Discussion:
selinux, sendmail, and disable_ipv6
mark
2018-11-20 15:46:01 UTC
Just started seeing this on one server:
python: SELinux is preventing sendmail from read access on the file
disable_ipv6.

It recommends a local policy. Now, searching, I see someone filed a bug
for CentOS last year, 0012914, and they wound up creating a policy.

Cmts?

Note, btw, that the system has two IPv6 addresses - my manager has fallen
for slack. Both valid.

mark
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.o
Lukas Vrabec
2018-11-21 16:42:28 UTC
Hi Mark,

Could you reproduce your issue and then attach output of:

# ausearch -m AVC -m USER_AVC -ts today

Thanks,
Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
mark
2018-11-21 18:18:24 UTC
Hi, Lukas,
Post by Lukas Vrabec
# ausearch -m AVC -m USER_AVC -ts today
Here's an abbreviated o/p, as in this happened at 11:08 today:
time->Wed Nov 21 11:08:55 2018
type=PROCTITLE msg=audit(1542816535.125:26908):
proctitle=2F7573722F7362696E2F73656E646D61696C002D4643726F6E4461656D6F6E002D69002D6F6469002D6F656D002D6F69002D74002D6600726F6F74
type=SYSCALL msg=audit(1542816535.125:26908): arch=c000003e syscall=2
success=yes exit=3 a0=7f52d568d0b8 a1=80000 a2=1b6 a3=24 items=0
ppid=54786 pid=55276 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
sgid=51 fsgid=51 tty=(none) ses=935 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1542816535.125:26908): avc: denied { open } for
pid=55276 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6"
dev="proc" ino=25607
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1542816535.125:26908): avc: denied { read } for
pid=55276 comm="sendmail" name="disable_ipv6" dev="proc" ino=25607
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Wed Nov 21 11:08:55 2018
type=PROCTITLE msg=audit(1542816535.125:26909):
proctitle=2F7573722F7362696E2F73656E646D61696C002D4643726F6E4461656D6F6E002D69002D6F6469002D6F656D002D6F69002D74002D6600726F6F74
type=SYSCALL msg=audit(1542816535.125:26909): arch=c000003e syscall=5
success=yes exit=0 a0=3 a1=7fff06a576c0 a2=7fff06a576c0 a3=0 items=0
ppid=54786 pid=55276 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
sgid=51 fsgid=51 tty=(none) ses=935 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1542816535.125:26909): avc: denied { getattr } for
pid=55276 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6"
dev="proc" ino=25607
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

mark
Lukas Vrabec
2018-11-21 21:10:03 UTC
Hi Mark,

I believe you'll find the answer here:

https://danwalsh.livejournal.com/47118.html

Thanks,
Lukas.
mark
2018-11-21 21:16:45 UTC
Hi, Lukas,
Post by Lukas Vrabec
https://danwalsh.livejournal.com/47118.html
But we don't *want* to disable IPv6. We rolled it out several years ago.

mark
Michael Bunk
2018-11-22 09:05:04 UTC
Hi Mark,
Post by mark
time->Wed Nov 21 11:08:55 2018 type=PROCTITLE
proctitle=2F7573722F7362696E2F73656E646D61696C002D4643726F6E4461656D6F6E
002D69002D6F6469002D6F656D002D6F69002D74002D6600726F6F74
type=SYSCALL msg=audit(1542816535.125:26908): arch=c000003e syscall=2
success=yes exit=3 a0=7f52d568d0b8 a1=80000 a2=1b6 a3=24 items=0
ppid=54786 pid=55276 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
sgid=51 fsgid=51 tty=(none) ses=935 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1542816535.125:26908): avc: denied { open } for
pid=55276 comm="sendmail"
path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=25607
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1542816535.125:26908): avc: denied { read } for
pid=55276 comm="sendmail" name="disable_ipv6" dev="proc" ino=25607
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
I think this is caused by a leaking file descriptor to
/proc/sys/net/ipv6/conf/all/disable_ipv6 from whatever cronjob you are
running, which calls sendmail.

Best regards,
Michael
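As an added triage example (not from the thread or any of its participants): a small Python script that groups the ausearch records Mark posted by audit serial, decodes the PROCTITLE hex to recover the cron-invoked sendmail command line, and reports the denied permissions per source/target type, which is what a policy author or bug report needs. The sample input is the thread's own records with the SYSCALL lines abridged; the `enforced` flag is derived from the fact that an AVC denial next to `success=yes` means the access still went through, i.e. the domain or system was permissive.

```python
import re
# Constructed sample: the thread's ausearch records, SYSCALL lines abridged to the fields read below.
SAMPLE_AUSEARCH = """\
type=PROCTITLE msg=audit(1542816535.125:26908): proctitle=2F7573722F7362696E2F73656E646D61696C002D4643726F6E4461656D6F6E002D69002D6F6469002D6F656D002D6F69002D74002D6600726F6F74
type=SYSCALL msg=audit(1542816535.125:26908): arch=c000003e syscall=2 success=yes exit=3 a1=80000 pid=55276 comm="sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023
type=AVC msg=audit(1542816535.125:26908): avc: denied { open } for pid=55276 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=25607 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1542816535.125:26908): avc: denied { read } for pid=55276 comm="sendmail" name="disable_ipv6" dev="proc" ino=25607 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
type=PROCTITLE msg=audit(1542816535.125:26909): proctitle=2F7573722F7362696E2F73656E646D61696C002D4643726F6E4461656D6F6E002D69002D6F6469002D6F656D002D6F69002D74002D6600726F6F74
type=SYSCALL msg=audit(1542816535.125:26909): arch=c000003e syscall=5 success=yes exit=0 a0=3 pid=55276 comm="sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023
type=AVC msg=audit(1542816535.125:26909): avc: denied { getattr } for pid=55276 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=25607 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # the serial that ties records of one event together
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def decode_proctitle(raw):
    """PROCTITLE is argv joined with NULs and hex-encoded (quoted instead if fully printable)."""
    if raw.startswith('"'):
        return [raw.strip('"')]
    return bytes.fromhex(raw).decode('utf-8', 'replace').split('\x00')

def parse_ausearch(text):
    """Group the PROCTITLE/SYSCALL/AVC records of each event by its audit serial."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:  # 'time->' headers, '----' separators and blank lines
            continue
        ev = events.setdefault(m.group(1), {'argv': [], 'syscall': {}, 'avcs': []})
        raw = dict(KV_RE.findall(line))
        fields = {k: v.strip('"') for k, v in raw.items()}
        if fields['type'] == 'PROCTITLE':
            ev['argv'] = decode_proctitle(raw['proctitle'])
        elif fields['type'] == 'SYSCALL':
            ev['syscall'] = fields
        elif fields['type'] == 'AVC':
            fields['perms'] = PERMS_RE.search(line).group(1).split()
            ev['avcs'].append(fields)
    return events

def summarize(events):
    """One triage row per AVC denial: which domain was denied which permissions on which label."""
    return [{'serial': serial, 'cmdline': ' '.join(ev['argv']),
             'source_type': avc['scontext'].split(':')[2],   # e.g. system_mail_t
             'target_type': avc['tcontext'].split(':')[2],   # e.g. sysctl_net_t
             'tclass': avc['tclass'], 'perms': avc['perms'],
             'object': avc.get('path') or avc.get('name'),
             # 'denied' together with SYSCALL success=yes: the access went through anyway (permissive)
             'enforced': ev['syscall'].get('success') == 'no'}
            for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])) for avc in ev['avcs']]
```

Running `summarize(parse_ausearch(SAMPLE_AUSEARCH))` yields three rows, all system_mail_t against sysctl_net_t, with the recovered command line `/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root` confirming the cron origin Michael points at.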