View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012914 | CentOS-7 | selinux-policy | public | 2017-03-03 05:22 | 2019-02-08 15:20 |

| Field | Value |
|---|---|
| Reporter | mjeghers |
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Status | new |
| Resolution | open |
| Platform | |
| OS | |
| OS Version | 7 |
| Product Version | |
| Target Version | |
| Fixed in Version | |

Summary: 0012914: SELinux is preventing /usr/sbin/sendmail.sendmail from 'open' accesses on the file /proc/sys/net/ipv6/conf/all/disable_ipv6.

Description

Description of problem: The notification comes up unsolicited and at random times. Sendmail is not yet configured, but I will set it up later.

SELinux is preventing /usr/sbin/sendmail.sendmail from 'open' accesses on the file /proc/sys/net/ipv6/conf/all/disable_ipv6.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sendmail.sendmail should be allowed open access on the disable_ipv6 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

```
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -i my-sendmail.pp
```

Additional Information:

```
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                /proc/sys/net/ipv6/conf/all/disable_ipv6 [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sendmail-8.14.7-4.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-03-02 03:00:02 EST
Last Seen                     2017-03-03 00:00:01 EST
Local ID                      dadf7124-e8be-4d2f-bb88-81ffb8019e9d
```

Raw Audit Messages:

```
type=AVC msg=audit(1488517201.650:113): avc: denied { open } for pid=3438 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=11758 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=SYSCALL msg=audit(1488517201.650:113): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2e1e0474b0 a1=80000 a2=1b6 a3=24 items=0 ppid=3428 pid=3438 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=3 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
```

Hash: sendmail,system_mail_t,sysctl_net_t,file,open

Version-Release number of selected component: selinux-policy-3.13.1-102.el7_3.13.noarch

Additional Information

- reporter: libreport-2.1.11.1
- hashmarkername: setroubleshoot
- kernel: 3.10.0-514.6.2.el7.x86_64
- reproducible: Not sure how to reproduce the problem
- type: libreport

| Field | Value |
|---|---|
| Tags | No tags attached. |
| abrt_hash | 5b222360e5d921a9ea3b145ea43980ab1e0f56a4874f762afb80718c79469590 |
| URL | |
Seems reproducible on a fresh updated install. Standard users can send mails; that doesn't trigger the event. But mails sent from crontab generate the issue. Could be redundant with that report ID where I already added some findings: https://bugs.centos.org/view.php?id=12396

To solve my crontab and mail issue, it seems I would need to add the following rule:

```
allow system_mail_t sysctl_net_t:file open;
```

Additionally, I noticed ausearch is bogus (adds garbage at EOL), as described in: https://bugzilla.redhat.com/show_bug.cgi?id=1408248
And I now noticed also the following event, triggered by my mails sent by crontab:

```
setroubleshoot[16623]: failed to retrieve rpm info for /proc/sys/net/ipv6/conf/all/disable_ipv6
```
Now I patched it using my own "mypolicy.te" below. "open" wasn't enough; it triggered "SELinux is preventing /usr/sbin/sendmail.sendmail from getattr access on the file". So I added "getattr open read". Now my crontab sends out mails without SELinux complaints about the disable_ipv6 file...

```
# cat mypolicy.te
module mypolicy 1.0;

require {
	type sendmail_t;
	type sysctl_net_t;
	type system_mail_t;
	class file { getattr open read };
	class dir search;
}

allow system_mail_t sysctl_net_t:file { getattr open read };
```

```
# checkmodule -M -m -o mypolicy.mod mypolicy.te
checkmodule: loading policy configuration from mypolicy.te
checkmodule: policy configuration loaded
# semodule_package -m mypolicy.mod -o mypolicy.pp
# semodule -i mypolicy.pp
```
Same thing here:

```
type=AVC msg=audit(1549609502.331:2251207): avc: denied { search } for pid=25846 comm="sendmail" name="net" dev="proc" ino=51427866 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1549609502.331:2251207): avc: denied { read } for pid=25846 comm="sendmail" name="disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.331:2251207): avc: denied { open } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.332:2251208): avc: denied { getattr } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
```
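The notes above show why a hand-written rule for `open` alone kept producing new denials: one failing `sendmail` invocation generates several AVC records (a `search` on the `net` directory, then `read`, `open` and `getattr` on the file), and a local module has to cover all of them. The following is an added example, not code from this report or from the audit2allow tool: a small, simplified reimplementation of what `ausearch --raw | audit2allow` does, run over the four AVC records quoted in the last note (plus one constructed, abbreviated SYSCALL record to show that non-AVC lines are ignored). It groups denied permissions by source type, target type and object class, then renders a `.te` module in the same shape as the reporter's `mypolicy.te`. Function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in the last note of
# this report, one per line as they appear in /var/log/audit/audit.log, plus
# one abbreviated SYSCALL record (constructed) to exercise the type filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1549609502.331:2251207): avc: denied { search } for pid=25846 comm="sendmail" name="net" dev="proc" ino=51427866 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1549609502.331:2251207): avc: denied { read } for pid=25846 comm="sendmail" name="disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.331:2251207): avc: denied { open } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.332:2251208): avc: denied { getattr } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=SYSCALL msg=audit(1549609502.332:2251208): arch=x86_64 syscall=open success=no exit=EACCES comm=sendmail exe=/usr/sbin/sendmail.sendmail
"""

# Matches the parts of an AVC record that a policy rule is built from:
# the denied permission set and the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Aggregate denied permissions keyed by (source type, target type, class).

    Only type=AVC records are considered; SYSCALL and other record types in
    the same audit event carry no permission information.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def fmt_perms(perms):
    """Render a permission set in .te syntax: a bare word or a braced list."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(denials, name="mypolicy", version="1.0"):
    """Render a .te module: a require block plus one allow rule per key."""
    types = sorted({s for (s, _, _) in denials} | {t for (_, t, _) in denials})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        lines.append(f"\tclass {cls} {fmt_perms(classes[cls])};")
    lines += ["}", ""]
    for key in sorted(denials):
        src, tgt, cls = key
        lines.append(f"allow {src} {tgt}:{cls} {fmt_perms(denials[key])};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints a module equivalent to the reporter's, with the dir search rule
    # the last note's denials also require.
    print(render_module(parse_denials(SAMPLE_AUDIT_LOG)))
```

Before loading a module generated this way (with `checkmodule`, `semodule_package` and `semodule -i` as in the note above), read the `allow` lines: the target type should be exactly what the denial names (`sysctl_net_t` here), and the permission set should contain nothing beyond what the aggregated records asked for. As the setroubleshoot catchall message itself says, the local module is a workaround; the durable fix is the policy package change this issue requests.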