Strange Mailman/Sendmail Audit messages in Fedora-10?
Paul Howarth
paul at city-fan.org
Tue Feb 10 00:15:33 UTC 2009
On Mon, 09 Feb 2009 12:47:51 -0500
Derek Atkins <warlord at MIT.EDU> wrote:
> Hi,
>
> Paul Howarth <paul at city-fan.org> writes:
>
> [snip]
> > Do your milters exec other programs? There are a couple of sockets
>
> I don't think so, but I don't know. I'm using clamav-milter,
> spamass-milter, and milter-sender. I'm pretty sure that the
> latter doesn't fork/exec. I don't know about clamav or spamass.
spamass-milter forks and execs sendmail to deliver spam if you use the
"-b" option - that's how I discovered the problem.
The audit log entries you posted suggest that mailman inherited a
socket descriptor from sendmail.
> > involved in the milter process (one in libmilter that shows up in
> > the milter process itself, and one at the other end of the
> > connection in sendmail) that don't have close-on-exec set, so their
> > descriptors leak when they exec other programs, and that looks like
> > what you're seeing here. I've submitted patches against 8.14.3
> > upstream many months ago but there hasn't been a new release since.
> >
> > In the meantime, I expect you can safely dontaudit these.
>
> Okay, how would I do that?
You'll need to create a local policy module. I'd do it this way:
* Create a policy module development area:
# yum install make selinux-policy-devel
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .
* Pipe the audit messages you want to eliminate through audit2allow to
create a policy module "mysendmail":
# ausearch -se sendmail |
    audit2allow -m mysendmail |
    sed 's/^allow /dontaudit /' > mysendmail.te
That should produce a file mysendmail.te like this:
module mysendmail 1.0;

require {
        type mailman_mail_t;
        type sendmail_t;
        class unix_stream_socket { read write };
}

#============= mailman_mail_t ==============
dontaudit mailman_mail_t sendmail_t:unix_stream_socket { read write };
* Compile the policy module:
# make
* Install the policy module:
# semodule -i mysendmail.pp
If you later want to remove the policy module (it'll survive a reboot),
do:
# semodule -r mysendmail
Cheers, Paul.
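Added example (not from Paul's message, and not code from sendmail, libmilter or any milter): a small C program showing the mechanism behind the audit messages in this thread. A connected UNIX socket pair stands in for the libmilter/sendmail connection; one end is handed to a fork()+exec() of /bin/sh, which succeeds at duplicating the descriptor only if it is still open after exec. Without FD_CLOEXEC the descriptor survives the exec (the leak that lets mailman inherit sendmail's socket); with FD_CLOEXEC set it does not. The function names and the use of /bin/sh as the exec'd program are my choices for the demonstration.

```c
/* Added example: a socket without FD_CLOEXEC survives exec(), a socket
 * with FD_CLOEXEC does not.  Not part of sendmail/libmilter; /bin/sh is
 * assumed to be present and POSIX-compliant. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec /bin/sh with a redirection that duplicates descriptor fd.
 * POSIX requires a non-interactive shell to exit non-zero when a
 * redirection on "exec" fails, so the exit status tells us whether fd
 * was still open in the child after exec.  stderr is sent to /dev/null
 * first so the shell's "Bad file descriptor" message stays quiet.
 * Returns 1 if fd leaked across exec, 0 if it was closed, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    pid_t pid;
    int status;

    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Set (on != 0) or clear the close-on-exec flag on fd; 0 on success.
 * This is the one-line fix for a descriptor that must not outlive exec. */
int set_cloexec(int fd, int on)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    flags = on ? (flags | FD_CLOEXEC) : (flags & ~FD_CLOEXEC);
    return fcntl(fd, F_SETFD, flags);
}

/* Create a connected socket pair (standing in for the milter control
 * connection) and report whether one end leaks across exec before and
 * after FD_CLOEXEC is set on it.  Returns 1 when the flag is what makes
 * the difference, 0 otherwise, -1 on a system call failure. */
int demo_socket_leak(int *leaked_before, int *leaked_after)
{
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    *leaked_before = fd_survives_exec(sv[0]);   /* default: no FD_CLOEXEC */
    if (set_cloexec(sv[0], 1) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    *leaked_after = fd_survives_exec(sv[0]);    /* now closed on exec */

    close(sv[0]);
    close(sv[1]);
    return (*leaked_before == 1 && *leaked_after == 0) ? 1 : 0;
}

int main(void)
{
    int before, after;

    if (demo_socket_leak(&before, &after) < 0) {
        perror("demo_socket_leak");
        return 1;
    }
    printf("socket survives exec: without FD_CLOEXEC=%d, with FD_CLOEXEC=%d\n",
           before, after);
    return 0;
}
```

Compile with `cc -o cloexec_demo cloexec_demo.c` and run it; the first value is the leak that shows up in the audit log as mailman_mail_t touching a sendmail_t unix_stream_socket, the second is what a fixed libmilter/sendmail would give. The dontaudit module above hides the message; setting FD_CLOEXEC (or using SOCK_CLOEXEC at socket creation on newer kernels) removes the leak itself.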