RHEL-15175

SELinux prevents the opensmtpd service from starting

    • Bug
    • Resolution: Done-Errata
    • Minor
    • rhel-9.4
    • rhel-9.3.0
    • selinux-policy
    • selinux-policy-38.1.30-1.el9
    • Low
    • sst_security_selinux
    • ssg_security
    • The opensmtpd service starts and runs successfully in enforcing mode. No SELinux denials are triggered when the default configuration is used.
    • Pass
    • Automated
    • Release Note Not Required

      What were you trying to do that didn't work?

      I wanted to know if the following problem is reproducible on RHEL-9 too:

      Please provide the package NVR for which bug is seen:

      opensmtpd-6.8.0p2-7.el9.x86_64
      selinux-policy-38.1.25-1.el9.noarch
      selinux-policy-targeted-38.1.25-1.el9.noarch

      How reproducible:

      always

      Steps to reproduce

      1. get a RHEL-9.3 machine (targeted policy is active)
      2. install the opensmtpd package (from EPEL repository)
      3. start the opensmtpd service
      4. search for SELinux denials

      Expected results

      The opensmtpd service starts and runs successfully.
      No SELinux denials are triggered.

      Actual results

      The opensmtpd service does NOT start and the following SELinux denials appear in enforcing mode:

      ----
      type=PROCTITLE msg=audit(11/01/2023 03:42:44.703:346) : proctitle=/usr/sbin/smtpd -x control 
      type=PATH msg=audit(11/01/2023 03:42:44.703:346) : item=1 name=/var/run/smtpd.sock nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=PATH msg=audit(11/01/2023 03:42:44.703:346) : item=0 name=/var/run/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(11/01/2023 03:42:44.703:346) : cwd=/ 
      type=SOCKADDR msg=audit(11/01/2023 03:42:44.703:346) : saddr={ saddr_fam=local path=/var/run/smtpd.sock } 
      type=SYSCALL msg=audit(11/01/2023 03:42:44.703:346) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xa a1=0x7ffc7493f170 a2=0x6e a3=0xdb items=2 ppid=4665 pid=4667 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
      type=AVC msg=audit(11/01/2023 03:42:44.703:346) : avc:  denied  { create } for  pid=4667 comm=smtpd name=smtpd.sock scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 
      ----
      type=PROCTITLE msg=audit(11/01/2023 03:42:44.704:347) : proctitle=smtpd: scheduler 
      type=PATH msg=audit(11/01/2023 03:42:44.704:347) : item=0 name=/var/empty/smtpd inode=27263424 dev=fd:01 mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(11/01/2023 03:42:44.704:347) : cwd=/ 
      type=SYSCALL msg=audit(11/01/2023 03:42:44.704:347) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x55cd29ff188a a1=0x7 a2=0x55cd2a00fc40 a3=0x0 items=1 ppid=4665 pid=4671 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
      type=AVC msg=audit(11/01/2023 03:42:44.704:347) : avc:  denied  { sys_chroot } for  pid=4671 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0 
      ----
      type=PROCTITLE msg=audit(11/01/2023 03:42:44.705:348) : proctitle=/usr/sbin/smtpd -x queue 
      type=PATH msg=audit(11/01/2023 03:42:44.705:348) : item=0 name=/var/spool/smtpd/temporary inode=6793363 dev=fd:01 mode=dir,000 ouid=smtpq ogid=root rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(11/01/2023 03:42:44.705:348) : cwd=/ 
      type=SYSCALL msg=audit(11/01/2023 03:42:44.705:348) : arch=x86_64 syscall=chmod success=no exit=EPERM(Operation not permitted) a0=0x55bf27be5a69 a1=0700 a2=0x0 a3=0x0 items=1 ppid=4665 pid=4670 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
      type=AVC msg=audit(11/01/2023 03:42:44.705:348) : avc:  denied  { fowner } for  pid=4670 comm=smtpd capability=fowner  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0 
      ----
      type=PROCTITLE msg=audit(11/01/2023 03:42:44.705:349) : proctitle=/usr/sbin/smtpd -x pony 
      type=PATH msg=audit(11/01/2023 03:42:44.705:349) : item=0 name=/var/empty/smtpd inode=27263424 dev=fd:01 mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(11/01/2023 03:42:44.705:349) : cwd=/ 
      type=SYSCALL msg=audit(11/01/2023 03:42:44.705:349) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x5597fcdef88a a1=0x7fe31cbb9703 a2=0x0 a3=0x7fe31cb9eac0 items=1 ppid=4665 pid=4669 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/sbin/smtpd subj=system_u:system_r:sendmail_t:s0 key=(null) 
      type=AVC msg=audit(11/01/2023 03:42:44.705:349) : avc:  denied  { sys_chroot } for  pid=4669 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0 
      ----
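The four AVC records above reduce to two distinct denials for the sendmail_t domain. The following added example (not part of the bug report or of the selinux-policy project; all function names are hypothetical) parses AVC lines like those in the report, deduplicates them by source type, target type and object class, and renders the result as the allow rules audit2allow would propose; the sample records are copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records from the bug report above, one per event.
SAMPLE_AVCS = """\
type=AVC msg=audit(11/01/2023 03:42:44.703:346) : avc:  denied  { create } for  pid=4667 comm=smtpd name=smtpd.sock scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(11/01/2023 03:42:44.704:347) : avc:  denied  { sys_chroot } for  pid=4671 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0
type=AVC msg=audit(11/01/2023 03:42:44.705:348) : avc:  denied  { fowner } for  pid=4670 comm=smtpd capability=fowner  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0
type=AVC msg=audit(11/01/2023 03:42:44.705:349) : avc:  denied  { sys_chroot } for  pid=4669 comm=smtpd capability=sys_chroot  scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability permissive=0
"""

# Fields of an AVC record as printed by ausearch -i: permissions, source/target context, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the denial's type-level facts, or None for non-AVC records (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m["perms"].split()),
        "stype": m["scontext"].split(":")[2],   # user:role:TYPE:level -> type
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "enforced": m["permissive"] != "1",     # permissive=1 means logged, not blocked
    }

def summarize(text):
    """Collapse repeated denials into one (source type, target type, class) -> permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d and d["enforced"]:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)

def as_te_rules(rules):
    """Render the summary as .te allow rules, the way audit2allow would propose them."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype   # capability checks are against self
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out
```

The output is a triage summary, not the fix that shipped in selinux-policy-38.1.30-1.el9 (which the page does not show); a distribution policy may, for example, give the socket a dedicated type instead of allowing sendmail_t to create sock_file objects under var_run_t.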
      

            Zdenek Pytela
            Milos Malik
            Nikola Kňažeková (Inactive)
            Milos Malik