Bug 984830 - atd directly executes sendmail
Summary: atd directly executes sendmail
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: at
Version: 5.10
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Marcela Mašláňová
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-16 07:01 UTC by Milos Malik
Modified: 2013-12-23 19:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-16 08:12:56 UTC
Target Upstream Version:
Embargoed:



Description Milos Malik 2013-07-16 07:01:07 UTC
Description of problem:

Version-Release number of selected component (if applicable):
at-3.1.8-84.el5
selinux-policy-2.4.6-345.el5
selinux-policy-devel-2.4.6-345.el5
selinux-policy-minimum-2.4.6-345.el5
selinux-policy-mls-2.4.6-345.el5
selinux-policy-strict-2.4.6-345.el5
selinux-policy-targeted-2.4.6-345.el5

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-5.10 machine
2. switch it from targeted policy to strict policy
3. log in as root/sysadm_r
4. # setenforce 1
5. # echo '/usr/bin/id -Z' | at now + 1 minute
6. # tail -f /var/log/messages

Actual results:
Jul 16 06:28:01 pes-guest-88 atd[5957]: Exec failed for mail command: Permission denied
Jul 16 06:31:00 pes-guest-88 atd[6034]: Exec failed for mail command: Permission denied
Jul 16 06:48:00 pes-guest-88 atd[6211]: Exec failed for mail command: Permission denied

Expected results:
 * the command is successfully executed by atd
 * no error messages
 * no AVCs

Additional info:
Because the atd program contains a bug which cannot be fixed or worked around in selinux-policy, the following AVC appears in enforcing mode:
----
type=SYSCALL msg=audit(07/16/2013 06:48:00.964:105) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=2b8a651e94b9 a1=7fffc6d538b0 a2=7fffc6d560d8 a3=0 items=0 ppid=6207 pid=6211 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=atd exe=/usr/sbin/atd subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/16/2013 06:48:00.964:105) : avc:  denied  { entrypoint } for  pid=6211 comm=atd path=/usr/sbin/sendmail.sendmail dev=dm-0 ino=7643742 scontext=root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file 
----

Comment 2 Miroslav Grepl 2013-07-16 07:18:05 UTC
Yes, the problem is with

execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);

where setexeccon is not set for the default policy behavior and it runs with

setexeccon(user_context)

Comment 3 RHEL Program Management 2013-07-24 04:03:20 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 Marcela Mašláňová 2013-09-13 11:50:48 UTC
Could you explain to me why no one noticed such an essential fault in behaviour before?

I don't think such bugs or components will be approved so late in RHEL-5 time frame. I would close it.

Comment 5 Milos Malik 2013-09-13 13:07:05 UTC
Maybe there is a lack of customers/users who use atd and strict policy at the same time. The problem does not exist on machines running targeted policy.

Comment 6 Marcela Mašláňová 2013-09-16 08:12:56 UTC
In that case, WONTFIX. I don't believe at will be an approved component so late in the support cycle.

Although it may be good to add this test case to the regression tests and verify that it doesn't fail on RHEL-6 and later releases.
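
Comment 6 suggests turning the reproducer into a regression test. As an added example, not code from the at package or from anyone on this bug, here is a POSIX shell check that scans an audit log for the AVC quoted in the description; the function and file names are mine, and the sample log is constructed (its first record is the AVC from this bug, the second an invented unrelated denial that must not match).

```shell
#!/bin/sh
# Added regression check for this bug (not code from the at package or the
# bug report): scan an audit log for the AVC that atd raises when it execs
# sendmail under the strict policy and the policy denies { entrypoint }.

# Print every AVC record matching the bug's signature: an entrypoint denial
# with comm=atd against a file labelled sendmail_exec_t.
atd_sendmail_avcs() {
    grep 'type=AVC' "$1" 2>/dev/null \
        | grep '{ entrypoint }' \
        | grep 'comm=atd' \
        | grep 'tcontext=[^ ]*:sendmail_exec_t' || true
}

# Return 0 when the log is clean, 1 when the AVC is present (one line per hit
# naming the source domain and target type, so the failure is readable).
atd_sendmail_avc_check() {
    hits=$(atd_sendmail_avcs "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r line; do
        src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        echo "FAIL: atd sendmail exec denied: $src -> $tgt"
    done
    return 1
}

# Constructed sample log: the AVC quoted in this bug plus one unrelated
# record (invented) that must not match.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(07/16/2013 06:48:00.964:105) : avc:  denied  { entrypoint } for  pid=6211 comm=atd path=/usr/sbin/sendmail.sendmail dev=dm-0 ino=7643742 scontext=root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(07/16/2013 06:48:05.000:106) : avc:  denied  { getattr } for  pid=6220 comm=atd path=/var/spool/at scontext=root:sysadm_r:sysadm_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir
EOF
}

# Stand-alone demo on the constructed sample; on a real host point the check
# at /var/log/audit/audit.log after running the reproducer from this bug.
tmp=$(mktemp)
write_sample_audit_log "$tmp"
atd_sendmail_avc_check "$tmp" || echo "sample log reproduces bug 984830"
rm -f "$tmp"
```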

