danami
TITLE
SELinux errors due to ARC mail handler
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Product version: Plesk Obsidian 18.0.61.5
OS version: AlmaLinux 8.10 x86_64
Build date: 2024/06/03 06:00
Revision: 2026579414e1f3771ec1d118e76d7b49d4a8a6a4
PROBLEM DESCRIPTION
We are seeing these in the SELinux audit log:
grep python3 /var/log/audit/audit.log
Code:
type=AVC msg=audit(1718712818.484:10151501): avc: denied { execute } for pid=1850519 comm="python3" name="ldconfig" dev="dm-0" ino=616334363 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712818.484:10151501): arch=c000003e syscall=59 success=no exit=-13 a0=7f6f9eee72f0 a1=7f6f9eebdb10 a2=7f6f9eebdb28 a3=18 items=0 ppid=1850518 pid=1850519 auid=4294967295 uid=30 gid=30 euid=30 suid=30 fsuid=30 egid=30 sgid=30 fsgid=30 tty=(none) ses=4294967295 comm="python3" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:sendmail_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="popuser" GID="popuser" EUID="popuser" SUID="popuser" FSUID="popuser" EGID="popuser" SGID="popuser" FSGID="popuser"
type=AVC msg=audit(1718712818.494:10151502): avc: denied { execute } for pid=1850524 comm="python3" name="ldconfig" dev="dm-0" ino=616334363 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712818.494:10151502): arch=c000003e syscall=59 success=no exit=-13 a0=7f6f9eee72f0 a1=7f6f9eebdb10 a2=7f6f9eebdb58 a3=18 items=0 ppid=1850518 pid=1850524 auid=4294967295 uid=30 gid=30 euid=30 suid=30 fsuid=30 egid=30 sgid=30 fsgid=30 tty=(none) ses=4294967295 comm="python3" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:sendmail_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="popuser" GID="popuser" EUID="popuser" SUID="popuser" FSUID="popuser" EGID="popuser" SGID="popuser" FSGID="popuser"
type=AVC msg=audit(1718712888.098:10151517): avc: denied { execute } for pid=1851609 comm="python3" name="ldconfig" dev="dm-0" ino=616334363 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712888.098:10151517): arch=c000003e syscall=59 success=no exit=-13 a0=7fd7485302f0 a1=7fd748506b10 a2=7fd748506b28 a3=18 items=0 ppid=1851608 pid=1851609 auid=4294967295 uid=30 gid=30 euid=30 suid=30 fsuid=30 egid=30 sgid=30 fsgid=30 tty=(none) ses=4294967295 comm="python3" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:sendmail_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="popuser" GID="popuser" EUID="popuser" SUID="popuser" FSUID="popuser" EGID="popuser" SGID="popuser" FSGID="popuser"
After some research it looks like this is because of the ARC mail handler. This gets logged with every incoming mail. The ARC mail handler launches a process like this which gets denied:
Code:
popuser 1849070 0.0 0.0 86104 17408 ? R 06:10 0:00 /usr/bin/python3 -Estt /usr/local/psa/handlers/hooks/arc-sign dkimsel=default sender@example.com recipient@example.com
If I turn off the ARC handler then the SELinux errors are gone:
Code:
plesk bin settings -s mail_arc_sign=false
/usr/lib64/plesk-9.0/mail_dk_restore
STEPS TO REPRODUCE
1. Watch the SELinux audit log with: tail -f /var/log/audit/audit.log | grep denied
2. Send an incoming email to an email address on the server with the ARC mail handler enabled. You should see the denied error.
ACTUAL RESULT
You will see the error:
Code:
type=AVC msg=audit(1718712888.108:10151518): avc: denied { execute } for pid=1851614 comm="python3" name="ldconfig" dev="dm-0" ino=616334363 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712888.108:10151518): arch=c000003e syscall=59 success=no exit=-13 a0=7fd7485302f0 a1=7fd748506b10 a2=7fd748506b58 a3=18 items=0 ppid=1851608 pid=1851614 auid=4294967295 uid=30 gid=30 euid=30 suid=30 fsuid=30 egid=30 sgid=30 fsgid=30 tty=(none) ses=4294967295 comm="python3" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:sendmail_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="popuser" GID="popuser" EUID="popuser" SUID="popuser" FSUID="popuser" EGID="popuser" SGID="popuser" FSGID="popuser"
EXPECTED RESULT
The ARC mail handler shouldn't log errors as it puts extra load on a busy server.
ANY ADDITIONAL INFORMATION
(DID NOT ANSWER QUESTION)
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
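
An added triage example, not part of the original report and not Plesk code: it joins each AVC denial to the SYSCALL record with the same audit serial, then counts the distinct denied accesses and the denials per parent process. The function names are hypothetical, and the sample is constructed from the four events quoted above with fields abridged.

```python
import re
from collections import Counter

SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}.*?scontext=(?P<scontext>\S+) "
                 r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the four events from the report (fields abridged) plus one unrelated record.
SAMPLE = """\
type=AVC msg=audit(1718712818.484:10151501): avc: denied { execute } for pid=1850519 comm="python3" name="ldconfig" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712818.484:10151501): arch=c000003e syscall=59 success=no exit=-13 ppid=1850518 pid=1850519 uid=30 comm="python3" exe="/usr/libexec/platform-python3.6"
type=AVC msg=audit(1718712818.494:10151502): avc: denied { execute } for pid=1850524 comm="python3" name="ldconfig" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712818.494:10151502): arch=c000003e syscall=59 success=no exit=-13 ppid=1850518 pid=1850524 uid=30 comm="python3" exe="/usr/libexec/platform-python3.6"
type=AVC msg=audit(1718712888.098:10151517): avc: denied { execute } for pid=1851609 comm="python3" name="ldconfig" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712888.098:10151517): arch=c000003e syscall=59 success=no exit=-13 ppid=1851608 pid=1851609 uid=30 comm="python3" exe="/usr/libexec/platform-python3.6"
type=AVC msg=audit(1718712888.108:10151518): avc: denied { execute } for pid=1851614 comm="python3" name="ldconfig" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718712888.108:10151518): arch=c000003e syscall=59 success=no exit=-13 ppid=1851608 pid=1851614 uid=30 comm="python3" exe="/usr/libexec/platform-python3.6"
type=CRED_DISP msg=audit(1718712890.001:10151519): pid=1851700 uid=0 res=success
"""

def parse_denials(text):
    """Join each AVC denial to the SYSCALL record that shares its audit serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        if line.startswith("type=AVC") and (a := AVC.search(line)):
            avcs.append((m.group(1), a.groupdict()))
        elif line.startswith("type=SYSCALL"):
            syscalls[m.group(1)] = {k: v.strip('"') for k, v in FIELD.findall(line)}
    denials = []
    for serial, avc in avcs:
        sc = syscalls.get(serial, {})  # an AVC may arrive without its SYSCALL record
        denials.append({"perms": avc["perms"], "tclass": avc["tclass"],
                        "source": avc["scontext"].split(":")[2], "target": avc["tcontext"].split(":")[2],
                        "exe": sc.get("exe", "?"), "ppid": sc.get("ppid", "?")})
    return denials

def summarize(denials):
    """Return (distinct denied accesses with counts, denials per parent process)."""
    rules = Counter((d["source"], d["target"], d["tclass"], d["perms"], d["exe"]) for d in denials)
    return rules, Counter(d["ppid"] for d in denials)

if __name__ == "__main__":
    rules, per_parent = summarize(parse_denials(SAMPLE))
    for (src, tgt, cls, perms, exe), n in rules.items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perms} }} via {exe}; per parent pid: {dict(per_parent)}")
```

On a live host, pass the contents of /var/log/audit/audit.log to `parse_denials` instead of `SAMPLE`.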