AVC showing up when dnf-automatic is configured to send a mail on completion


      What were you trying to do that didn't work?

      When dnf-automatic.service is configured to send a mail on completion, the following AVC is seen, without the functionality being affected:

      type=PROCTITLE msg=audit(01/30/2026 09:44:21.878:126) : proctitle=sendmail -i -- root@example.com root 
      type=EXECVE msg=audit(01/30/2026 09:44:21.878:126) : argc=5 a0=sendmail a1=-i a2=-- a3=root@example.com a4=root 
      type=SYSCALL msg=audit(01/30/2026 09:44:21.878:126) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bbdd868160 a1=0x55bbdd869530 a2=0x55bbdd80cda0 a3=0x8 items=0 ppid=15941 pid=16034 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.postfix subj=system_u:system_r:system_mail_t:s0 key=(null) 
      type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc:  denied  { append } for  pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0 
      type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc:  denied  { append } for  pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0 
      

      The socket is the journal stream socket that systemd attaches to the service's STDOUT and STDERR file descriptors.
      The AVC occurs when execve transitions the process from rpm_script_t to system_mail_t:

      16034 [rpm_script_t] 09:44:21.879223 execve("/usr/sbin/sendmail" [sendmail_exec_t], ["sendmail", "-i", "--", "root@example.com", "root"], ["PWD=/", "SYSTEMD_EXEC_PID=14932", "LANG=en_US.UTF-8", "INVOCATION_ID=b8e6ae76741f4cb286a7c8483901512d", "ABRT_IGNORE_PYTHON=1", "SHLVL=0", "JOURNAL_STREAM=8:39281", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin", "_=/usr/bin/mail", "LOGNAME=root", "HOME=/root", "TMPDIR=/tmp", "COLUMNS=80", "LINES=24", "MAILRC=~/.mailrc"] <unfinished ...>
      16034 [system_mail_t] 09:44:21.880425 <... execve resumed>) = 0 <0.000994>
      

      The root cause is that system_mail_t has no rule allowing it to write to the journal socket.
      There is a rule for the systemprocess attribute, but system_mail_t is NOT part of that attribute:

      # sesearch -A -s systemprocess -t init_t -c unix_stream_socket -p append
      [...]
      allow systemprocess init_t:unix_stream_socket { append getattr ioctl read write };
      [...]
      
      # sesearch -A -s system_mail_t -t init_t -c unix_stream_socket -p append
      --> nothing
      
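The triage above can be reproduced from the audit records alone: pull the denial tuple out of each AVC line, collapse the repeated records, confirm that the denied inode is the one named by the JOURNAL_STREAM=dev:ino variable systemd exported to the unit, and render the allow rule that would cover it (the same rule audit2allow would print). The script below is an added example and not part of the report; its sample records are copied from the audit and strace output quoted above, and the function names are my own.

```python
"""Triage an SELinux denial against a journal stream socket (added example).

Parses `ausearch -i` style AVC records, confirms the target socket is the unit's
journal stream (JOURNAL_STREAM=dev:ino in the execve environment) and renders the
allow rule a policy module would need to cover the denial.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied from the audit records quoted in the report above.
AUDIT_SAMPLE = """\
type=PROCTITLE msg=audit(01/30/2026 09:44:21.878:126) : proctitle=sendmail -i -- root@example.com root
type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc:  denied  { append } for  pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc:  denied  { append } for  pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
"""

# Constructed sample: the environment systemd handed to the unit, as seen in the
# strace output above. JOURNAL_STREAM=dev:ino identifies the stdout/stderr socket.
EXECVE_ENV = ["PWD=/", "SYSTEMD_EXEC_PID=14932", "JOURNAL_STREAM=8:39281", "_=/usr/bin/mail"]

_VERDICT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_FIELD_RE = re.compile(r"\b(\w+)=(\S+)")


def domain(context: str) -> str:
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record into its denial tuple; return None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    verdict = _VERDICT_RE.search(line)
    if verdict is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return {
        "verdict": verdict.group(1),
        "perms": frozenset(verdict.group(2).split()),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "ino": int(fields["ino"]) if "ino" in fields else None,
        "permissive": fields.get("permissive") == "1",
    }


def journal_stream(environ: List[str]) -> Optional[Tuple[int, int]]:
    """Return (dev, ino) of the journal stream socket systemd attached to stdout/stderr."""
    for entry in environ:
        if entry.startswith("JOURNAL_STREAM="):
            dev, ino = entry.split("=", 1)[1].split(":", 1)
            return int(dev), int(ino)
    return None


def allow_rule(denial: Dict[str, object]) -> str:
    """Render the allow rule covering this denial, in the form audit2allow prints."""
    perms = sorted(denial["perms"])
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f"allow {domain(denial['scontext'])} {domain(denial['tcontext'])}:"
            f"{denial['tclass']} {perm_text};")


def triage(audit_text: str, environ: List[str]) -> Dict[str, object]:
    """Collapse repeated AVC records, flag journal-socket hits and list the needed rules."""
    seen: Dict[tuple, Dict[str, object]] = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d and d["verdict"] == "denied":
            key = (d["scontext"], d["tcontext"], d["tclass"], d["perms"])
            seen.setdefault(key, d)
    journal = journal_stream(environ)
    denials = list(seen.values())
    return {
        "denials": denials,
        "journal_socket_hits": [d for d in denials if journal and d["ino"] == journal[1]],
        "rules": sorted({allow_rule(d) for d in denials}),
    }


if __name__ == "__main__":
    result = triage(AUDIT_SAMPLE, EXECVE_ENV)
    for d in result["denials"]:
        tag = "  [journal stream socket]" if d in result["journal_socket_hits"] else ""
        print(f"{domain(d['scontext'])} -> {domain(d['tcontext'])}:{d['tclass']} "
              f"{sorted(d['perms'])}{tag}")
    print("\n".join(result["rules"]))
```

Run against the sample, the two identical AVC records collapse into a single denial whose inode 39281 matches the JOURNAL_STREAM inode, which is exactly the correlation the report makes, and the rendered rule is `allow system_mail_t init_t:unix_stream_socket append;`. Packaging that rule in a local module only papers over the gap on one host; the durable fix is in selinux-policy itself, where the journal rule is granted to the systemprocess attribute that system_mail_t is not part of.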

      What is the impact of this issue to you?

      Cosmetic, because the functionality works, but it generates an AVC, which is always bad.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.65-1.el9.noarch

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install postfix and s-nail
      2. Configure dnf-automatic to send mails (/etc/dnf/automatic.conf):
        apply_updates = yes
        emit_via = command_email
        command_format = mail -Ssendwait -s {subject} {email_from} {email_to}
      3. Downgrade a package
      4. Execute dnf-automatic.service

      Expected results

      No AVC

      Actual results

      The AVC shown above.

      Zdenek Pytela (rhn-support-zpytela)
      Renaud Métrich (rhn-support-rmetrich)
      SSG Security QE