View Issue Details

ID: 0012396
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-08-29 08:20
Reporter: fbures
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0012396: SELinux is preventing /usr/sbin/sendmail.sendmail from 'read' accesses on the file disable_ipv6.
Description:
Description of problem:
SELinux is preventing /usr/sbin/sendmail.sendmail from 'read' accesses on the file disable_ipv6.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sendmail.sendmail should be allowed read access on the disable_ipv6 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -i my-sendmail.pp

Additional Information:
Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects disable_ipv6 [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host (removed)
Source RPM Packages sendmail-8.14.7-4.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64
Alert Count 2
First Seen 2016-12-15 06:00:05 EST
Last Seen 2016-12-15 06:00:06 EST
Local ID b736bf54-ebb9-4b71-9b65-b110bfc83ba4

Raw Audit Messages
type=AVC msg=audit(1481799606.650:24600): avc: denied { read } for pid=28194 comm="sendmail" name="disable_ipv6" dev="proc" ino=12488218 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file


type=SYSCALL msg=audit(1481799606.650:24600): arch=x86_64 syscall=open success=no exit=EACCES a0=7fe7bd71e4b0 a1=80000 a2=1b6 a3=24 items=0 ppid=30546 pid=28194 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=748 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: sendmail,system_mail_t,sysctl_net_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-102.el7_3.7.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-514.2.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: b6ef8fc6543e97b24c2bee8b2b45d2aa1fc9149d157e0f23532be500eafbfc4a
URL:

Activities

bkant (reporter), 2017-04-23 17:48, note ~0029128

Hello,

I have the same issue when I try to send mails from crontab jobs. Users can send mails to the outside world. Mails from crontab are delivered, but for those I get SELinux errors each time.

The journal suggests running sealert -l ce0f0139-a4f2-4d35-8cc2-fb5368364254, then ausearch, which seems to fail:

# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
libsepol.sepol_string_to_security_class: unrecognized class dir
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class dir
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class file
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-sendmail.pp


Are some rules missing to allow crontab to send mails? sestatus shows no such option:

# sestatus -b | grep -i sendmail
gitosis_can_sendmail off
httpd_can_sendmail off
logging_syslogd_can_sendmail off
bkant (reporter), 2017-04-23 18:35, note ~0029130

An additional input that could be useful. I still do not know what the "unrecognized class" outputs mean... So, this AVC is logged for emails sent by crontab, related to "read access on the disable_ipv6 file":

----
time->Sun Apr 23 20:26:01 2017
type=SYSCALL msg=audit(1492971961.983:264): arch=c000003e syscall=2 success=no exit=-13 a0=7fe2a46e84b0 a1=80000 a2=1b6 a3=24 items=0 ppid=15080 pid=15085 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=51 sgid=51 fsgid=51 tty=(none) ses=8 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1492971961.983:264): avc: denied { read } for pid=15085 comm="sendmail" name="disable_ipv6" dev="proc" ino=13341 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file



# ausearch -c 'sendmail' --raw | audit2allow
libsepol.sepol_string_to_security_class: unrecognized class dir
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class dir
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class file


#============= sendmail_t ==============
allow sendmail_t sysctl_net_t:dir search;
allow sendmail_t sysctl_net_t:file { getattr open read };

#============= system_mail_t ==============
allow system_mail_t sysctl_net_t:dir search;
allow system_mail_t sysctl_net_t:file read;
bkant (reporter), 2017-04-23 19:00, note ~0029131

Now I see two issues...

Sendmail "read access on the disable_ipv6 file" when cron jobs send mail, as I just described.

Plus another one, triggering "unrecognized class capability" errors. My "ausearch --raw" fails as described here (adding garbage at the end of lines):
https://bugzilla.redhat.com/show_bug.cgi?id=1408248

When I remove the ausearch garbage, I still cannot apply the required rules to sendmail:

# cat raw | audit2allow -m sendmail

module sendmail 1.0;

require {
        type sendmail_t;
        type sysctl_net_t;
        type system_mail_t;
        class file { getattr open read };
        class dir search;
}

#============= sendmail_t ==============

#!!!! This avc is allowed in the current policy
allow sendmail_t sysctl_net_t:dir search;

#!!!! This avc is allowed in the current policy
allow sendmail_t sysctl_net_t:file { getattr open read };

#============= system_mail_t ==============

#!!!! This avc is allowed in the current policy
allow system_mail_t sysctl_net_t:dir search;
allow system_mail_t sysctl_net_t:file open;

#!!!! This avc is allowed in the current policy
allow system_mail_t sysctl_net_t:file read;


# cat raw | audit2allow -M sendmail
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i sendmail.pp

# semodule -i sendmail.pp
libsemanage.semanage_direct_install_info: Overriding sendmail module at lower priority 100 with module at priority 400.
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/my-sendmail/cil:1
semodule: Failed!
bkant (reporter), 2017-04-23 19:11, note ~0029132

My system was just freshly installed, then updated, today.

Looks now redundant with:
https://bugs.centos.org/view.php?id=12914

Keep in mind ausearch is bogus (adds garbage at EOL), as described in:
https://bugzilla.redhat.com/show_bug.cgi?id=1408248

My issue (and the way to reproduce it) seems to be mails sent by crontab, requiring the following additional rule:

allow system_mail_t sysctl_net_t:file open;

Have to figure out how to do that, and if it's safe...

Best regards
bkant (reporter), 2017-04-23 19:27, note ~0029135

And I now also noticed the following event, triggered by my mails sent by crontab:

setroubleshoot[16623]: failed to retrieve rpm info for /proc/sys/net/ipv6/conf/all/disable_ipv6
bkant (reporter), 2017-04-23 20:01, note ~0029136

Now I patched it using my own "mypolicy.te" below. "open" wasn't enough; it triggered "SELinux is preventing /usr/sbin/sendmail.sendmail from getattr access on the file". So I added "getattr open read".

Now my crontab sends out mails without SELinux complaints about the disable_ipv6 file...


# cat mypolicy.te
module mypolicy 1.0;

require {
        type sendmail_t;
        type sysctl_net_t;
        type system_mail_t;
        class file { getattr open read };
        class dir search;
}

allow system_mail_t sysctl_net_t:file { getattr open read };


# checkmodule -M -m -o mypolicy.mod mypolicy.te
checkmodule: loading policy configuration from mypolicy.te
checkmodule: policy configuration loaded


# semodule_package -m mypolicy.mod -o mypolicy.pp

# semodule -i mypolicy.pp
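A tighter way to do what the audit2allow suggestion at the top of the report and the hand-written mypolicy.te above both do, added here as an example (it is not code from the bug report, from bkant, or from the selinux-policy project): parse only the AVC records for the source/target pair in question, emit a .te containing exactly the permissions that were denied, and compile it under a module name that does not collide with the distribution's own `sendmail` module. That collision is what the "Overriding sendmail module at lower priority 100 with module at priority 400" message in the earlier note signals: `semodule -i sendmail.pp` replaces the base policy's sendmail module instead of adding a rule beside it. The module name `local_sendmail`, the helper names, and the sample records other than the two AVC lines quoted in this thread are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not code from the bug report or from selinux-policy: build a
# minimal local module from the AVC records in this thread instead of piping
# the whole `ausearch -c sendmail --raw` stream into audit2allow.
# Assumptions not stated on the page: the module is named local_sendmail (any
# name other than "sendmail", which the distribution's own module uses), and
# only the system_mail_t -> sysctl_net_t accesses are wanted.
set -eu

# Constructed sample input. The first two records are the ones quoted in the
# thread; the open/getattr records are constructed to mirror the follow-up
# denials bkant describes; the httpd_t record is a decoy that must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1481799606.650:24600): avc: denied { read } for pid=28194 comm="sendmail" name="disable_ipv6" dev="proc" ino=12488218 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1492971961.983:264): avc: denied { read } for pid=15085 comm="sendmail" name="disable_ipv6" dev="proc" ino=13341 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1492971962.001:265): avc: denied { open } for pid=15085 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=13341 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1492971962.002:266): avc: denied { getattr } for pid=15085 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=13341 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1492972000.000:301): avc: denied { write } for pid=2000 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Print distinct "srctype tgttype tclass perm" tuples for one source type and
# one target type; every other record in the audit stream is ignored.
# $1 = source type, $2 = target type; raw audit records on stdin.
avc_tuples() {
    awk -v src="$1" -v tgt="$2" '
        /^type=AVC / && /avc: +denied/ {
            # the denied permissions sit inside the braces: { read } or { getattr open }
            if (!match($0, /[{][^}]*[}]/)) next
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") s = kv[2]
                else if (kv[1] == "tcontext") t = kv[2]
                else if (kv[1] == "tclass") c = kv[2]
            }
            split(s, sp, ":"); split(t, tp, ":")   # user:role:type[:range]
            if (sp[3] != src || tp[3] != tgt) next
            n = split(perms, pa, " ")
            for (j = 1; j <= n; j++) print sp[3], tp[3], c, pa[j]
        }' | sort -u
}

# Emit a .te that allows exactly the tuples found, nothing more.
# $1 = module name, $2 = source type, $3 = target type; raw records on stdin.
gen_te() {
    local mod="$1" src="$2" tgt="$3" tuples
    tuples=$(avc_tuples "$src" "$tgt")
    [ -n "$tuples" ] || { echo "no matching AVC records for $src -> $tgt" >&2; return 1; }
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n' "$mod" "$src" "$tgt"
    # one class declaration per object class, with the union of permissions seen
    printf '%s\n' "$tuples" | awk '{ p[$3] = p[$3] " " $4 }
        END { for (c in p) printf "\tclass %s {%s };\n", c, p[c] }'
    printf '}\n\n'
    printf '%s\n' "$tuples" | awk -v s="$src" -v t="$tgt" '{ p[$3] = p[$3] " " $4 }
        END { for (c in p) printf "allow %s %s:%s {%s };\n", s, t, c, p[c] }'
}

# Compile and install a .te read from stdin, using the same three commands as
# the note above; skipped on hosts without the policy toolchain so the .te can
# still be reviewed by hand. $1 = module name.
build_module() {
    local mod="$1"
    cat > "$mod.te"
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not installed; review $mod.te by hand" >&2
        return 0
    fi
    checkmodule -M -m -o "$mod.mod" "$mod.te"
    semodule_package -m "$mod.mod" -o "$mod.pp"
    semodule -i "$mod.pp"
}

# Review the generated module before installing it.
printf '%s\n' "$SAMPLE_AVCS" | gen_te local_sendmail system_mail_t sysctl_net_t
```

On the affected host the real records go in with `ausearch -m AVC -c sendmail --raw | gen_te local_sendmail system_mail_t sysctl_net_t | build_module local_sendmail`. Before installing, `sesearch -A -s system_mail_t -t sysctl_net_t -c file` shows what the loaded policy already permits (audit2allow's "This avc is allowed in the current policy" lines earlier in the thread are the same check), which is why the `dir search` rule audit2allow also printed is not regenerated here. Since the target is a read-only sysctl under /proc/sys/net/ipv6, `{ getattr open read }` on sysctl_net_t is about as narrow as a local exception gets; remove it with `semodule -r local_sendmail` once the selinux-policy package carries the fix.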
yogirana416 (reporter), 2019-08-29 08:20, note ~0035030

Another user experienced a similar problem:

don't know the reason

reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-957.27.2.el7.x86_64
package: selinux-policy-3.13.1-229.el7_6.15.noarch
reason: SELinux is preventing /usr/sbin/sendmail.sendmail from 'read' accesses on the file disable_ipv6.
reproducible: Not sure how to reproduce the problem
type: libreport

Issue History

Date Modified Username Field Change
2016-12-15 21:28 fbures New Issue
2017-04-23 17:48 bkant Note Added: 0029128
2017-04-23 18:35 bkant Note Added: 0029130
2017-04-23 19:00 bkant Note Added: 0029131
2017-04-23 19:11 bkant Note Added: 0029132
2017-04-23 19:27 bkant Note Added: 0029135
2017-04-23 20:01 bkant Note Added: 0029136
2019-08-29 08:20 yogirana416 Note Added: 0035030