View Issue Details

ID: 0012914
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2019-02-08 15:20
Reporter: mjeghers
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Platform:
OS:
OS Version: 7
Product Version:
Target Version:
Fixed in Version:
Summary: 0012914: SELinux is preventing /usr/sbin/sendmail.sendmail from 'open' accesses on the file /proc/sys/net/ipv6/conf/all/disable_ipv6.
Description:
Description of problem:
The notification comes up unsolicited and at random times. Sendmail is not yet configured, but I will set it up later.
SELinux is preventing /usr/sbin/sendmail.sendmail from 'open' accesses on the file /proc/sys/net/ipv6/conf/all/disable_ipv6.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that sendmail.sendmail should be allowed open access on the disable_ipv6 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -i my-sendmail.pp

Additional Information:
Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv6/conf/all/disable_ipv6 [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host (removed)
Source RPM Packages sendmail-8.14.7-4.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64
Alert Count 3
First Seen 2017-03-02 03:00:02 EST
Last Seen 2017-03-03 00:00:01 EST
Local ID dadf7124-e8be-4d2f-bb88-81ffb8019e9d

Raw Audit Messages
type=AVC msg=audit(1488517201.650:113): avc: denied { open } for pid=3438 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=11758 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file


type=SYSCALL msg=audit(1488517201.650:113): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2e1e0474b0 a1=80000 a2=1b6 a3=24 items=0 ppid=3428 pid=3438 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=3 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: sendmail,system_mail_t,sysctl_net_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-102.el7_3.13.noarch
Additional Information: reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-514.6.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.
abrt_hash: 5b222360e5d921a9ea3b145ea43980ab1e0f56a4874f762afb80718c79469590
URL:

Activities

bkant (reporter)   2017-04-23 19:16   ~0029133

Seems reproducible on a fresh, updated install. Standard users can send mails; that doesn't trigger the event. But mails sent from crontab generate the issue.

Could be redundant with that report ID, where I already added some findings:
https://bugs.centos.org/view.php?id=12396

To solve my crontab and mail issue, it seems I would need to add the following rule:

allow system_mail_t sysctl_net_t:file open;


Additionally, I noticed ausearch is bogus (adds garbage at EOL), as described in:
https://bugzilla.redhat.com/show_bug.cgi?id=1408248

bkant (reporter)   2017-04-23 19:18   ~0029134

And I now also noticed the following event, triggered by my mails sent by crontab:

setroubleshoot[16623]: failed to retrieve rpm info for /proc/sys/net/ipv6/conf/all/disable_ipv6

bkant (reporter)   2017-04-23 20:01   ~0029137

Now I patched it using my own "mypolicy.te" below. "open" wasn't enough; it triggered "SELinux is preventing /usr/sbin/sendmail.sendmail from getattr access on the file". So I added "getattr open read".

Now my crontab sends out mails without SELinux/disable_ipv6 file complaints...


# cat mypolicy.te
module mypolicy 1.0;

require {
        type sendmail_t;
        type sysctl_net_t;
        type system_mail_t;
        class file { getattr open read };
        class dir search;
}

# Read-only access to files labelled sysctl_net_t (the /proc/sys/net tree);
# the three permissions are the ones the AVC denials for disable_ipv6 asked for.
allow system_mail_t sysctl_net_t:file { getattr open read };


# checkmodule -M -m -o mypolicy.mod mypolicy.te
checkmodule: loading policy configuration from mypolicy.te
checkmodule: policy configuration loaded


# semodule_package -m mypolicy.mod -o mypolicy.pp

# semodule -i mypolicy.pp

BlueH2O (reporter)   2019-02-08 15:20   ~0033793

Same thing here:

type=AVC msg=audit(1549609502.331:2251207): avc: denied { search } for pid=25846 comm="sendmail" name="net" dev="proc" ino=51427866 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1549609502.331:2251207): avc: denied { read } for pid=25846 comm="sendmail" name="disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.331:2251207): avc: denied { open } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.332:2251208): avc: denied { getattr } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
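
The denials BlueH2O quotes are the full set bkant's module ends up having to cover: search on the net directory plus read, open and getattr on the file. As an added example, not from the report, from setroubleshoot, or from any commenter, the script below does what the `ausearch ... | audit2allow -M` step in the setroubleshoot suggestion does: it parses raw AVC records, merges and de-duplicates permissions per (source type, target type, class), emits the .te source, and wraps bkant's checkmodule / semodule_package / semodule steps in a function. The sample input is the page's own AVC lines (plus a shortened SYSCALL record, to show non-AVC records are skipped); the module name mysendmail is an assumption.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style generator for the AVC records in this
# report. It is not from the CentOS bug, setroubleshoot, or any commenter. The module
# name "mysendmail" is an arbitrary choice (assumption).

# Constructed input: the AVC lines quoted in the original report and in BlueH2O's
# note, plus one SYSCALL record (shortened) to show that non-AVC records are ignored.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1488517201.650:113): avc: denied { open } for pid=3438 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=11758 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=SYSCALL msg=audit(1488517201.650:113): arch=x86_64 syscall=open success=no exit=EACCES comm=sendmail exe=/usr/sbin/sendmail.sendmail
type=AVC msg=audit(1549609502.331:2251207): avc: denied { search } for pid=25846 comm="sendmail" name="net" dev="proc" ino=51427866 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1549609502.331:2251207): avc: denied { read } for pid=25846 comm="sendmail" name="disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.331:2251207): avc: denied { open } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1549609502.332:2251208): avc: denied { getattr } for pid=25846 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=51427870 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
EOF
)

# avc_to_te NAME < audit-lines
# Emits policy module source (.te) allowing exactly the denied accesses: one allow
# rule per (source type, target type, class), permissions merged and de-duplicated,
# everything in first-seen order so the output is deterministic.
avc_to_te() {
    awk -v mod="$1" '
    /avc: *denied/ {
        perms = $0                                  # text between "denied {" and "}"
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        s = $0; sub(/.*scontext=/, "", s); sub(/[ \t\r].*/, "", s)
        t = $0; sub(/.*tcontext=/, "", t); sub(/[ \t\r].*/, "", t)
        c = $0; sub(/.*tclass=/, "", c);   sub(/[ \t\r].*/, "", c)   # trailing junk trimmed
        split(s, sa, ":"); stype = sa[3]            # user:role:type[:range] -> type
        split(t, ta, ":"); ttype = ta[3]

        if (!(stype in types)) { types[stype] = 1; tlist[++nt] = stype }
        if (!(ttype in types)) { types[ttype] = 1; tlist[++nt] = ttype }
        if (!(c in classes))   { classes[c] = 1;   clist[++nc] = c }

        key = stype SUBSEP ttype SUBSEP c
        if (!(key in rules)) { rules[key] = ""; klist[++nk] = key }

        n = split(perms, pa, " ")
        for (i = 1; i <= n; i++) {
            if (!((key SUBSEP pa[i]) in seen)) {    # same perm denied twice -> once
                seen[key SUBSEP pa[i]] = 1
                rules[key] = rules[key] " " pa[i]
            }
            if (!((c SUBSEP pa[i]) in cseen)) {     # perms the require block must list
                cseen[c SUBSEP pa[i]] = 1
                cperms[c] = cperms[c] " " pa[i]
            }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperms[clist[i]]
        printf "}\n\n"
        for (i = 1; i <= nk; i++) {
            split(klist[i], k, SUBSEP)
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rules[klist[i]]
        }
    }'
}

# build_module NAME: the checkmodule / semodule_package / semodule steps from
# bkant's note, run only where the SELinux tool chain is installed (needs root).
build_module() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed" >&2; return 1; }
    done
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -m "$1.mod" -o "$1.pp" &&
    semodule -i "$1.pp"
}

# Stand-alone run: print the generated module source (redirect to mysendmail.te
# and call build_module mysendmail to load it).
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mysendmail
```

Two checks before loading the result: the rule is written against types, so it grants read-only access to every file labelled sysctl_net_t, i.e. the whole /proc/sys/net tree, not just disable_ipv6; and `sesearch -A -s system_mail_t -t sysctl_net_t -c file` (from setools) shows whether the installed selinux-policy already carries such a rule, so a local module is only kept while it is still needed (`semodule -r mysendmail` removes it).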

Issue History

Date Modified Username Field Change
2017-03-03 05:22 mjeghers New Issue
2017-04-23 19:16 bkant Note Added: 0029133
2017-04-23 19:18 bkant Note Added: 0029134
2017-04-23 20:01 bkant Note Added: 0029137
2019-02-08 15:20 BlueH2O Note Added: 0033793