Yee-HAH! 'smartd' issues 70 avc's when it tries to send mail...

Colin Walters walters at
Wed Dec 8 17:08:38 UTC 2004

On Tue, 2004-12-07 at 11:50 -0500, Valdis.Kletnieks at wrote: 
> On Tue, 07 Dec 2004 10:24:54 EST, Daniel J Walsh said:
> > Can you try this patch
> Will let you know after I get a chance to test at a reboot, but at first
> eyeball it looks close to workable, if not elegant.  Probably be tomorrow
> before I have feedback on this one...
> > +can_exec(fsdaemon_t, { sbin_t bin_t shell_exec_t }
> Definitely more sledgehammer than elegance here. :)

Note that in general allowing a domain to exec a shell or random binary
isn't really a big deal; the new binary retains the original domain and
all of its restrictions.

> I'm wondering if it would make more sense to push a patch upstream to the
> kernel-utils crew.  Reading the smartd manpage in more detail, it looks like
> feeding it a '-M exec /usr/sbin/sendmail' (or building with that as the
> default) would let us only have to add sendmail_exec_t rather than all those.

It's always useful to reduce the permissions needed for a particular
program, but I don't see this particular instance as a large win.
Better to spend the time e.g. helping with refactoring HAL to not need
direct block device access in the main process.

> Where should sites that need to add
> other 'can_exec' entries be putting them?

On my personal server which still runs FC2, I put most of my rules in
domains/misc/local.te, and then try to redo it as a diff later against
the latest FC3 policy where applicable.  When I'm directly doing
development of course I edit the original file and send a direct diff,
assuming it will be upstreamed.

More information about the fedora-selinux-list mailing list