Description of problem:
SELinux drop error after sendmail installation by yum-builddep.
NOTE: This might be a problem of sendmail, not selinux-policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-192.el6.noarch
sendmail-8.14.4-8.el6

How reproducible:
Always

Steps to Reproduce:
1. Be sure that sendmail is not installed
2. Download some source package that has dependency to sendmail.
3. yum-builddep <downloaded-source-package> (I used sudo package)
4. ausearch -m SELINUX_ERR -ts recent

Expected:
<no matches>

LOG:
i:i386|m:i686 root@intel-piketon-02 [tmp]# id smmsp
id: smmsp: No such user
i:i386|m:i686 root@intel-piketon-02 [tmp]# ausearch -m SELINUX_ERR -ts recent
<no matches>
i:i386|m:i686 root@intel-piketon-02 [tmp]# yum-builddep sudo-1.8.6p3-6.el6.src.rpm
Loaded plugins: product-id
Getting requirements for sudo-1.8.6p3-6.el6.src
--> Already installed : pam-devel-1.1.1-13.el6.i686
--> Already installed : groff-1.18.1.4-21.el6.i686
--> Already installed : openldap-devel-2.4.23-31.el6.i686
--> Already installed : flex-2.5.35-8.el6.i686
--> Already installed : bison-2.4.1-5.el6.i686
--> Already installed : automake-1.11.1-4.el6.noarch
--> Already installed : autoconf-2.63-5.1.el6.noarch
--> Already installed : libtool-2.2.6-15.5.el6.i686
--> Already installed : audit-libs-devel-2.2-2.el6.i686
--> Already installed : libcap-devel-2.16-5.5.el6.i686
--> Already installed : libselinux-devel-2.0.94-5.3.el6.i686
--> sendmail-8.14.4-8.el6.i686
--> Running transaction check
---> Package sendmail.i686 0:8.14.4-8.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================================================
Installing:
sendmail i686 8.14.4-8.el6 beaker-Client 713 k

Transaction Summary
============================================================================================================================================================================================================================================
Install 1 Package(s)

Total download size: 713 k
Installed size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
sendmail-8.14.4-8.el6.i686.rpm | 713 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : sendmail-8.14.4-8.el6.i686 1/1
warning: group smmsp does not exist - using root
warning: user smmsp does not exist - using root
warning: group smmsp does not exist - using root
Verifying : sendmail-8.14.4-8.el6.i686 1/1

Installed:
sendmail.i686 0:8.14.4-8.el6

Complete!
i:i386|m:i686 root@intel-piketon-02 [tmp]# ausearch -m SELINUX_ERR -ts recent
----
time->Fri Feb 1 07:53:04 2013
type=SYSCALL msg=audit(1359723184.630:86): arch=40000003 syscall=11 success=no exit=-13 a0=83891d0 a1=83874e0 a2=8387708 a3=83874e0 items=0 ppid=9145 pid=9149 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1359723184.630:86): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
----
time->Fri Feb 1 07:53:04 2013
type=SYSCALL msg=audit(1359723184.632:87): arch=40000003 syscall=11 success=no exit=-13 a0=8389248 a1=8388a20 a2=8387708 a3=8388a20 items=0 ppid=9145 pid=9151 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1359723184.632:87): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
----
time->Fri Feb 1 07:53:05 2013
type=SYSCALL msg=audit(1359723185.769:88): arch=40000003 syscall=11 success=no exit=-13 a0=853e130 a1=853dfa8 a2=85367a0 a3=853dfa8 items=0 ppid=9163 pid=9165 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="make" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1359723185.769:88): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
i:i386|m:i686 root@intel-piketon-02 [tmp]# rpm -q selinux-policy sendmail
selinux-policy-3.7.19-192.el6.noarch
sendmail-8.14.4-8.el6.i686

Additional info:
Installation using yum doesn't raise the error, log:
i:i386|m:i686 root@intel-piketon-02 [tmp]# date
Fri Feb 1 07:59:06 EST 2013
i:i386|m:i686 root@intel-piketon-02 [tmp]# ausearch -m SELINUX_ERR -ts 7:59
<no matches>
i:i386|m:i686 root@intel-piketon-02 [tmp]# yum -y install sendmail
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package sendmail.i686 0:8.14.4-8.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================================================
Installing:
sendmail i686 8.14.4-8.el6 beaker-Client 713 k

Transaction Summary
============================================================================================================================================================================================================================================
Install 1 Package(s)

Total download size: 713 k
Installed size: 1.5 M
Downloading Packages:
sendmail-8.14.4-8.el6.i686.rpm | 713 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : sendmail-8.14.4-8.el6.i686 1/1
Verifying : sendmail-8.14.4-8.el6.i686 1/1

Installed:
sendmail.i686 0:8.14.4-8.el6

Complete!
i:i386|m:i686 root@intel-piketon-02 [tmp]# ausearch -m SELINUX_ERR -ts 7:59
<no matches>
The problem is due to /bin/yum-builddep not being labeled as rpm_exec_t. But it does point out other issues, basically that we end up with rpm_script_t running as unconfined_u:unconfined_r:rpm_script_t, where we expected this to run as system_r:rpm_script_t.
chcon -t rpm_exec_t /usr/bin/yum-builddep

Should fix this for now.
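Added example (not part of the original report or of any comment): a small Python parser for the SELINUX_ERR records shown in this bug. It extracts the source domain and role, the entrypoint type and the context the kernel computed and rejected, then reports when rpm_script_t ran under a role other than system_r. The function names are hypothetical; the sample records are copied from the report, except the first line, which is constructed.

```python
import re

# Three SELINUX_ERR records copied from this report, preceded by one
# constructed SYSCALL line to show that other record types are skipped.
SAMPLE = """\
type=SYSCALL msg=audit(1.000:1): arch=40000003 syscall=11 success=no exit=-13
type=SELINUX_ERR msg=audit(1359723184.630:86): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1359723184.632:87): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1359723185.769:88): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
"""

RECORD = re.compile(
    r"type=SELINUX_ERR msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"security_compute_sid:\s+invalid context (?P<invalid>\S+) "
    r"for scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, setype, *mls = ctx.split(":")
    return {"user": user, "role": role, "type": setype, "range": ":".join(mls)}

def failed_transitions(text):
    """Return one dict per rejected computed context found in audit text."""
    events = []
    for m in RECORD.finditer(text):
        src = split_context(m["scontext"])
        bad = split_context(m["invalid"])
        events.append({
            "serial": int(m["serial"]),
            "source_domain": src["type"],
            "source_role": src["role"],
            "entrypoint": split_context(m["tcontext"])["type"],
            # Context the kernel computed for the exec and found invalid.
            "wanted_domain": bad["type"],
            "computed_role_type": (bad["role"], bad["type"]),
        })
    return events

def unexpected_roles(events, domain="rpm_script_t", expected="system_r"):
    """Roles under which `domain` ran that differ from the expected role."""
    return {e["source_role"] for e in events
            if e["source_domain"] == domain and e["source_role"] != expected}

if __name__ == "__main__":
    found = failed_transitions(SAMPLE)
    for e in found:
        print(e["serial"], e["source_role"], "->", e["computed_role_type"])
    print("unexpected roles for rpm_script_t:", unexpected_roles(found))
```

On a live system the same functions can be fed the text output of the ausearch command used in the report.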
Ales, could you test it with this labeling?
Greetings,
I tested it with new context of yum-builddep and it didn't help.

----
time->Tue Feb 5 15:27:58 2013
type=SYSCALL msg=audit(1360096078.606:97): arch=40000003 syscall=11 success=no exit=-13 a0=812bfe8 a1=812a040 a2=812a3f0 a3=812a040 items=0 ppid=18404 pid=18408 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1360096078.606:97): security_compute_sid: invalid context unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:groupadd_exec_t:s0 tclass=process
----
time->Tue Feb 5 15:27:58 2013
type=SYSCALL msg=audit(1360096078.610:98): arch=40000003 syscall=11 success=no exit=-13 a0=812c078 a1=812b850 a2=812a3f0 a3=812b850 items=0 ppid=18404 pid=18410 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="sh" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1360096078.610:98): security_compute_sid: invalid context unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=process
----
time->Tue Feb 5 15:28:00 2013
type=SYSCALL msg=audit(1360096080.315:99): arch=40000003 syscall=11 success=no exit=-13 a0=8ad3f58 a1=8ad3de8 a2=8acc488 a3=8ad3de8 items=0 ppid=18422 pid=18424 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="make" exe="/bin/bash" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1360096080.315:99): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
:: [ FAIL ] :: Test: Looking for SELinux errors (Expected 1, got 0)

# ls -laZ /usr/bin/yum-builddep
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum-builddep
I added labeling.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html