fix

Comment 12 Miroslav Grepl 2012-08-02 10:53:03 UTC
(In reply to comment #9)
> Fixed in selinux-policy-3.10.0-143

Comment 13 Scott Shambarger 2012-08-02 19:11:29 UTC
Yes, but -143 seems to have a build error related to spamassassin... might want to investigate that.

Comment 14 Miroslav Grepl 2012-08-03 08:10:05 UTC
Fixed.

Comment 15 Scott Shambarger 2012-08-03 19:30:50 UTC
Installed -143, still exactly the same errors logged (ref comment#6)

Comment 16 Miroslav Grepl 2012-08-06 11:22:27 UTC
Ah, I meant fixed in -144 which is now built.

Comment 17 Fedora Update System 2012-08-08 11:22:15 UTC
selinux-policy-3.10.0-145.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-145.fc17

Comment 18 Scott Shambarger 2012-08-09 22:39:47 UTC
Funny, -145 still hasn't shown up in the updates-testing cache (yum reports using mirror.web-ster.com) -- even if I nuke the cache, the package file is still dated Aug 5th... are the mirrors having problems?

Comment 19 Fedora Update System 2012-08-09 23:05:22 UTC
Package selinux-policy-3.10.0-145.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-145.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11591/selinux-policy-3.10.0-145.fc17
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2012-08-10 22:35:26 UTC
selinux-policy-3.10.0-145.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Scott Shambarger 2012-08-11 06:49:55 UTC
Finally had a chance to test this, and yes, it's fixed in -145 :)

