<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
David, Thanks for the quick reply. I answered your questions in-line
below:<br>
<br>
David Caplan wrote:
<blockquote
cite="mid6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com"
type="cite">
<pre wrap="">Doug,
</pre>
...
<blockquote type="cite">
<pre wrap="">
My mail server was working fine secured by SELinux running in enforcing mode. Our company lost connection to the Internet for a couple days so I edited sendmail.mc to skip the domain check for the duration. I edited the file ran MAKE and restarted the sendmail process. I also disabled spamd because all of the email would be internal.
</pre>
</blockquote>
<pre wrap=""><!---->
Did you do all of the above as root/unconfined_t? The most likely
problem (at least at that point) was a labeling problem. As you are
running targeted policy it should not have caused a problem.
</pre>
</blockquote>
I assume that I did. I was logged in as root and did not even know
until now that something called unconfined_t existed. Initially, I
entered the commands suggested by setroubleshoot.<br>
<blockquote
cite="mid6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com"
type="cite">
<pre wrap=""> </pre>
<blockquote type="cite">
<pre wrap="">Well SELinux didn't like what I did and started to produce lots of AVC
messages and provided solutions to most of them. I followed the
suggestion in the "Allowing Access" section of the setroubleshoot
browser and most of the messages went away.
</pre>
</blockquote>
<pre wrap=""><!---->
Does that mean you added a local policy module?
</pre>
</blockquote>
<br>
I don't think so. I entered commands like the following: (Copied from
my command buffer)<br>
<pre wrap="">chcon -t httpd_sys_content_t /etc/mail/local-host-names
chcon -t httpd_sys_content_t /etc/mail/trusted-users
chcon -t httpd_sys_content_t submit.cf
chcon -t httpd_sys_content_t clientmqueue
chcon -t httpd_sys_content_t anon_inode:[eventpoll]
The last one wouldn't work and this is when I decided to just disable SELinux until my internet connection was restored.
</pre>
<br>
<blockquote
cite="mid6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com"
type="cite">
<pre wrap=""> </pre>
<blockquote type="cite">
<pre wrap="">After about a dozen of these
messages, I decided to just have the system "relabel on next reboot"
using the SELinux management tool. When that didn't fix the problem, I
just disabled SELinux until the Internet connection was fixed.
So the connection was fixed, I fixed the sendmail.mc file to be exactly the same as before the problem. I used MAKE on the file and relabeled
the SELinux during a reboot and reset SELinux to enforcement mode. Spamd will not start in enforcement mode. I get the following
setroubleshoot message:
</pre>
</blockquote>
<pre wrap=""><!---->
The indication below (in the "Additional Information" section) says that
you are in Permissive, not Enforcing. Of course, things should work in
Permissive mode.
</pre>
</blockquote>
Yes, I switched to Permissive mode so my users were not buried in
spam. The same messages were there in Enforcing mode.<br>
<blockquote
cite="mid6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com"
type="cite">
<blockquote type="cite">
<pre wrap="">Summary
SELinux is preventing spamd (spamd_t) "search" to mail
(httpd_sys_content_t).
</pre>
</blockquote>
<pre wrap=""><!---->
It doesn't seem like spamd should need access to httpd* files. If you
are in Permissive mode that may not be what your problem is. What is the
file related to this message (i.e., the path of the target directory
that is labeled with httpd_sys_content_t)?
</pre>
</blockquote>
I have no idea. The information in my first message is everything that
was displayed in the setroubleshoot window. Other messages in the
setroubleshoot window show file names, but this one doesn't. How would
I find this out?<br>
<blockquote
cite="mid6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com"
type="cite">
<pre wrap=""> </pre>
<blockquote type="cite">
<pre wrap="">Detailed Description
SELinux denied access requested by spamd. It is not expected that this
access is required by spamd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for mail, restorecon -v mail If
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether.
Disabling SELinux protection is not recommended. Please file a bug
report against this package.
Additional Information
Source Context: system_u:system_r:spamd_t
Target Context: system_u:object_r:httpd_sys_content_t
Target Objects: mail [ dir ]
Affected RPM Packages:
Policy RPM: selinux-policy-2.6.4-46.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
When I ran the suggested fix "restorecon -v mail" I get the following
error message:
lstat(mail) failed: No such file or directory
</pre>
</blockquote>
<pre wrap=""><!---->
I think you want to run this in the directory above the mail directory
(e.g., this is typically /etc). Everything in /etc/mail should be
labeled with etc_mail_t. You should also run it with -R. For example:
# restorecon -v mail
lstat(mail) failed: No such file or directory
# cd /etc
# restorecon -v mail
# chcon -t file_t mail/sendmail.mc
# restorecon -v mail
# ls -Z mail/sendmail.mc
-rw-r--r-- root root system_u:object_r:file_t mail/sendmail.mc
# restorecon -Rv mail
restorecon reset /etc/mail/sendmail.mc context
system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0
#
</pre>
</blockquote>
I ran the suggested commands, restarted sendmail and spamassassin, and
did the same restorecon command for any file listed in the error
messages. After this I sent an email through a web interface. I got
the following errors in
setroubleshoot:<br>
<br>
#1<br>
<pre wrap="">Summary
SELinux is preventing spamd (spamd_t) "search" to mail(httpd_sys_content_t).
Detailed Description
SELinux denied access requested by spamd. It is not expected that this access is required by spamd and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for mail, restorecon -v mail If this
does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see <a
class="moz-txt-link-freetext"
href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385</a> Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a <a
class="moz-txt-link-freetext"
href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">http://bugzilla.redhat.com/bugzilla/enter_bug.cgi</a>
against this package.
Additional Information
Source Context root:system_r:spamd_t
Target Context system_u:object_r:httpd_sys_content_t
Target Objects mail [ dir ]
Affected RPM Packages
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name mail.dupreeinc.com
Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7
#1 SMP
Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count 1
First Seen Thu 11 Oct 2007 03:32:24 PM PDT
Last Seen Thu 11 Oct 2007 03:32:24 PM PDT
Local ID d478c85c-d36f-4fa3-9371-2ab3f4bb05f5
Line Numbers
Raw Audit Messages
avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0
exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail"
pid=31883
scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0
suid=0
tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1
uid=0
#2
Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files submit.cf (etc_mail_t).
Detailed Description
SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially mislabeled files submit.cf. This means that SELinux will not allow http to
use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled
with a file context which httpd can accesss.
Allowing Access
If you want to change the file context of submit.cf so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t
submit.cf. You can look at the httpd_selinux man page for additional information.
Additional Information
Source Context system_u:system_r:httpd_sys_script_t
Target Context system_u:object_r:etc_mail_t
Target Objects submit.cf [ file ]
Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.httpd_bad_labels
Host Name mail.dupreeinc.com
Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7
#1 SMP
Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count 1
First Seen Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
Local ID e67e0ecc-909e-44ba-8a80-106228c8e348
Line Numbers
Raw Audit Messages
avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
items=0
name="submit.cf" pid=31906
scontext=system_u:system_r:httpd_sys_script_t:s0
sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
#3
Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files /etc/mail/submit.cf (etc_mail_t).
Detailed Description
SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
mislabeled files /etc/mail/submit.cf. This means that SELinux will not
allow http to use these files. Many third party apps install html files in
directories that SELinux policy can not predict. These directories have to
be labeled with a file context which httpd can accesss.
Allowing Access
If you want to change the file context of /etc/mail/submit.cf so that the
httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t /etc/mail/submit.cf. You can look at the httpd_selinux
man page for additional information.
Additional Information
Source Context system_u:system_r:httpd_sys_script_t
Target Context system_u:object_r:etc_mail_t
Target Objects /etc/mail/submit.cf [ file ]
Affected RPM Packages sendmail-8.14.1-4.2.fc7
[application]sendmail-8.14.1-4.2.fc7
[target]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.httpd_bad_labels
Host Name mail.dupreeinc.com
Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7
#1 SMP
Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count 1
First Seen Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
Local ID 10bd0547-6b5c-4b86-96e6-6bb16af2a64d
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
items=0
name="submit.cf" path="/etc/mail/submit.cf" pid=31906
scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
#4
Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
"create" to <Unknown> (httpd_sys_script_t).
Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
expected that this access is required by /usr/sbin/sendmail.sendmail and
this access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
<a class="moz-txt-link-freetext"
href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385</a> Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a <a
class="moz-txt-link-freetext"
href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">http://bugzilla.redhat.com/bugzilla/enter_bug.cgi </a> against this package.
Additional Information
Source Context system_u:system_r:httpd_sys_script_t
Target Context system_u:system_r:httpd_sys_script_t
Target Objects None [ unix_dgram_socket ]
Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall
Host Name mail.dupreeinc.com
Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7
#1 SMP
Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count 1
First Seen Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
Local ID ef574580-2190-4edc-8e54-b92181831531
Line Numbers
Raw Audit Messages
avc: denied { create } for comm="sendmail" egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
items=0
pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
tclass=unix_dgram_socket
tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
#5
Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
"sendto" to /dev/log (syslogd_t).
Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
expected that this access is required by /usr/sbin/sendmail.sendmail and
this access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
<a class="moz-txt-link-freetext"
href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385</a> Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a <a class="moz-txt-link-freetext"
href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">http://bugzilla.redhat.com/bugzilla/enter_bug.cgi</a>
against this package.
Additional Information
Source Context system_u:system_r:httpd_sys_script_t
Target Context system_u:system_r:syslogd_t
Target Objects /dev/log [ unix_dgram_socket ]
Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall
Host Name mail.dupreeinc.com
Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7
#1 SMP
Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count 1
First Seen Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
Local ID 831be357-c006-4d42-8ab7-1634e2035ef4
Line Numbers
Raw Audit Messages
avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
items=0
name="log" path="/dev/log" pid=31906
scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
tclass=unix_dgram_socket
tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48
#6
Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
"write" to <Unknown> (httpd_sys_script_t).
Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
expected that this access is required by /usr/sbin/sendmail.sendmail and
this access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
<a class="moz-txt-link-freetext"
href="http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385">http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385</a> Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a <a class="moz-txt-link-freetext"
href="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">http://bugzilla.redhat.com/bugzilla/enter_bug.cgi</a>
against this package.
Additional Information
Source Context system_u:system_r:httpd_sys_script_t
Target Context system_u:system_r:httpd_sys_script_t
Target Objects None [ unix_dgram_socket ]
Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall
Host Name mail.dupreeinc.com
Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7
#1 SMP
Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count 1
First Seen Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
Local ID a793410a-36e5-4685-b82a-c7a0ddee7c44
Line Numbers
Raw Audit Messages
avc: denied { write } for comm="sendmail" egid=51 euid=48
exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48
items=0
pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
tclass=unix_dgram_socket
tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
#7
Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially
mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).
Detailed Description
SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
mislabeled files anon_inode:[eventpoll]. This means that SELinux will not
allow http to use these files. Many third party apps install html files in
directories that SELinux policy can not predict. These directories have to
be labeled with a file context which httpd can accesss.
Allowing Access
If you want to change the file context of anon_inode:[eventpoll] so that the
httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t anon_inode:[eventpoll]. You can look at the
httpd_selinux man page for additional information.
Additional Information
Source Context system_u:system_r:httpd_sys_script_t
Target Context system_u:object_r:anon_inodefs_t
Target Objects anon_inode:[eventpoll] [ file ]
Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
Policy RPM selinux-policy-2.6.4-46.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.httpd_bad_labels
Host Name mail.dupreeinc.com
Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7
#1 SMP
Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count 1
First Seen Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
Local ID 5c2f5b86-899e-44d6-ba25-906180a5731d
Line Numbers
Raw Audit Messages
avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51
euid=48
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
items=0
name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906
scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48</pre>
<br>
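The raw audit messages pasted above can be triaged mechanically, which separates the denials that are labeling problems (fixable with restorecon, as David describes) from the ones that are not. The Python script below is an added example, not code from this thread or from any SELinux tool. It parses the key=value AVC lines quoted above (re-joined onto one line each and trimmed to the fields it needs), pulls the source and target types out of the contexts, and sorts each denial into a bucket a defender would act on differently. The expected-label table (files under /etc/mail carry etc_mail_t) is an assumption taken from David's advice; the bucket names and the anon_inode rule are my own.<br>

```python
"""Triage raw SELinux AVC denials such as the ones pasted in the thread.

Added example; not from the thread or from any SELinux tool.  Buckets:
  mislabeled_target      - a known directory whose file carries the wrong type
                           (fix: restorecon -Rv on the directory)
  unexpected_httpd_label - a non-httpd domain touching an httpd_* label
                           (a leftover chcon to locate and restorecon)
  pseudo_inode           - anon_inode objects; no file to relabel at all
  domain_policy          - label is fine; a policy question, not a relabel
"""
import re
from collections import Counter

# Raw audit messages quoted in the thread, re-joined onto one line each and
# trimmed to the fields the triage needs.
AVC_LINES = [
    'avc: denied { search } for comm="spamd" dev=dm-0 exe="/usr/bin/perl" name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0',
    'avc: denied { read } for comm="sendmail" dev=dm-0 exe="/usr/sbin/sendmail.sendmail" name="submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:etc_mail_t:s0',
    'avc: denied { getattr } for comm="sendmail" dev=dm-0 exe="/usr/sbin/sendmail.sendmail" name="submit.cf" path="/etc/mail/submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:etc_mail_t:s0',
    'avc: denied { sendto } for comm="sendmail" dev=tmpfs exe="/usr/sbin/sendmail.sendmail" name="log" path="/dev/log" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0',
    'avc: denied { read, write } for comm="sendmail" dev=anon_inodefs exe="/usr/sbin/sendmail.sendmail" name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file tcontext=system_u:object_r:anon_inodefs_t:s0',
]

# Assumption drawn from David's advice in the thread: /etc/mail is etc_mail_t.
EXPECTED_TYPE_BY_DIR = {"/etc/mail": "etc_mail_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def context_type(ctx):
    """user:role:type[:level] -> type (works for 3- and 4-part contexts)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Return perms, the key=value fields and the source/target types, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = [p.strip(",") for p in m.group("perms").split()]   # "read, write"
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        fields[key] = bare if bare else quoted
    return {"perms": perms, "fields": fields,
            "stype": context_type(fields.get("scontext", "")),
            "ttype": context_type(fields.get("tcontext", ""))}


def classify(rec):
    """Sort one parsed denial into an action bucket with a short reason."""
    f = rec["fields"]
    path = f.get("path", "")
    if f.get("dev") == "anon_inodefs" or path.startswith("anon_inode:"):
        return ("pseudo_inode",
                "not a filesystem object; chcon/restorecon cannot apply here")
    for directory, expected in EXPECTED_TYPE_BY_DIR.items():
        if path.startswith(directory + "/"):
            if rec["ttype"] != expected:
                return ("mislabeled_target",
                        f"{path} is {rec['ttype']}, expected {expected}: "
                        f"run restorecon -Rv {directory}")
            return ("domain_policy",
                    f"{path} already carries {expected}; {rec['stype']} lacks "
                    f"policy for {','.join(rec['perms'])}, so do not chcon it")
    if rec["ttype"].startswith("httpd_") and not rec["stype"].startswith("httpd_"):
        return ("unexpected_httpd_label",
                f"{rec['stype']} hit a {rec['ttype']} {f.get('tclass')} named "
                f"{f.get('name')!r}; locate it (GNU find -context) and restorecon it")
    return ("domain_policy",
            f"{rec['stype']} -> {rec['ttype']} ({f.get('tclass')}): a local "
            "policy module or bug report, not a relabel")


def triage(lines):
    """Parse and classify every AVC line; returns [(bucket, reason, record)]."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec:
            results.append((*classify(rec), rec))
    return results


def summarize(results):
    """Count denials per bucket."""
    return Counter(bucket for bucket, _, _ in results)


if __name__ == "__main__":
    res = triage(AVC_LINES)
    for bucket, reason, rec in res:
        print(f"[{bucket:22}] {rec['fields'].get('comm')} {rec['perms']}: {reason}")
    print(dict(summarize(res)))
```

Run as-is it reports the spamd denial as a stray httpd label to hunt down, the submit.cf denials as a policy question (the file already has its correct etc_mail_t label, so the chcon that setroubleshoot suggests would re-create the original mislabel), and the eventpoll entry as something that cannot be relabeled at all, which is why the earlier chcon on it failed.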
</body>
</html>