Bug
Resolution: Unresolved
Minor
rhel-9.7
rhel-security-selinux
What were you trying to do that didn't work?
When dnf-automatic.service is configured to send a mail on completion, the following AVC is logged; functionality is not affected:
type=PROCTITLE msg=audit(01/30/2026 09:44:21.878:126) : proctitle=sendmail -i -- root@example.com root
type=EXECVE msg=audit(01/30/2026 09:44:21.878:126) : argc=5 a0=sendmail a1=-i a2=-- a3=root@example.com a4=root
type=SYSCALL msg=audit(01/30/2026 09:44:21.878:126) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55bbdd868160 a1=0x55bbdd869530 a2=0x55bbdd80cda0 a3=0x8 items=0 ppid=15941 pid=16034 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.postfix subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc: denied { append } for pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc: denied { append } for pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
The socket is the journal stream socket to which systemd redirects the service's STDOUT and STDERR file descriptors.
The AVC occurs when execve transitions the process from rpm_script_t to system_mail_t:
16034 [rpm_script_t] 09:44:21.879223 execve("/usr/sbin/sendmail" [sendmail_exec_t], ["sendmail", "-i", "--", "root@example.com", "root"], ["PWD=/", "SYSTEMD_EXEC_PID=14932", "LANG=en_US.UTF-8", "INVOCATION_ID=b8e6ae76741f4cb286a7c8483901512d", "ABRT_IGNORE_PYTHON=1", "SHLVL=0", "JOURNAL_STREAM=8:39281", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin", "_=/usr/bin/mail", "LOGNAME=root", "HOME=/root", "TMPDIR=/tmp", "COLUMNS=80", "LINES=24", "MAILRC=~/.mailrc"] <unfinished ...>
16034 [system_mail_t] 09:44:21.880425 <... execve resumed>) = 0 <0.000994>
The root cause is that system_mail_t has no rule allowing it to write to the journal stream socket.
There is a rule for the systemprocess attribute, but system_mail_t is NOT a member of that attribute:
# sesearch -A -s systemprocess -t init_t -c unix_stream_socket -p append
[...]
allow systemprocess init_t:unix_stream_socket { append getattr ioctl read write };
[...]
# sesearch -A -s system_mail_t -t init_t -c unix_stream_socket -p append
--> nothing
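To show what the missing rule looks like in a form that can be tested locally while the policy fix is pending, the following is an added example (not part of this report and not selinux-policy code). It parses AVC records as printed by ausearch -i, merges denials that share the same source type, target type and object class, and renders them as a CIL module. The sample input is the denial quoted above; the module name is this example's own choice.

```python
"""Derive a minimal local SELinux policy module from AVC denial records.

Added example, not part of the bug report or of selinux-policy. It parses
AVC lines as printed by `ausearch -i`, merges denials that share the same
(source type, target type, object class), and renders them as a CIL module.
The sample input is the denial from the report; the module name is this
example's own choice.
"""
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the report. STDOUT and STDERR
# of the service both point at the same journal stream socket, which is why
# the same denial is logged twice under one audit serial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc: denied { append } for pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(01/30/2026 09:44:21.878:126) : avc: denied { append } for pid=16034 comm=sendmail path=socket:[39281] dev="sockfs" ino=39281 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
"""

# One AVC record: the permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial in text."""
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # PROCTITLE, SYSCALL, EXECVE records etc. carry no denial
        yield (
            context_type(match["scontext"]),
            context_type(match["tcontext"]),
            match["tclass"],
            frozenset(match["perms"].split()),
        )


def collect_rules(text):
    """Merge denials that share (source, target, class) into one permission set."""
    merged = defaultdict(set)
    for source, target, tclass, perms in parse_avcs(text):
        merged[(source, target, tclass)].update(perms)
    return {key: frozenset(perms) for key, perms in merged.items()}


def to_cil(rules, module_name="local_mail_journal"):
    """Render merged rules as CIL, which `semodule -i <file>.cil` loads directly."""
    lines = [f"; {module_name}: local workaround generated from AVC denials"]
    for (source, target, tclass), perms in sorted(rules.items()):
        lines.append(f"(allow {source} {target} ({tclass} ({' '.join(sorted(perms))})))")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Writes the CIL text; redirect it to local_mail_journal.cil to load it.
    print(to_cil(collect_rules(SAMPLE_AUDIT)), end="")
```

For the sample above this yields a single statement, (allow system_mail_t init_t (unix_stream_socket (append))), which can be loaded with semodule -i local_mail_journal.cil and removed again with semodule -r local_mail_journal once a fixed selinux-policy is installed. A module generated from one run only covers what was denied so far; the systemprocess rule shown above grants { append getattr ioctl read write }, so after loading the module the service should be run again and ausearch -m AVC -ts recent checked for further denials.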
What is the impact of this issue to you?
Cosmetic, because the functionality works, but it generates an AVC, which is always bad.
Please provide the package NVR for which the bug is seen:
selinux-policy-38.1.65-1.el9.noarch
How reproducible is this bug?:
Always
Steps to reproduce
- Install postfix and s-nail
- Configure dnf-automatic to send mails (/etc/dnf/automatic.conf)
apply_updates = yes
emit_via = command_email
command_format = mail -Ssendwait -s {subject} {email_from} {email_to}
- Downgrade a package
- Execute dnf-automatic.service
Expected results
No AVC
Actual results
AVC above.