Problems with sendmail after upgrade to F8

Adam Huffman adam.huffman at gmail.com
Tue Nov 20 12:33:02 UTC 2007


After yum upgrading from F7 to F8, I'm seeing alerts whenever
fetchmail brings in new mail, even after a complete relabelling of the
system:



Summary
    SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
    (unconfined_home_dir_t).

Detailed Description
    SELinux denied access requested by sendmail. It is not expected that this
    access is required by sendmail and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                None [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     saintloup.smith.man.ac.uk
Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
                              SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count                   18
First Seen                    Tue Nov 20 12:15:53 2007
Last Seen                     Tue Nov 20 12:30:59 2007
Local ID                      3c789a3b-b8f8-4b21-a34a-bc198b90be73
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161
scontext=system_u:system_r:sendmail_t:s0 tclass=dir
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to
    /home/adam (unconfined_home_dir_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /home/adam, restorecon -v
    /home/adam If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                /home/adam [ dir ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     saintloup.smith.man.ac.uk
Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
                              SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count                   66
First Seen                    Tue Nov 20 12:15:53 2007
Last Seen                     Tue Nov 20 12:30:59 2007
Local ID                      a9ca1470-2510-4d05-baa4-48f8aa3b4474
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500
exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500
subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0


I've not seen anything about sendmail in recent selinux-policy builds
- is something else wrong here?
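
An added example, not part of the original post: a small Python parser that reads the two raw AVC records quoted above and groups the denied permissions by source type, target type and object class, which is a quick way to see whether many alerts share one cause. The function names and the `SAMPLE_AVCS` list are hypothetical; the records are copied from the alerts with their wrapped lines joined.

```python
import re
from collections import defaultdict

# The two raw AVC records from the alerts above, wrapped lines joined.
SAMPLE_AVCS = [
    "avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161 "
    "scontext=system_u:system_r:sendmail_t:s0 tclass=dir "
    "tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0",
    "avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500 "
    "exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 "
    "items=0 path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 "
    "sgid=500 subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir "
    "tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
REQUIRED = ("scontext", "tcontext", "tclass")


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if no match."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = (kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in pairs}
    fields["perms"] = m.group(1).split()
    return fields


def selinux_type(context):
    """Type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def summarize(lines):
    """Map (source type, target type, class) -> sorted denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or any(k not in rec for k in REQUIRED):
            continue  # not a denial, or a truncated record
        key = (selinux_type(rec["scontext"]),
               selinux_type(rec["tcontext"]), rec["tclass"])
        summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_AVCS).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```

Both alerts reduce to a single source/target/class triple, `sendmail_t` acting on a `dir` labelled `unconfined_home_dir_t`, with the `search` and `getattr` permissions denied.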



