sendmail attempting to read to /dev/hda

Mike A. Harris mharris at mharris.ca
Wed Dec 13 12:33:24 UTC 2006 

Using FC6, I get the following SELinux warnings in /var/log/messages
every time I reboot:

Dec 13 07:18:21 localhost setroubleshoot:      SELinux is preventing 
/usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda 
(fixed_disk_device_t).      For complete SELinux messages. run sealert 
-l 334bcb59-54ff-414f-bd52-f32c49
90df4a
Dec 13 07:18:22 localhost setroubleshoot:      SELinux is preventing 
/usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda 
(fixed_disk_device_t).      For complete SELinux messages. run sealert 
-l 334bcb59-54ff-414f-bd52-f32c49
90df4a


My sendmail configuration is unmodified from Fedora Core 6 default
installation, and while sendmail is set to start at bootup, I am not
currently using sendmail for anything on this system.

Nonetheless the error is a bit alarming, and I didn't find anything
similar in a google search.  My system is fully updated to the
current updates as of just prior to my reboot, which was about 15
minutes ago.

[root at shuttle ~]# rpm -qf /usr/sbin/sendmail.sendmail
sendmail-8.13.8-2
[root at shuttle ~]# ls -al /usr/sbin/sendmail.sendmail
-rwxr-sr-x 1 root smmsp 806460 Sep  5 09:27 /usr/sbin/sendmail.sendmail


[root at shuttle ~]# sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Summary
     SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) 
"read" to
     /dev/hda (fixed_disk_device_t).

Detailed Description
     SELinux denied access requested by /usr/sbin/sendmail.sendmail. It 
is not
     expected that this access is required by 
/usr/sbin/sendmail.sendmail and
     this access may signal an intrusion attempt. It is also possible 
that the
     specific version or configuration of the application is causing it to
     require additional access.

Allowing Access
     Sometimes labeling problems can cause SELinux denials.  You could 
try to
     restore the default system file context for /dev/hda, restorecon -v 
/dev/hda
     If this does not work, there is currently no automatic way to allow 
this
     access. Instead,  you can generate a local policy module to allow this
     access - see 
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
     can disable SELinux protection altogether. Disabling SELinux 
protection is
     not recommended. Please file a
     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information:

Source Context:               system_u:system_r:system_mail_t
Target Context:               system_u:object_r:fixed_disk_device_t
Target Objects:               /dev/hda [ blk_file ]
Affected RPM Packages:        sendmail-8.13.8-2 [application]
Policy RPM:                   selinux-policy-2.4.6-1.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.catchall_file
Host Name:                    shuttle
Platform:                     Linux shuttle 2.6.18-1.2849.fc6 #1 SMP Fri 
Nov 10 12:45:28 EST 2006 i686 i686
Alert Count:                  2
Line Numbers:

Raw Audit Messages:

avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0 
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 
name="hda" path="/dev/hda" pid=2509 
scontext=system_u:system_r:system_mail_t:s0 sgid=51 
subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file 
tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0

More information about the fedora-selinux-list mailing list