SELinux problem after sendmail.mc modification.

Daniel J Walsh dwalsh at redhat.com
Mon Oct 15 19:34:02 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug Thistlethwaite wrote:
> David,  Thanks for the quick reply.  I answered your questions in-line
> below:
> 
> David Caplan wrote:
>> Doug,
>>
>>   ...
>>> My mail server was working fine secured by SELinux running in
>>> enforcing mode. Our company lost connection to the Internet for a
>>> couple days so I edited sendmail.mc to skip the domain check for the
>>> duration. I edited the file, ran MAKE and restarted the sendmail
>>> process. I also disabled spamd because all of the email would be
>>> internal.
>>>
>>>     
>>
>> Did you do all of the above as root/unconfined_t? The most likely
>> problem (at least at that point) was a labeling problem. As you are
>> running targeted policy it should not have caused a problem.
>>
>>   
> I assume that I did.  I was logged in as root and did not even know
> until now that something called unconfined_t existed. Initially, I
> entered the commands suggested by setroubleshoot.
>>  
>>> Well SELinux didn't like what I did and started to produce lots of AVC
>>> messages and provided solutions to most of them. I followed the
>>> suggestion in the "Allowing Access" section of the setroubleshoot
>>> browser and most of the messages went away.     
>>
>> Does that mean you added a local policy module?
>>   
> 
> I don't think so.  I entered commands like the following: (Copied from
> my command buffer)
> 
> chcon -t httpd_sys_content_t /etc/mail/local-host-names
> chcon -t httpd_sys_content_t /etc/mail/trusted-users
> chcon -t httpd_sys_content_t submit.cf
> chcon -t httpd_sys_content_t clientmqueue
> chcon -t httpd_sys_content_t anon_inode:[eventpoll]
> 
> The last one wouldn't work and this is when I decided to just disable
> SELinux until my internet connection was restored.
> 
> 
>>  
>>> After about a dozen of these
>>> messages, I decided to just have the system "relabel on next reboot"
>>> using the SELinux management tool. When that didn't fix the problem, I
>>> just disabled SELinux until the Internet connection was fixed.
>>>
>>> So the connection was fixed, I fixed the sendmail.mc file to be
>>> exactly the same as before the problem. I used MAKE on the file and
>>> relabeled
>>> the SELinux during a reboot and reset SELinux to enforcement mode.
>>> Spamd will not start in enforcement mode. I get the following
>>> setroubleshoot message:
>>>
>>>     
>>
>> The indication below (in the "Additional Information" section) says that
>> you are in Permissive, not Enforcing. Of course, things should work in
>> Permissive mode.
>>
>>   
> Yes, I switched to Permissive mode so my users were not buried in spam.
> The same messages were there in Enforcing mode.
>>> Summary
>>> SELinux is preventing spamd (spamd_t) "search" to mail
>>> (httpd_sys_content_t).
>>>
>>>     
>>
>> It doesn't seem like spamd should need access to httpd* files. If you
>> are in Permissive mode that may not be what your problem is. What is the
>> file related to this message (i.e., the path of the target directory
>> that is labeled with httpd_sys_content_t)?
>>   
> I have no idea.  The information in my first message is everything that
> was displayed in the setroubleshoot window.  Other messages in the
> setroubleshoot window show file names, but this one doesn't.  How would
> I find this out?
>>  
>>> Detailed Description
>>> SELinux denied access requested by spamd. It is not expected that this
>>> access is required by spamd and this access may signal an intrusion
>>> attempt. It is also possible that the specific version or
>>> configuration of the application is causing it to require additional
>>> access.
>>>
>>> Allowing Access
>>> Sometimes labeling problems can cause SELinux denials. You could try
>>> to restore the default system file context for mail, restorecon -v
>>> mail If
>>>     this does not work, there is currently no automatic way to allow
>>> this
>>> access. Instead, you can generate a local policy module to allow this
>>> access - see FAQ Or you can disable SELinux protection altogether.
>>> Disabling SELinux protection is not recommended. Please file a bug
>>> report against this package.
>>>
>>> Additional Information
>>>     Source Context: system_u:system_r:spamd_t
>>>     Target Context: system_u:object_r:httpd_sys_content_t
>>>     Target Objects: mail [ dir ]
>>>     Affected RPM Packages:
>>>     Policy RPM: selinux-policy-2.6.4-46.fc7
>>>     Selinux Enabled: True
>>>     Policy Type: targeted
>>>     MLS Enabled: True
>>>     Enforcing Mode: Permissive
>>>     Plugin Name: plugins.catchall_file
>>>
>>>
>>> When I ran the suggested fix "restorecon -v mail" I get the following
>>> error message:
>>> lstat(mail) failed: No such file or directory
>>>
>>>     
>>
>> I think you want to run this in the directory above the mail directory
>> (e.g., this is typically /etc). Everything in /etc/mail should be
>> labeled with etc_mail_t. You should also run it with -R. For example:
>> # restorecon -v mail
>> lstat(mail) failed: No such file or directory
>> # cd /etc
>> # restorecon -v mail
>> # chcon -t file_t mail/sendmail.mc
>> # restorecon -v mail
>> # ls -Z mail/sendmail.mc
>> -rw-r--r--  root root system_u:object_r:file_t         mail/sendmail.mc
>> # restorecon -Rv mail
>> restorecon reset /etc/mail/sendmail.mc context
>> system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0
>> #
>>
>>   
> I ran the suggested commands and restarted sendmail, spamassassin and I
> did the same restorecon command for any file listed in the error
> messages.  After this I sent an email through a web interface.  I got
> the following errors in setroubleshoot:
> 
> #1
> 
> Summary
>    SELinux is preventing spamd (spamd_t) "search" to
> mail(httpd_sys_content_t).
> 
> Detailed Description
>    SELinux denied access requested by spamd. It is not expected that
> this access is required by spamd and this access may signal an intrusion
> attempt.
>    It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access
>    Sometimes labeling problems can cause SELinux denials.  You could try
> to restore the default system file context for mail, restorecon -v mail
> If this
>    does not work, there is currently no automatic way to allow this access.
>    Instead,  you can generate a local policy module to allow this access
> - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
> can disable
>    SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
> 
> Additional Information       
> Source Context                root:system_r:spamd_t
> Target Context                system_u:object_r:httpd_sys_content_t
> Target Objects                mail [ dir ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall_file
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:32:24 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:32:24 PM PDT
> Local ID                      d478c85c-d36f-4fa3-9371-2ab3f4bb05f5
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0
> exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail"
> pid=31883
> scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0
> suid=0
> tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1
> uid=0
> 
> #2
> 
> Summary
>    SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially mislabeled files submit.cf (etc_mail_t).
> 
> Detailed Description
>    SELinux has denied the /usr/sbin/sendmail.sendmail access to
> potentially mislabeled files submit.cf.  This means that SELinux will
> not allow http to
>    use these files.  Many third party apps install html files in
> directories that SELinux policy can not predict.  These directories have
> to be labeled
>    with a file context which httpd can accesss.
> 
> Allowing Access
>    If you want to change the file context of submit.cf so that the httpd
> daemon can access it, you need to execute it using chcon -t
> httpd_sys_content_t
>    submit.cf.  You can look at the httpd_selinux man page for additional
> information.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:object_r:etc_mail_t
> Target Objects                submit.cf [ file ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.httpd_bad_labels
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      e67e0ecc-909e-44ba-8a80-106228c8e348
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
> items=0
> name="submit.cf" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0
> sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> 
> #3
> Summary
>    SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially mislabeled files /etc/mail/submit.cf (etc_mail_t).
> 
> Detailed Description
>    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
>    mislabeled files /etc/mail/submit.cf.  This means that SELinux will not
>    allow http to use these files.  Many third party apps install html
> files in
>    directories that SELinux policy can not predict.  These directories
> have to
>    be labeled with a file context which httpd can accesss.
> 
> Allowing Access
>    If you want to change the file context of /etc/mail/submit.cf so that
> the
>    httpd daemon can access it, you need to execute it using chcon -t
>    httpd_sys_content_t /etc/mail/submit.cf.  You can look at the
> httpd_selinux
>    man page for additional information.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:object_r:etc_mail_t
> Target Objects                /etc/mail/submit.cf [ file ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
>                               sendmail-8.14.1-4.2.fc7 [target]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.httpd_bad_labels
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      10bd0547-6b5c-4b86-96e6-6bb16af2a64d
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0
> name="submit.cf" path="/etc/mail/submit.cf" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> 
> #4
> Summary
>    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
>    "create" to <Unknown> (httpd_sys_script_t).
> 
> Detailed Description
>    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not
>    expected that this access is required by /usr/sbin/sendmail.sendmail and
>    this access may signal an intrusion attempt. It is also possible that
> the
>    specific version or configuration of the application is causing it to
>    require additional access.
> 
> Allowing Access
>    You can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>    SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi  against this package.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:system_r:httpd_sys_script_t
> Target Objects                None [ unix_dgram_socket ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      ef574580-2190-4edc-8e54-b92181831531
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { create } for comm="sendmail" egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
> items=0
> pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
> 
> #5
> 
> Summary
>    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
>    "sendto" to /dev/log (syslogd_t).
> 
> Detailed Description
>    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not
>    expected that this access is required by /usr/sbin/sendmail.sendmail and
>    this access may signal an intrusion attempt. It is also possible that
> the
>    specific version or configuration of the application is causing it to
>    require additional access.
> 
> Allowing Access
>    You can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>    SELinux protection altogether. Disabling SELinux protection is not   
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:system_r:syslogd_t
> Target Objects                /dev/log [ unix_dgram_socket ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      831be357-c006-4d42-8ab7-1634e2035ef4
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0
> name="log" path="/dev/log" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48
> 
> 
> #6
> 
> Summary
>    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
>    "write" to <Unknown> (httpd_sys_script_t).
> 
> Detailed Description
>    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not
>    expected that this access is required by /usr/sbin/sendmail.sendmail and
>    this access may signal an intrusion attempt. It is also possible that
> the
>    specific version or configuration of the application is causing it to
>    require additional access.
> 
> Allowing Access
>    You can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>    SELinux protection altogether. Disabling SELinux protection is not
>    recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:system_r:httpd_sys_script_t
> Target Objects                None [ unix_dgram_socket ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      a793410a-36e5-4685-b82a-c7a0ddee7c44
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { write } for comm="sendmail" egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48
> items=0
> pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
> 
> #7
> 
> Summary
>    SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially
>    mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).
> 
> Detailed Description
>    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
>    mislabeled files anon_inode:[eventpoll].  This means that SELinux
> will not
>    allow http to use these files.  Many third party apps install html
> files in
>    directories that SELinux policy can not predict.  These directories
> have to
>    be labeled with a file context which httpd can accesss.
> 
> Allowing Access
>    If you want to change the file context of anon_inode:[eventpoll] so
> that the
>    httpd daemon can access it, you need to execute it using chcon -t
>    httpd_sys_content_t anon_inode:[eventpoll].  You can look at the
>    httpd_selinux man page for additional information.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:object_r:anon_inodefs_t
> Target Objects                anon_inode:[eventpoll] [ file ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.httpd_bad_labels
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      5c2f5b86-899e-44d6-ba25-906180a5731d
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51
> euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0
> name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48
> 
> 
> 
> 

Set the boolean
httpd_can_sendmail on

setsebool -P httpd_can_sendmail 1

This will allow httpd_sys_script_t to transition to sendmail_t and you
should be able to send mail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHE8CprlYvE4MpobMRAsMVAKCvAuPho1Fl9XPhPPUkz80ugE86twCg3qSd
ktdQGZH0gLkZO+stG0moaac=
=1/ar
-----END PGP SIGNATURE-----
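The thread ends with two different fixes for what looked like one pile of alerts: David's restorecon advice for the spamd denial (a label left behind by chcon) and Dan's boolean for the sendmail denials (httpd_sys_script_t never transitioned to sendmail_t, so relabeling submit.cf could never help). The script below is an added example, not part of this thread, of setroubleshoot or of the selinux-policy project. It groups raw AVC lines by command, source domain, target type, class and permissions, then applies two triage heuristics of my own that encode exactly those two diagnoses. The AVC_SAMPLE text is constructed from the denials Doug pasted, with the audit fields that do not matter for triage trimmed; the only tools assumed are POSIX sh, awk and sort.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials so that a
# labelling problem (fix: restorecon) can be told apart from a missing
# domain transition (fix: a boolean such as httpd_can_sendmail).

# Constructed sample, trimmed from the denials quoted in the thread.
AVC_SAMPLE='avc: denied { search } for comm="spamd" dev=dm-0 exe="/usr/bin/perl" name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0
avc: denied { read } for comm="sendmail" dev=dm-0 exe="/usr/sbin/sendmail.sendmail" name="submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:etc_mail_t:s0
avc: denied { getattr } for comm="sendmail" dev=dm-0 exe="/usr/sbin/sendmail.sendmail" path="/etc/mail/submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:etc_mail_t:s0
avc: denied { sendto } for comm="sendmail" path="/dev/log" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0
avc: denied { read, write } for comm="sendmail" path="anon_inode:[eventpoll]" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:anon_inodefs_t:s0'

# avc_summary: stdin = audit log / dmesg text; stdout = one line per distinct
# "comm source_type target_type class perms" tuple followed by its count.
# Only the type field (third colon-separated part) of each context is kept.
avc_summary() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        gsub(/, */, ",", perms)
        comm = "?"; src = "?"; tgt = "?"; cls = "?"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        count[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# avc_domains_for COMM: the distinct source domains a command was denied in.
# A command that should be confined in its own domain but shows up in the
# domain of its caller is the signature of a missing domain transition.
avc_domains_for() {
    avc_summary | awk -v c="$1" '$1 == c { print $2 }' | sort -u
}

# avc_triage: heuristic hints for the two failure modes seen in the thread.
avc_triage() {
    avc_summary | awk '
    # sendmail still running in the web-script domain: the
    # httpd_sys_script_t -> sendmail_t transition did not happen, which is
    # what the httpd_can_sendmail boolean controls. Relabeling will not help.
    $1 == "sendmail" && $2 != "sendmail_t" {
        print "TRANSITION " $1 " ran as " $2 ": check getsebool httpd_can_sendmail"
    }
    # A non-web daemon hitting httpd_sys_content_t: a leftover chcon, so
    # reset the labels with restorecon -Rv from the parent directory.
    $1 != "httpd" && $3 == "httpd_sys_content_t" {
        print "LABEL " $1 " (" $2 ") hit " $3 " " $4 ": run restorecon -Rv on that path"
    }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_triage
```

On a live box the input would come from `ausearch -m avc -ts recent | avc_triage` (or `dmesg` on a system without auditd). The summary collapses the five alerts above to two problems: spamd in spamd_t searching a directory that carries httpd_sys_content_t, and every sendmail denial coming from httpd_sys_script_t rather than sendmail_t, which is the pattern Dan's `setsebool -P httpd_can_sendmail 1` addresses and which no amount of chcon or restorecon on /etc/mail will change.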