957341 – SELinux is preventing /usr/sbin/sendmail.sendmail from using the 'net_admin' capabilities.

Bug 957341 - SELinux is preventing /usr/sbin/sendmail.sendmail from using the 'net_admin' capabilities.

Summary: SELinux is preventing /usr/sbin/sendmail.sendmail from using the 'net_admin' ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sendmail
Sub Component:
Version:	18
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Jaroslav Škarvada
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:32aea80999b06d8044d60a7bed3...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-27 11:17 UTC by steinach2810
Modified:	2023-09-14 01:43 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-02-05 21:07:00 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description steinach2810 2013-04-27 11:17:02 UTC

Description of problem:
SELinux is preventing /usr/sbin/sendmail.sendmail from using the 'net_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sendmail.sendmail should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep newaliases /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        newaliases
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sendmail-8.14.5-15.fc18.x86_64
                              sendmail-8.14.6-4.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-66.fc18.noarch selinux-
                              policy-3.11.1-86.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.10-4.fc18.x86_64 #1 SMP Tue
                              Dec 11 18:01:27 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2013-03-23 12:49:05 EET
Last Seen                     2013-03-23 12:49:05 EET
Local ID                      bf549b1c-c371-4dba-bb38-4628e7ffa03c

Raw Audit Messages
type=AVC msg=audit(1364035745.372:358): avc:  denied  { net_admin } for  pid=11668 comm="newaliases" capability=12  scontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1364035745.372:358): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=4 a1=8933 a2=7fffcc8600f0 a3=1c items=0 ppid=11666 pid=11668 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=pts0 ses=1 comm=newaliases exe=/usr/sbin/sendmail.sendmail subj=unconfined_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: newaliases,system_mail_t,system_mail_t,capability,net_admin

audit2allow

#============= system_mail_t ==============
allow system_mail_t self:capability net_admin;

audit2allow -R
require {
	type system_mail_t;
	class capability net_admin;
}

#============= system_mail_t ==============
allow system_mail_t self:capability net_admin;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.8-203.fc18.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-04-29 07:09:49 UTC

Does everything work correctly?

Comment 2 Miroslav Grepl 2013-04-29 07:10:19 UTC

CAP_NET_ADMIN
              Perform various network-related operations:
              * interface configuration;
              * administration of IP firewall, masquerading, and accounting
              * modify routing tables;
              * bind to any address for transparent proxying;
              * set type-of-service (TOS)
              * clear driver statistics;
              * set promiscuous mode;
              * enabling multicasting;
              * use setsockopt(2) to set the following socket options: SO_DEBUG,
                SO_MARK,  SO_PRIORITY (for a priority outside the range 0 to 6),
                SO_RCVBUFFORCE, and SO_SNDBUFFORCE

Comment 3 Jaroslav Škarvada 2013-04-29 12:04:45 UTC

No idea why the newaliases needed the CAP_NET_ADMIN. For the reporter: could you provide your /etc/aliases? Could you provide the steps that triggered this?

Comment 4 Fedora End Of Life 2013-12-21 13:16:15 UTC

This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Fedora End Of Life 2014-02-05 21:07:00 UTC

Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 6 Red Hat Bugzilla 2023-09-14 01:43:49 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

Note You need to log in before you can comment on or make changes to this bug.