0012914: SELinux is preventing /usr/sbin/sendmail.sendmail from 'open' accesses on the file /proc/sys/net/ipv6/conf/all/disable_ipv6. - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0012914	CentOS-7	selinux-policy	public	2017-03-03 05:22	2019-02-08 15:20

Reporter	mjeghers
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	new	Resolution	open
Platform		OS		OS Version	7
Product Version
Target Version		Fixed in Version

Summary	0012914: SELinux is preventing /usr/sbin/sendmail.sendmail from 'open' accesses on the file /proc/sys/net/ipv6/conf/all/disable_ipv6.
Description	Description of problem: The notification comes up unsolicited and at randome times. Sendmail is not yet configured, but I will set it up later. SELinux is preventing /usr/sbin/sendmail.sendmail from 'open' accesses on the file /proc/sys/net/ipv6/conf/all/disable_ipv6. *** Plugin catchall (100. confidence) suggests ************************ If you believe that sendmail.sendmail should be allowed open access on the disable_ipv6 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sendmail' --raw \| audit2allow -M my-sendmail # semodule -i my-sendmail.pp Additional Information: Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023 Target Context system_u:object_r:sysctl_net_t:s0 Target Objects /proc/sys/net/ipv6/conf/all/disable_ipv6 [ file ] Source sendmail Source Path /usr/sbin/sendmail.sendmail Port <Unknown> Host (removed) Source RPM Packages sendmail-8.14.7-4.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-102.el7_3.13.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64 Alert Count 3 First Seen 2017-03-02 03:00:02 EST Last Seen 2017-03-03 00:00:01 EST Local ID dadf7124-e8be-4d2f-bb88-81ffb8019e9d Raw Audit Messages type=AVC msg=audit(1488517201.650:113): avc: denied { open } for pid=3438 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=11758 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=SYSCALL msg=audit(1488517201.650:113): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2e1e0474b0 a1=80000 a2=1b6 a3=24 items=0 ppid=3428 pid=3438 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=3 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) Hash: sendmail,system_mail_t,sysctl_net_t,file,open Version-Release number of selected component: selinux-policy-3.13.1-102.el7_3.13.noarch
Additional Information	reporter: libreport-2.1.11.1 hashmarkername: setroubleshoot kernel: 3.10.0-514.6.2.el7.x86_64 reproducible: Not sure how to reproduce the problem type: libreport
Tags	No tags attached.

abrt_hash	5b222360e5d921a9ea3b145ea43980ab1e0f56a4874f762afb80718c79469590
URL

bkant 2017-04-23 19:16 reporter ~0029133	Seems reproductible on a fresh updated install. Standard users can send mails, that doesn't trigger the event. But mails send from crontab generate the issue. Could be redondant with that report ID where I already added some findings: https://bugs.centos.org/view.php?id=12396 To solve my crontab and mail issue, seems I would need to add following rule: allow system_mail_t sysctl_net_t:file open; Additionnaly, I noticed ausearch is bogus (adds garbage at EOL), as described in: https://bugzilla.redhat.com/show_bug.cgi?id=1408248

bkant 2017-04-23 19:18 reporter ~0029134	And I now noticed also following event, triggered by my mails, sent by crontab: setroubleshoot[16623]: failed to retrieve rpm info for /proc/sys/net/ipv6/conf/all/disable_ipv6

bkant 2017-04-23 20:01 reporter ~0029137	Now I patched it using following own "mypolicy.te". "open" wasn't enough, triggered "SELinux is preventing /usr/sbin/sendmail.sendmail from getattr access on the file". So I added "getattr open read". Now my crontab sends out mails without selinu/disable_ipv6 file complains... # cat mypolicy.te module mypolicy 1.0; require { type sendmail_t; type sysctl_net_t; type system_mail_t; class file { getattr open read }; class dir search; } allow system_mail_t sysctl_net_t:file { getattr open read }; # checkmodule -M -m -o mypolicy.mod mypolicy.te checkmodule: loading policy configuration from mypolicy.te checkmodule: policy configuration loaded # semodule_package -m mypolicy.mod -o mypolicy.pp # semodule -i mypolicy.pp

BlueH2O 2019-02-08 15:20 reporter ~0033793	Same thing here: type=AVC msg=audit(1549609502.331:2251207): avc: denied { search } for pid=25846 comm="sendmail" name="net" dev="proc" ino=51427866 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir type=AVC msg=audit(1549609502.331:2251207): avc: denied { read } for pid=25846 comm="sendmail" name="disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1549609502.331:2251207): avc: denied { open } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file type=AVC msg=audit(1549609502.332:2251208): avc: denied { getattr } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

Date Modified	Username	Field	Change
2017-03-03 05:22	mjeghers	New Issue
2017-04-23 19:16	bkant	Note Added: 0029133
2017-04-23 19:18	bkant	Note Added: 0029134
2017-04-23 20:01	bkant	Note Added: 0029137
2019-02-08 15:20	BlueH2O	Note Added: 0033793