SELinux problem after sendmail.mc modification.

Paul Howarth paul at city-fan.org
Fri Oct 12 00:17:22 UTC 2007


On Thu, 11 Oct 2007 13:16:53 -0700
Doug Thistlethwaite <doug at dupreeinc.com> wrote:

> Hello,
> 
> I hope somebody has seen this before. I am not sure if it is a bug or
> my not completely understanding how SELinux works.
> 
> My mail server was working fine secured by SELinux running in
> enforcing mode. Our company lost connection to the Internet for a
> couple days so I edited sendmail.mc to skip the domain check for the
> duration. I edited the file, ran MAKE and restarted the sendmail
> process. I also disabled spamd because all of the email would be
> internal.
> 
> Well SELinux didn't like what I did and started to produce lots of
> AVC messages and provided solutions to most of them. I followed the 
> suggestion in the "Allowing Access" section of the setroubleshoot 
> browser and most of the messages went away. After about a dozen of
> these messages, I decided to just have the system "relabel on next
> reboot" using the SELinux management tool. When that didn't fix the
> problem, I just disabled SELinux until the Internet connection was
> fixed.
> 
> So the connection was fixed, I fixed the sendmail.mc file to be
> exactly the same as before the problem. I used MAKE on the file and
> relabeled the SELinux during a reboot and reset SELinux to
> enforcement mode.
> 
> Spamd will not start in enforcement mode. I get the following
> setroubleshoot message:
> 
> Summary
> SELinux is preventing spamd (spamd_t) "search" to mail 
> (httpd_sys_content_t).

Somehow you seem to have some important mail-related dir (and maybe
more) labelled as httpd_sys_content_t. Maybe /etc/mail?

> I was under the impression that if I relabeled the system everything 
> would be reset, but obviously I am incorrect...
> 
> I have also received other AVC messages all relating to sendmail
> files. I was not sure if these would help so I did not include them
> in this message (This question is already pretty long!).
> 
> Any idea how I can get spamd to run in enforcing mode -and- get
> SELinux to be happy again?

httpd_sys_content_t is a customizable type and hence not subject to
being relabelled normally.

Try:
# restorecon -FRv /etc/mail /var/spool/mail

Paul.
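
Added example, not part of the original message: a shell sketch that lists the paths whose current type is on the policy's customizable_types list, i.e. the ones that, as the reply notes, a normal relabel does not reset and that `restorecon -F` does. The type list, the `<context> <path>` listing format and the function names are constructed assumptions.

```shell
#!/bin/sh
# Flag paths whose current SELinux type is "customizable".
# restorecon without -F skips such files; -F forces the reset.

# Constructed sample of a customizable_types file. On a real system the
# list lives under /etc/selinux/<policy>/contexts/customizable_types.
sample_customizable_types() {
cat <<'EOF'
httpd_sys_content_t
public_content_t
samba_share_t
EOF
}

# Constructed sample listing, one "<context> <path>" pair per line
# (assumed format, similar to what `ls -dZ` prints on current systems).
sample_listing() {
cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /etc/mail
system_u:object_r:mail_spool_t:s0 /var/spool/mail
system_u:object_r:etc_t:s0 /etc/hosts
EOF
}

# needs_force TYPES_FILE < listing
# Prints every path whose type (third field of the context) is listed
# in TYPES_FILE.
needs_force() {
    awk -v types="$1" '
        BEGIN { while ((getline t < types) > 0) if (t != "") custom[t] = 1 }
        {
            n = split($1, ctx, ":")
            if (n >= 3 && (ctx[3] in custom)) {
                path = $0
                sub(/^[^ \t]+[ \t]+/, "", path)   # keep paths with spaces
                print path
            }
        }
    '
}

# Demo run on the constructed samples; prints /etc/mail
types_file=$(mktemp)
sample_customizable_types > "$types_file"
sample_listing | needs_force "$types_file"
rm -f "$types_file"
```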



