Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Dec 7 16:50:27 UTC 2004


On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:

> Can you try this patch

Will let you know after I get a chance to test at a reboot, but at first
eyeball it looks close to workable, if not elegant.  Probably be tomorrow
before I have feedback on this one...

> +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }
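Review bot: the quoted `can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }` line has no closing `)`, so as quoted it would not pass through the policy macro expansion; if that is a quoting artifact the real patch line should be checked, otherwise it needs `)` after the brace list. Separately, the brace list grants fsdaemon_t execute rights over sbin_t, bin_t and shell_exec_t, which is effectively every system binary plus a shell; if the only thing the daemon needs to run is the mailer, a line naming just the mailer's exec type would keep the domain far tighter.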

Definitely more sledgehammer than elegance here. :)

I'm wondering if it would make more sense to push a patch upstream to the
kernel-utils crew.  Reading the smartd manpage in more detail, it looks like
feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the
default) would let us only have to add sendmail_exec_t rather than all those.

I'll try your patch, and then see where I can get with the 'invoke sendmail
directly' route.

I'm not sure what we want to do here - even if we fix the flood of avc's for
the default case, the smartmontools documentation has examples of invoking
arbitrary shell scripts with -M (which of course means the obvious).  What
direction do we want to take here?  Where should sites that need to add
other 'can_exec' entries be putting them?
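One way to answer the "which can_exec entries" question from the denials themselves, as an added example that is not part of this thread: a small POSIX shell helper that tallies AVC denials for one source domain by target type, object class and permission, and then lists just the file types the domain was refused `execute` on. The log lines embedded below are constructed samples in the pre-auditd dmesg/syslog AVC format of the period, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what a confined
# domain was actually denied, so a can_exec() list can be decided per type
# instead of granted wholesale. SAMPLE_AVCS is constructed test data in the
# 2004-era "audit(...): avc:  denied  { perm } for ..." syslog format.

SAMPLE_AVCS='audit(1102434227.031:0): avc:  denied  { execute } for  pid=4321 exe=/usr/sbin/smartd path=/bin/sh dev=hda3 ino=2051 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1102434227.032:0): avc:  denied  { execute_no_trans } for  pid=4321 exe=/usr/sbin/smartd path=/bin/sh dev=hda3 ino=2051 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1102434227.033:0): avc:  denied  { execute } for  pid=4321 exe=/usr/sbin/smartd path=/bin/sh dev=hda3 ino=2051 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1102434227.034:0): avc:  denied  { execute } for  pid=4321 exe=/usr/sbin/smartd path=/bin/sh dev=hda3 ino=2051 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1102434227.040:0): avc:  denied  { execute } for  pid=4322 exe=/bin/bash path=/bin/mail dev=hda3 ino=4099 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:bin_t tclass=file
audit(1102434227.041:0): avc:  denied  { execute } for  pid=4323 exe=/bin/bash path=/usr/sbin/sendmail dev=hda3 ino=8187 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:sendmail_exec_t tclass=file
audit(1102434227.042:0): avc:  denied  { read } for  pid=4323 exe=/usr/sbin/sendmail path=/etc/mail/sendmail.cf dev=hda3 ino=9001 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:etc_t tclass=file'

# avc_summary DOMAIN
#   Reads AVC lines on stdin and prints "COUNT tclass:ttype perm" for every
#   distinct (target type, class, permission) denied to DOMAIN, most
#   frequent first. Lines for other source domains are ignored.
avc_summary() {
    domain="$1"
    grep 'avc: *denied' |
    sed -n "s/.*denied *{ \([^}]*[^} ]\) *}.*scontext=[^ ]*:${domain} .*tcontext=[^ ]*:\([^ ]*\) .*tclass=\([^ ]*\).*/\3:\2 \1/p" |
    sort | uniq -c | sort -rn
}

# exec_targets DOMAIN
#   The distinct file types DOMAIN was refused 'execute' on: the candidate
#   list for a can_exec() line. Each entry still deserves its own decision;
#   a shell or a whole bin directory is a much larger grant than one mailer.
exec_targets() {
    avc_summary "$1" |
    awk '$2 ~ /^file:/ && $3 == "execute" { sub(/^file:/, "", $2); print $2 }' |
    sort
}

# Stand-alone run against the constructed sample, as you would run it
# against "dmesg" or /var/log/messages on the affected host.
printf '%s\n' "$SAMPLE_AVCS" | avc_summary fsdaemon_t
echo "--- execute targets for fsdaemon_t ---"
printf '%s\n' "$SAMPLE_AVCS" | exec_targets fsdaemon_t
```

On the sample, the summary puts `file:shell_exec_t execute` on top with a count of 3, and the execute-target list comes out as `bin_t`, `sendmail_exec_t` and `shell_exec_t`; on a real host that list is the starting point for deciding which entries belong in policy and which denials are better removed by changing how the daemon invokes its mailer.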



More information about the fedora-selinux-list mailing list