selinux, sendmail, and services

Daniel J Walsh dwalsh at redhat.com
Tue Feb 26 14:17:52 UTC 2008


Steven Stern wrote:
> On 02/26/2008 07:37 AM, Daniel J Walsh wrote:
> | Steven Stern wrote:
> |> For two days, I've been receiving notices from setroubleshooter about
> |> sendmail and "unknown file".  Today, after the pam update, I rebooted
> |> and saw sendmail fail to start due to a problem with "services".
> |
> |> Feb 26 06:55:50 sds-desk setroubleshoot: #012    SELinux is preventing
> |> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
> |> (<Unknown>).#012
> |
> |> Feb 26 07:04:35 sds-desk setroubleshoot: #012    SELinux is preventing
> |> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
> |> (/etc/services).#012
> |
> |> I used
> |
> |>     grep sendmail /var/log/audit/audit.log | audit2allow -M sendmail
> |
> |> to generate a policy to fix this. Was this the right thing to do?  And
> |> what caused sendmail and selinux to suddenly have a problem?
> |
> |> sendmail.te:
> |
> |> module sendmail 1.0;
> |
> |> require {
> |>         type initrc_tmp_t;
> |>         type rpm_script_tmp_t;
> |>         type system_mail_t;
> |>         type unconfined_home_t;
> |>         type sendmail_t;
> |>         type unconfined_home_dir_t;
> |>         type var_t;
> |>         class process setrlimit;
> |>         class dir { getattr search };
> |>         class file { write getattr read ioctl };
> |> }
> |
> |> #============= sendmail_t ==============
> |> allow sendmail_t initrc_tmp_t:file { read write getattr ioctl };
This one seems reasonable.
> |> allow sendmail_t rpm_script_tmp_t:file read;
/etc/services has a bad label.
> |> allow sendmail_t self:process setrlimit;
Never seen this before, but I guess I will add it.
> |> allow sendmail_t unconfined_home_dir_t:dir { getattr search };
> |> allow sendmail_t unconfined_home_t:file { read getattr };
These are allowed in current policy for Rawhide/Fedora 8.
> |> allow sendmail_t var_t:file { read write };
This will have to be special for your install. We would need policy for
webmin.
> |
> |> #============= system_mail_t ==============
> |> allow system_mail_t rpm_script_tmp_t:file read;
> |
> |
> | I think your problem is you have a badly labeled /etc/services file.
> | restorecon /etc/services
> |
> | vmware has a bug in their postinstall script that screws up the labeling
> | of /etc/services.
> |
> | I am not sure of your other changes so could you please attach the
> | audit.log file that you used to generate this policy.
> 
> That makes sense. I was playing with vmware server this weekend,
> installed from VMWare's rpm installer.
> 
> The log is attached.
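The point of Dan's reply is that a denial is not automatically a missing rule: the /etc/services denial shows a file carrying the wrong type, and the fix is restorecon, not an audit2allow module. The script below is an added example, not code from the thread or from the poster's attached log. It parses AVC records constructed here to resemble the ones sendmail produced, prints the allow rule audit2allow would emit for each, and flags the record where the target's type differs from the expected on-disk label as a relabel case. The expected label table (/etc/services as etc_t) is an assumption based on reference policy; on a real host you would query matchpathcon(1) or `ls -Z` rather than hard-code it.

```python
import re
from dataclasses import dataclass

# Constructed AVC records modelled on the denials in the thread; they are not
# the poster's attached audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1204009815.101:301): avc:  denied  { read } for  pid=2301 comm="sendmail" name="services" dev=dm-0 ino=131 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204009816.202:302): avc:  denied  { setrlimit } for  pid=2301 comm="sendmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=process
type=AVC msg=audit(1204009817.303:303): avc:  denied  { read write } for  pid=2310 comm="sendmail" name="miniserv.log" dev=dm-0 ino=777 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1204009817.303:303): arch=c000003e syscall=2 success=no exit=-13 comm="sendmail"
"""

# Assumed on-disk labels from reference policy; on a real host query
# matchpathcon(1) or `ls -Z` instead of hard-coding this table.
EXPECTED_TYPE = {"services": "etc_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: tuple
    comm: str
    name: str      # basename of the target object, if the kernel recorded one
    stype: str     # source (process) type
    ttype: str     # target (object) type
    tclass: str

    def allow_rule(self) -> str:
        """The rule audit2allow would emit for this record."""
        target = "self" if self.ttype == self.stype else self.ttype
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.stype} {target}:{self.tclass} {perms};"


def parse_avc(text: str) -> list:
    """Extract the AVC denial records from raw audit.log text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH companion records carry no denial of their own
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(Denial(
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            name=fields.get("name", ""),
            stype=fields["scontext"].split(":")[2],
            ttype=fields["tcontext"].split(":")[2],
            tclass=fields["tclass"],
        ))
    return denials


def triage(denials, expected=EXPECTED_TYPE) -> list:
    """Decide per denial whether the fix is a relabel or a policy review.

    Returns (rule, action, reason) tuples; action is 'relabel' or 'review'.
    """
    out = []
    for d in denials:
        want = expected.get(d.name)
        if want and want != d.ttype:
            out.append((d.allow_rule(), "relabel",
                        f"{d.name} carries {d.ttype} but should be {want}: "
                        f"run 'restorecon -v' on it instead of loading the rule"))
        else:
            out.append((d.allow_rule(), "review",
                        f"no known label mismatch; confirm {d.comm} legitimately "
                        f"needs {' '.join(d.perms)} on {d.ttype}:{d.tclass} before loading"))
    return out


if __name__ == "__main__":
    for rule, action, reason in triage(parse_avc(SAMPLE_AUDIT)):
        print(f"{action:8} {rule}\n         {reason}")
```

Run against a real audit.log, the same two-step split applies: anything whose target type is a tmp or otherwise unexpected type for a well-known path goes to the relabel bucket first, and only what remains after `restorecon` is worth turning into a module.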
