Bug 852988 - Unexpected AVC because of SELinux denied access by procmail
Unexpected AVC because of SELinux denied access by procmail
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-30 03:54 EDT by Miguel González Laredo
Modified: 2013-01-07 22:34 EST (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-332.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 22:34:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Miguel González Laredo 2012-08-30 03:54:51 EDT
Description of problem: unexpected AVC because of SELinux denied access by procmail


Version-Release number of selected component (if applicable):
OS - Red Hat Enterprise Linux Server release 5, CentOS release 5.5 (Final)
SELinux Packages installed:
 selinux-policy-2.4.6-279.el5
 selinux-policy-targeted-2.4.6-279.el5
 libselinux-1.33.4-5.5.el5
 libselinux-1.33.4-5.5.el5
 libselinux-utils-1.33.4-5.5.el5
 libselinux-devel-1.33.4-5.5.el5
 libselinux-devel-1.33.4-5.5.el5
 libselinux-python-1.33.4-5.5.el5

How reproducible: Deactivating "dontaudit" and analyzing AVC messages on audit.log


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Resúmen:

SELinux is preventing procmail (procmail_t) "read" to
/var/spool/mqueue/dfq7U6F1eB011489 (mqueue_spool_t).

Descripción Detallada:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by procmail. It is not expected that this access
is required by procmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Permitiendo Acceso:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/spool/mqueue/dfq7U6F1eB011489,

restorecon -v '/var/spool/mqueue/dfq7U6F1eB011489'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Información Adicional:

Contexto Fuente               system_u:system_r:procmail_t
Contexto Destino              system_u:object_r:mqueue_spool_t
Objetos Destino               /var/spool/mqueue/dfq7U6F1eB011489 [ file ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port                          <Desconocido>
Host                          <Desconocido>
Source RPM Packages           procmail-3.22-17.1.el5.centos
Target RPM Packages           
RPM de Políticas             selinux-policy-2.4.6-279.el5
SELinux Activado              True
Tipo de Política             targeted
MLS Activado                  True
Modo Obediente                Permissive
Nombre de Plugin              catchall_file
Nombre de Equipo              agenda.ugr.es
Plataforma                    Linux agenda.ugr.es 2.6.18-194.el5 #1 SMP Fri Apr
                              2 14:58:14 EDT 2010 x86_64 x86_64
Cantidad de Alertas           1
First Seen                    Thu Aug 30 08:15:01 2012
Last Seen                     Thu Aug 30 08:15:01 2012
Local ID                      e4e2eb9a-9bde-45c2-a53d-9c53d7ab745d
Números de Línea            25458, 25459

Mensajes de Auditoría Crudos 

type=AVC msg=audit(1346307301.709:6027): avc:  denied  { read } for  pid=11491 comm="procmail" path="/var/spool/mqueue/dfq7U6F1eB011489" dev=dm-1 ino=40698487 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=file

type=SYSCALL msg=audit(1346307301.709:6027): arch=c000003e syscall=59 success=yes exit=0 a0=2b85df30cbe0 a1=7fff1079c150 a2=2b85c02700c0 a3=0 items=0 ppid=11490 pid=11491 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
Comment 2 RHEL Product and Program Management 2012-08-30 09:47:06 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Miguel González Laredo 2012-08-31 04:45:02 EDT
I'm waiting if you need some additional feedback about the case.

Thanks a lots!
Comment 8 errata-xmlrpc 2013-01-07 22:34:21 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

Note You need to log in before you can comment on or make changes to this bug.