SELinux problem after sendmail.mc modification.

Doug Thistlethwaite doug at dupreeinc.com
Fri Oct 12 20:40:25 UTC 2007


David,  Thanks for the quick reply.  I answered your questions in-line 
below:

David Caplan wrote:
> Doug,
>
>   
> ...
>> My mail server was working fine secured by SELinux running in enforcing mode. Our company lost connection to the Internet for a couple of days, so I edited sendmail.mc to skip the domain check for the duration. I edited the file, ran MAKE and restarted the sendmail process. I also disabled spamd because all of the email would be internal.
>>
>>     
>
> Did you do all of the above as root/unconfined_t? The most likely
> problem (at least at that point) was a labeling problem. As you are
> running targeted policy it should not have caused a problem.
>
>   
I assume that I did.  I was logged in as root and did not even know 
until now that something called unconfined_t existed. Initially, I 
entered the commands suggested by setroubleshoot.
>   
>> Well SELinux didn't like what I did and started to produce lots of AVC
>> messages and provided solutions to most of them. I followed the
>> suggestion in the "Allowing Access" section of the setroubleshoot
>> browser and most of the messages went away. 
>>     
>
> Does that mean you added a local policy module?
>   

I don't think so.  I entered commands like the following: (Copied from 
my command buffer)

chcon -t httpd_sys_content_t /etc/mail/local-host-names
chcon -t httpd_sys_content_t /etc/mail/trusted-users
chcon -t httpd_sys_content_t submit.cf
chcon -t httpd_sys_content_t clientmqueue
chcon -t httpd_sys_content_t anon_inode:[eventpoll]

The last one wouldn't work and this is when I decided to just disable SELinux until my internet connection was restored.


>   
>> After about a dozen of these
>> messages, I decided to just have the system "relabel on next reboot"
>> using the SELinux management tool. When that didn't fix the problem, I
>> just disabled SELinux until the Internet connection was fixed.
>>
>> So the connection was fixed; I fixed the sendmail.mc file to be exactly the same as before the problem. I used MAKE on the file, relabeled
>> the SELinux during a reboot and reset SELinux to enforcing mode. Spamd will not start in enforcing mode. I get the following
>> setroubleshoot message:
>>
>>     
>
> The indication below (in the "Additional Information" section) says that
> you are in Permissive, not Enforcing. Of course, things should work in
> Permissive mode.
>
>   
Yes, I switched to Permissive mode so my users were not buried in spam.  
The same messages were there in Enforcing mode.
>> Summary
>> SELinux is preventing spamd (spamd_t) "search" to mail
>> (httpd_sys_content_t).
>>
>>     
>
> It doesn't seem like spamd should need access to httpd* files. If you
> are in Permissive mode that may not be what your problem is. What is the
> file related to this message (i.e., the path of the target directory
> that is labeled with httpd_sys_content_t)?
>   
I have no idea.  The information in my first message is everything that 
was displayed in the setroubleshoot window.  Other messages in the 
setroubleshoot window show file names, but this one doesn't.  How would 
I find this out?
>   
>> Detailed Description
>> SELinux denied access requested by spamd. It is not expected that this
>> access is required by spamd and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for mail, restorecon -v mail If
>> this does not work, there is currently no automatic way to allow this
>> access. Instead, you can generate a local policy module to allow this
>> access - see FAQ Or you can disable SELinux protection altogether.
>> Disabling SELinux protection is not recommended. Please file a bug
>> report against this package.
>>
>> Additional Information
>>     Source Context: system_u:system_r:spamd_t
>>     Target Context: system_u:object_r:httpd_sys_content_t
>>     Target Objects: mail [ dir ]
>>     Affected RPM Packages:
>>     Policy RPM: selinux-policy-2.6.4-46.fc7
>>     Selinux Enabled: True
>>     Policy Type: targeted
>>     MLS Enabled: True
>>     Enforcing Mode: Permissive
>>     Plugin Name: plugins.catchall_file
>>
>>
>> When I ran the suggested fix "restorecon -v mail" I get the following
>> error message:
>> lstat(mail) failed: No such file or directory
>>
>>     
>
> I think you want to run this in the directory above the mail directory
> (e.g., this is typically /etc). Everything in /etc/mail should be
> labeled with etc_mail_t. You should also run it with -R. For example:
> # restorecon -v mail
> lstat(mail) failed: No such file or directory
> # cd /etc
> # restorecon -v mail
> # chcon -t file_t mail/sendmail.mc
> # restorecon -v mail
> # ls -Z mail/sendmail.mc
> -rw-r--r--  root root system_u:object_r:file_t         mail/sendmail.mc
> # restorecon -Rv mail
> restorecon reset /etc/mail/sendmail.mc context
> system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0
> #
>
>   
I ran the suggested commands, restarted sendmail and spamassassin, and 
ran the same restorecon command for any file listed in the error 
messages.  After this I sent an email through a web interface.  I got 
the following errors in setroubleshoot:

#1

Summary
    SELinux is preventing spamd (spamd_t) "search" to mail(httpd_sys_content_t).

Detailed Description
    SELinux denied access requested by spamd. It is not expected that this access is required by spamd and this access may signal an intrusion attempt.
    It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to restore the default system file context for mail, restorecon -v mail If this
    does not work, there is currently no automatic way to allow this access.
    Instead,  you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                root:system_r:spamd_t
Target Context                system_u:object_r:httpd_sys_content_t
Target Objects                mail [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     mail.dupreeinc.com
Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Oct 2007 03:32:24 PM PDT
Last Seen                     Thu 11 Oct 2007 03:32:24 PM PDT
Local ID                      d478c85c-d36f-4fa3-9371-2ab3f4bb05f5
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0 exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1 uid=0

#2

Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files submit.cf (etc_mail_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially mislabeled files submit.cf.  This means that SELinux will not allow http to
    use these files.  Many third party apps install html files in directories that SELinux policy can not predict.  These directories have to be labeled
    with a file context which httpd can access.

Allowing Access
    If you want to change the file context of submit.cf so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t
    submit.cf.  You can look at the httpd_selinux man page for additional information.

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:object_r:etc_mail_t
Target Objects                submit.cf [ file ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.httpd_bad_labels
Host Name                     mail.dupreeinc.com
Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                      e67e0ecc-909e-44ba-8a80-106228c8e348
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48


#3
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files /etc/mail/submit.cf (etc_mail_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
    mislabeled files /etc/mail/submit.cf.  This means that SELinux will not
    allow http to use these files.  Many third party apps install html files in
    directories that SELinux policy can not predict.  These directories have to
    be labeled with a file context which httpd can access.

Allowing Access
    If you want to change the file context of /etc/mail/submit.cf so that the
    httpd daemon can access it, you need to execute it using chcon -t
    httpd_sys_content_t /etc/mail/submit.cf.  You can look at the httpd_selinux
    man page for additional information.

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:object_r:etc_mail_t
Target Objects                /etc/mail/submit.cf [ file ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application] sendmail-8.14.1-4.2.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.httpd_bad_labels
Host Name                     mail.dupreeinc.com
Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                      10bd0547-6b5c-4b86-96e6-6bb16af2a64d
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" path="/etc/mail/submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48


#4 

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
    "create" to <Unknown> (httpd_sys_script_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi  against this package.

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:system_r:httpd_sys_script_t
Target Objects                None [ unix_dgram_socket ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     mail.dupreeinc.com
Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                      ef574580-2190-4edc-8e54-b92181831531
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="sendmail" egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

#5

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
    "sendto" to /dev/log (syslogd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not 
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:system_r:syslogd_t
Target Objects                /dev/log [ unix_dgram_socket ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     mail.dupreeinc.com
Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                      831be357-c006-4d42-8ab7-1634e2035ef4
Line Numbers                  

Raw Audit Messages            

avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="log" path="/dev/log" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48


#6
 
Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
    "write" to <Unknown> (httpd_sys_script_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:system_r:httpd_sys_script_t
Target Objects                None [ unix_dgram_socket ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     mail.dupreeinc.com
Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                      a793410a-36e5-4685-b82a-c7a0ddee7c44
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="sendmail" egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48 items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

#7

Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially
    mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
    mislabeled files anon_inode:[eventpoll].  This means that SELinux will not
    allow http to use these files.  Many third party apps install html files in
    directories that SELinux policy can not predict.  These directories have to
    be labeled with a file context which httpd can access.

Allowing Access
    If you want to change the file context of anon_inode:[eventpoll] so that the
    httpd daemon can access it, you need to execute it using chcon -t
    httpd_sys_content_t anon_inode:[eventpoll].  You can look at the
    httpd_selinux man page for additional information.

Additional Information        

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:object_r:anon_inodefs_t
Target Objects                anon_inode:[eventpoll] [ file ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.httpd_bad_labels
Host Name                     mail.dupreeinc.com
Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                      5c2f5b86-899e-44d6-ba25-906180a5731d
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48


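Editor's added example, not code from the thread or from setroubleshoot: the seven alerts above mix two different problems, and the raw audit lines (not the "Allowing Access" text) are what separate them. Alert #1 is a leftover of the earlier chcon commands: a non-web domain (spamd_t) hitting an httpd_sys_content_t object, which restorecon on the right parent directory cures. Alerts #2 through #7 all have scontext=httpd_sys_script_t, exe=/usr/sbin/sendmail.sendmail and uid=48 (the apache account on Fedora), i.e. the web interface is executing sendmail inside the CGI domain; the chcon suggestions in #2, #3 and #7 would only put the wrong label back on /etc/mail/submit.cf (and cannot apply to an epoll handle at all), so those need a policy decision, not a relabel. The script below parses AVC records and applies exactly those three rules; the sample audit lines are constructed, shortened copies of the ones in the thread, and the verdict rules are this example's own heuristics, not anything shipped by selinux-policy.

```shell
#!/bin/sh
# Added example (not from the thread): triage AVC denials into "relabel" versus
# "policy" before acting on any setroubleshoot suggestion.  The audit lines below
# are CONSTRUCTED, shortened copies of the alerts in the thread; the verdict rules
# are this example's own heuristics, not part of selinux-policy or setroubleshoot.
SAMPLE_AVCS='avc: denied { search } for comm="spamd" dev=dm-0 exe="/usr/bin/perl" name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 uid=0
avc: denied { read } for comm="sendmail" dev=dm-0 exe="/usr/sbin/sendmail.sendmail" name="submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 uid=48
avc: denied { sendto } for comm="sendmail" dev=tmpfs exe="/usr/sbin/sendmail.sendmail" name="log" path="/dev/log" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0 uid=48
avc: denied { read, write } for comm="sendmail" dev=anon_inodefs exe="/usr/sbin/sendmail.sendmail" name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:anon_inodefs_t:s0 uid=48'

# avc_triage: read audit records on stdin and print one line per AVC denial:
#   VERDICT<TAB>source_type perms tclass target_type object
avc_triage() {
  awk '
  # third field of user:role:type:level is the type
  function ctx_type(ctx,    p) { split(ctx, p, ":"); return p[3] }
  function verdict(src, tgt, cls, obj, comm) {
    # An httpd content type on an object no httpd_* domain is using is the
    # residue of a stray chcon (the thread labelled /etc/mail files that way):
    # restorecon on the parent directory is the fix, not another chcon.
    if (tgt == "httpd_sys_content_t" && src !~ /^httpd_/)
      return "RELABEL  (restorecon -Rv on the parent; non-web object carries an httpd content type)"
    # anon_inodefs_t objects (epoll handles) are not on disk; chcon cannot apply.
    if (tgt == "anon_inodefs_t")
      return "POLICY   (not a filesystem object; chcon cannot apply)"
    # sendmail running inside the CGI domain: the web interface execs sendmail
    # without a domain transition.  Relabelling /etc/mail to httpd_sys_content_t,
    # as the alert suggests, would only recreate the breakage.  Policy question.
    if (src == "httpd_sys_script_t" && comm == "sendmail")
      return "POLICY   (sendmail is running in the CGI domain; the chcon suggestion is wrong)"
    return "UNKNOWN  (compare ls -Z on the object with matchpathcon)"
  }
  /avc: *denied/ {
    perms = ""
    if (match($0, /\{[^}]*\}/)) {
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      gsub(/[ ,]+/, ",", perms)   # "{ read, write }" or "{ read write }" -> read,write
    }
    src = ""; tgt = ""; cls = ""; obj = ""; comm = ""
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n == 0) continue
      k = substr($i, 1, n - 1); v = substr($i, n + 1)
      gsub(/"/, "", v)
      if (k == "scontext")      src = ctx_type(v)
      else if (k == "tcontext") tgt = ctx_type(v)
      else if (k == "tclass")   cls = v
      else if (k == "comm")     comm = v
      else if (k == "path")     obj = v     # a full path= wins over a bare name=
      else if (k == "name" && obj == "") obj = v
    }
    if (obj == "") obj = "<none>"
    print verdict(src, tgt, cls, obj, comm) "\t" src " " perms " " cls " " tgt " " obj
  }'
}

# Stand-alone run over the constructed sample.  On the real host feed it the log:
#   ausearch -m avc -ts recent | avc_triage
printf '%s\n' "$SAMPLE_AVCS" | avc_triage
```

On the thread's host the RELABEL line is the one to act on first: the "mail" directory with httpd_sys_content_t is most likely one of the paths chcon was run against, so `ls -Zd /etc/mail /var/spool/clientmqueue` followed by `restorecon -Rv` on whichever parent still shows the httpd label, then a retest in enforcing mode. The POLICY lines are what setroubleshoot means by "generate a local policy module": collect them with `ausearch -m avc` and feed them to `audit2allow -M local`, then review the generated .te before `semodule -i local.pp`, because granting httpd_sys_script_t read on etc_mail_t and sendto on syslogd_t is a deliberate widening of what the web server's scripts may touch.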