Hello, I run a Fedora 35 server and would like setroubleshootd to send email alerts for avc denials, but I'm having trouble configuring this due to the apparent lack of support for configuring an smtp password.
The out of the box setroubleshoot.conf sets

    smtp_host = localhost
    smtp_port = 25
    from_address = SELinux_Troubleshoot

, but there is no config parameter for smtp password.
For this to actually work on a machine acting as an MTA (I have postfix running locally), the mail server would have to be configured to allow unauthenticated port 25 connections to masquerade as any local system user, which no decent postfix setup would allow.
I am not a python programmer, but in my reading of https://pagure.io/setroubleshoot/blob/main/f/framework/src/setroubleshoot/em..., it doesn't appear there is any built in way to support authenticated email sending despite the underlying smtplib being able to do it.
I would suggest either a) adding password support for smtplib, or/and b) adding an option to send mail using the sendmail binary, which allows postfix to recognize the running user without any password needed.
Has anyone else run into problems deploying the setroubleshootd email alerts in practice? email_alert.py appears simple enough to hack in password support, but I feel a security oriented project like selinux shouldn't require an insecure mail setup in order to send its alerts.
Any tips are welcome,
Thanks,
Matt
Matt Kinni matt@cipixia.com writes:
> Hello, I run a Fedora 35 server and would like setroubleshootd to send email alerts for avc denials, but I'm having trouble configuring this due to the apparent lack of support for configuring an smtp password.
> The out of the box setroubleshoot.conf sets
>
>     smtp_host = localhost
>     smtp_port = 25
>     from_address = SELinux_Troubleshoot
>
> , but there is no config parameter for smtp password.
> For this to actually work on a machine acting as an MTA (I have postfix running locally), the mail server would have to be configured to allow unauthenticated port 25 connections to masquerade as any local system user, which no decent postfix setup would allow.
> I am not a python programmer, but in my reading of https://pagure.io/setroubleshoot/blob/main/f/framework/src/setroubleshoot/em..., it doesn't appear there is any built in way to support authenticated email sending despite the underlying smtplib being able to do it.
> I would suggest either a) adding password support for smtplib, or/and b) adding an option to send mail using the sendmail binary, which allows postfix to recognize the running user without any password needed.
> Has anyone else run into problems deploying the setroubleshootd email alerts in practice? email_alert.py appears simple enough to hack in password support, but I feel a security oriented project like selinux shouldn't require an insecure mail setup in order to send its alerts.
Hello,
I'd rather avoid storing or using passwords directly in setroubleshoot but it's simple to add another option to setroubleshoot.conf which would enforce using local 'sendmail' binary instead of smtp_host.
Please take a look at https://gitlab.com/setroubleshoot/setroubleshoot/-/merge_requests/15 and let me know if this would be acceptable for you.
Thanks,
Petr
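The local-submission approach discussed in this thread (Matt's option b and the 'sendmail' option Petr describes), sketched as an added Python example; it is not the code from the merge request or from setroubleshoot. The function names, the `/usr/sbin/sendmail` path and the sample addresses are assumptions made for illustration.

```python
import subprocess
from email.message import EmailMessage

SENDMAIL = "/usr/sbin/sendmail"  # assumed path of the MTA's sendmail(1) binary


def build_alert(from_addr, recipients, subject, body):
    """Build the alert, refusing values that could inject extra headers."""
    for value in (from_addr, subject, *recipients):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value: %r" % value)
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def sendmail_argv(recipients, sendmail=SENDMAIL):
    """Argument vector for local submission; no host, port or password."""
    for rcpt in recipients:
        # A recipient starting with "-" would be parsed as a sendmail option.
        if not rcpt or rcpt.startswith("-"):
            raise ValueError("unsafe recipient: %r" % rcpt)
    # -i: a line holding only "." must not end the message early.
    return [sendmail, "-i", *recipients]


def send_alert(msg, recipients, sendmail=SENDMAIL, timeout=30):
    """Pipe the message to sendmail; the MTA sees the caller's own UID."""
    argv = sendmail_argv(recipients, sendmail)
    # No shell is involved, so nothing in the message is ever interpreted.
    proc = subprocess.run(argv, input=msg.as_bytes(),
                          capture_output=True, timeout=timeout)
    if proc.returncode != 0:
        # Surface the MTA's refusal instead of silently dropping the alert.
        raise RuntimeError("sendmail exited %d: %s" % (
            proc.returncode, proc.stderr.decode(errors="replace").strip()))
    return argv
```

Because the message is handed over on stdin by a local process, the MTA attributes it to the submitting user, so no SMTP credential has to be stored in the daemon's configuration.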
On 2022-03-14 08:56, Petr Lautrbach wrote:
> Hello,
> I'd rather avoid storing or using passwords directly in setroubleshoot but it's simple to add another option to setroubleshoot.conf which would enforce using local 'sendmail' binary instead of smtp_host.
> Please take a look at https://gitlab.com/setroubleshoot/setroubleshoot/-/merge_requests/15 and let me know if this would be acceptable for you.
> Thanks,
> Petr
Hi Petr, that would work fine for me, and also is what Wietse suggested on the postfix mailing list
Thanks
-- Matt
Matt Kinni matt@cipixia.com writes:
> On 2022-03-14 08:56, Petr Lautrbach wrote:
>> Hello,
>> I'd rather avoid storing or using passwords directly in setroubleshoot but it's simple to add another option to setroubleshoot.conf which would enforce using local 'sendmail' binary instead of smtp_host.
>> Please take a look at https://gitlab.com/setroubleshoot/setroubleshoot/-/merge_requests/15 and let me know if this would be acceptable for you.
>> Thanks,
>> Petr
> Hi Petr, that would work fine for me, and also is what Wietse suggested on the postfix mailing list
Great. We're going to merge it soon and it'll be part of the next update in Fedora. In the meantime you can test and use it from my COPR repository https://copr.fedorainfracloud.org/coprs/plautrba/setroubleshoot/build/371915...
Petr
> -- Matt
On 2022-03-16 06:04, Petr Lautrbach wrote:
> Great. We're going to merge it soon and it'll be part of the next update in Fedora. In the meantime you can test and use it from my COPR repository https://copr.fedorainfracloud.org/coprs/plautrba/setroubleshoot/build/371915...
Sorry to necrobump this ancient thread - just wanted to point out that the default selinux-policy-targeted in F40 doesn't actually allow sendmail to be used by setroubleshootd. I've submitted bug #2291090 for this.
Thanks,
Matt
selinux@lists.fedoraproject.org