Request Tracker 3
Daniel J Walsh
dwalsh at redhat.com
Wed Feb 2 15:56:44 UTC 2005
Kanwar Ranbir Sandhu wrote:
>On Wed, 2005-02-02 at 10:10 -0500, Daniel J Walsh wrote:
>
>
>>Rather than going down a rathole, here could
>>you
>>setenforce 0
>>Run both tests and send the avc messages.
>>
>>
>
>Okay, no problem. I'll describe the mail setups, followed by the
>selinux messages for each.
>
>Mail config in RT:
>------------------
>mail command: sendmailpipe
>arguments: -oi -t #(-t required, as stated in RT docs)
>path: /usr/sbin/sendmail
>
>avc messages:
>-------------
>avc: denied { read } for pid=6130 exe=/usr/sbin/httpd name=sendmail
>dev=dm-3 ino=277369 scontext=root:system_r:httpd_t
>tcontext=user_u:object_r:sbin_t tclass=lnk_file
>
>
>Mail config in RT:
>------------------
>mail command: sendmail
>arguments: -oi
>path: /usr/sbin/sendmail #(not read when mail command set to sendmail)
>
>avc messages:
>-------------
>avc: denied { search } for pid=6082 exe=/usr/bin/perl name=postfix
>dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
>tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { getattr } for pid=6086 exe=/usr/sbin/sendmail.postfix
>path=socket:[14139] dev=sockfs ino=14139
>scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t
>tclass=unix_stream_socket
>
>avc: denied { execute } for pid=6087 exe=/usr/sbin/sendmail.postfix
>name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:sbin_t tclass=file
>
>avc: denied { execute_no_trans } for pid=6087
>exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3
>ino=276825 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:sbin_t tclass=file
>
>avc: denied { read } for pid=6087 exe=/usr/sbin/sendmail.postfix
>path=/usr/sbin/postdrop dev=dm-3 ino=276825
>scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t
>tclass=file
>
>avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop
>name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { add_name } for pid=6087 exe=/usr/sbin/postdrop
>name=1290.6087 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { create } for pid=6087 exe=/usr/sbin/postdrop
>name=1290.6087 scontext=root:system_r:system_mail_t
>tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop
>path=/var/spool/postfix/maildrop/1290.6087 dev=dm-5 ino=34911
>scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
>tclass=file
>
>avc: denied { remove_name } for pid=6087 exe=/usr/sbin/postdrop
>name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t
>tcontext=system_u:object_r:var_spool_t tclass=dir
>
>avc: denied { rename } for pid=6087 exe=/usr/sbin/postdrop
>name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t
>tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop
>path=/var/spool/postfix/maildrop/1ACA7885F dev=dm-5 ino=34911
>scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
>tclass=file
>
>avc: denied { setattr } for pid=6087 exe=/usr/sbin/postdrop
>name=1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t
>tcontext=root:object_r:var_spool_t tclass=file
>
>avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop
>path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827
>scontext=root:system_r:system_mail_t
>tcontext=user_u:object_r:var_spool_t tclass=fifo_file
>
>avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=pickup
>dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t
>tcontext=user_u:object_r:var_spool_t tclass=fifo_file
>
>Wow. Big difference in denials.
>
>Regards,
>
>Ranbir
>
>
Ok, one more change.
Could you do a
chcon -R -t mail_spool_t /var/spool/postfix
and try it again?
Dan
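Added illustration, not part of Dan's reply or of the list thread: the AVC lines Ranbir posted can be triaged mechanically before anyone reaches for setenforce 0 or a custom policy module. The script below is an example written for this page. It parses the old-style "avc: denied" syslog lines quoted above (a constructed sample copied from them, one denial per line), collapses them into audit2allow-style allow rules so the full set of requested permissions is visible at a glance, and separately lists the objects the mail domain was denied on because they still carry the generic var_spool_t label. Those objects are what the chcon -R -t mail_spool_t /var/spool/postfix in the reply relabels. The function names, and the choice of system_mail_t and var_spool_t as defaults, are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the thread above, one per line
# (pre-auditd "avc: denied" syslog format, no timestamps or audit() prefix).
SAMPLE_AVC = """\
avc: denied { read } for pid=6130 exe=/usr/sbin/httpd name=sendmail dev=dm-3 ino=277369 scontext=root:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file
avc: denied { search } for pid=6082 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
avc: denied { getattr } for pid=6086 exe=/usr/sbin/sendmail.postfix path=socket:[14139] dev=sockfs ino=14139 scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
avc: denied { execute } for pid=6087 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { execute_no_trans } for pid=6087 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
avc: denied { add_name } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
avc: denied { create } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file
avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file
"""

# Permission set inside the braces, then the key=value tail of the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        # The kernel names the target either by full path= or by name= (a dentry).
        "target": fields.get("path") or fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_log(text):
    """Parse every AVC line in a block of log text and skip everything else."""
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def summarize_rules(denials):
    """Collapse denials into audit2allow-style allow lines, one per
    (source type, target type, class) triple, sorted. This imitates the shape of
    audit2allow output for reading; it is not the tool, and the rules are what
    the denials would *need*, not what is safe to load."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]


def mislabeled_spool_targets(denials, domain="system_mail_t", wrong="var_spool_t"):
    """List (target, class) pairs the mail domain was denied on because the
    object carries the generic var_spool_t label instead of a mail spool type.
    Relabeling these (Dan's chcon) removes the denials without widening policy."""
    seen = []
    for d in denials:
        if d["stype"] == domain and d["ttype"] == wrong:
            entry = (d["target"], d["tclass"])
            if entry not in seen:
                seen.append(entry)
    return seen


if __name__ == "__main__":
    denials = parse_log(SAMPLE_AVC)
    print("%d denials parsed" % len(denials))
    for rule in summarize_rules(denials):
        print(rule)
    print("Objects labelled var_spool_t that the mail domain touched:")
    for target, cls in mislabeled_spool_targets(denials):
        print("  %s (%s)" % (target, cls))
```

Reading the two outputs side by side is the point: the allow rules would grant system_mail_t write access to generic var_spool_t directories and files system-wide, whereas the relabel confines the fix to the postfix spool and leaves httpd_t and system_mail_t policy untouched. The remaining non-spool denials (httpd_t reading the sendmail symlink, system_mail_t executing postdrop, the inherited unix socket) are a separate question that the relabel does not answer.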