Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-34135

SELinux prevents the sendmail process from searching /proc/sys/net/ipv6/conf/all/disable_ipv6

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Minor Minor
    • rhel-9.5
    • rhel-9.5
    • selinux-policy
    • None
    • selinux-policy-38.1.38-1.el9
    • None
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 12
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      The logwatch timer works as expected in enforcing mode. No SELinux denials are triggered during the activity of the logwatch timer.

      Show
      The logwatch timer works as expected in enforcing mode. No SELinux denials are triggered during the activity of the logwatch timer.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • ppc64le
    • None

      What were you trying to do that didn't work?

      I believe that the activated logwatch timer executes the sendmail program which then tries to find out about IPv6.

      # sesearch -s logwatch_t -t sendmail_exec_t -c process -T
type_transition logwatch_t sendmail_exec_t:process logwatch_mail_t;
#

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.36-1.el9.noarch
      selinux-policy-devel-38.1.36-1.el9.noarch
      selinux-policy-doc-38.1.36-1.el9.noarch
      selinux-policy-mls-38.1.36-1.el9.noarch
      selinux-policy-sandbox-38.1.36-1.el9.noarch
      selinux-policy-targeted-38.1.36-1.el9.noarch

      How reproducible:

      • usually when the logwatch.timer gets activated (around midnight) on a IPv6 disabled machine

      Steps to reproduce

      Expected results

      • no SELinux denials

      Actual results

      ----
type=PROCTITLE msg=audit(04/22/2024 12:02:02.986:6442) : proctitle=sendmail -oi logcheck 
type=PATH msg=audit(04/22/2024 12:02:02.986:6442) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/22/2024 12:02:02.986:6442) : cwd=/var/lib/logcheck 
type=SYSCALL msg=audit(04/22/2024 12:02:02.986:6442) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fffdc7c3f80 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=697175 pid=697177 auid=logcheck uid=logcheck gid=logcheck euid=logcheck suid=logcheck fsuid=logcheck egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=73 comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/22/2024 12:02:02.986:6442) : avc:  denied  { search } for  pid=697177 comm=sendmail name=net dev="proc" ino=18453 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
----

              rhn-support-zpytela Zdenek Pytela
              mmalik@redhat.com Milos Malik
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: