selinux, sendmail, and services
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 26 13:37:23 UTC 2008
Steven Stern wrote:
> For two days, I've been receiving notices from setroubleshooter about
> sendmail and "unknown file". Today, after the pam update, I rebooted
> and saw sendmail fail to start due to a problem with "services".
>
> Feb 26 06:55:50 sds-desk setroubleshoot: #012 SELinux is preventing
> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
> (<Unknown>).#012
>
> Feb 26 07:04:35 sds-desk setroubleshoot: #012 SELinux is preventing
> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
> (/etc/services).#012
>
> I used
>
>   grep sendmail /var/log/audit/audit.log | audit2allow -M sendmail
>
> to generate a policy to fix this. Was this the right thing to do? And
> what caused sendmail and selinux to suddenly have a problem?
>
> sendmail.te:
>
> module sendmail 1.0;
>
> require {
>     type initrc_tmp_t;
>     type rpm_script_tmp_t;
>     type system_mail_t;
>     type unconfined_home_t;
>     type sendmail_t;
>     type unconfined_home_dir_t;
>     type var_t;
>     class process setrlimit;
>     class dir { getattr search };
>     class file { write getattr read ioctl };
> }
>
> #============= sendmail_t ==============
> allow sendmail_t initrc_tmp_t:file { read write getattr ioctl };
> allow sendmail_t rpm_script_tmp_t:file read;
> allow sendmail_t self:process setrlimit;
> allow sendmail_t unconfined_home_dir_t:dir { getattr search };
> allow sendmail_t unconfined_home_t:file { read getattr };
> allow sendmail_t var_t:file { read write };
>
> #============= system_mail_t ==============
> allow system_mail_t rpm_script_tmp_t:file read;
>
>
I think your problem is you have a badly labeled /etc/services file.

    restorecon /etc/services

VMware has a bug in their postinstall script that screws up the labeling
of /etc/services.

I am not sure of your other changes, so could you please attach the
audit.log file that you used to generate this policy?
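Added example, not part of the original thread: before denials are turned into allow rules with audit2allow, this script lists which file objects a source domain was denied on and the type they currently carry, so the labels can be checked first. The audit records are constructed (including the var_t type shown on /etc/services), and the function names sample_audit_log, avc_targets and check_labels are hypothetical.

```sh
#!/bin/sh
# Constructed sample records, not taken from the poster's audit.log.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1204030550.101:41): avc:  denied  { read } for  pid=2101 comm="sendmail" name="services" dev=dm-0 ino=4001 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1204030550.102:42): avc:  denied  { getattr } for  pid=2101 comm="sendmail" path="/etc/services" dev=dm-0 ino=4001 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1204030551.200:43): avc:  denied  { setrlimit } for  pid=2101 comm="sendmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=process
type=AVC msg=audit(1204030552.300:44): avc:  denied  { read } for  pid=2200 comm="httpd" name="services" dev=dm-0 ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1204030550.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
EOF
}

# avc_targets DOMAIN < audit.log
# Prints "count target_type class object" per denied inode for DOMAIN.
avc_targets() {
  awk -v dom="$1" '
    $1 == "type=AVC" && /denied/ {
      stype = ttype = tclass = obj = dev = ino = ""
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
        if (key == "scontext") { split(val, c, ":"); stype = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        else if (key == "tclass") tclass = val
        else if (key == "dev") dev = val
        else if (key == "ino") ino = val
        else if (key == "path" || (key == "name" && obj == "")) { gsub(/"/, "", val); obj = val }
      }
      if (stype != dom || obj == "" || ino == "") next   # no file object
      id = dev ":" ino                                    # one row per inode
      hits[id]++; tt[id] = ttype " " tclass
      if (!(id in best) || obj ~ /^\//) best[id] = obj    # prefer a full path
    }
    END { for (id in hits) print hits[id], tt[id], best[id] }
  ' | sort
}

# Dry run on each absolute path: show what restorecon would relabel.
check_labels() {
  while read -r _count _type _class obj; do
    case $obj in /*) if command -v restorecon >/dev/null 2>&1; then restorecon -n -v "$obj"; fi ;; esac
  done
}

sample_audit_log | avc_targets sendmail_t   # -> 2 var_t file /etc/services
```

Denials with no file object, such as the setrlimit one in the sample, are left out because relabeling cannot address them.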