Request Tracker 3

Kanwar Ranbir Sandhu m3freak at rogers.com
Wed Feb 2 15:43:17 UTC 2005


On Wed, 2005-02-02 at 10:10 -0500, Daniel J Walsh wrote: 
> Rather than going down a rathole, here could
> you
> setenforce 0
> Run both test and send the avc messages.

Okay, no problem.  I'll describe the mail setups, followed by the
selinux messages for each.

Mail config in RT:
------------------
mail command: sendmailpipe
arguments: -oi -t         #(-t required, as stated in RT docs)
path: /usr/sbin/sendmail

avc messages:
-------------
avc:  denied  { read } for  pid=6130 exe=/usr/sbin/httpd name=sendmail
dev=dm-3 ino=277369 scontext=root:system_r:httpd_t
tcontext=user_u:object_r:sbin_t tclass=lnk_file


Mail config in RT:
------------------
mail command: sendmail
arguments: -oi
path: /usr/sbin/sendmail #(not read when mail command set to sendmail)

avc messages:
-------------
avc:  denied  { search } for  pid=6082 exe=/usr/bin/perl name=postfix
dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_spool_t tclass=dir

avc:  denied  { getattr } for  pid=6086 exe=/usr/sbin/sendmail.postfix
path=socket:[14139] dev=sockfs ino=14139
scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t
tclass=unix_stream_socket

avc:  denied  { execute } for  pid=6087 exe=/usr/sbin/sendmail.postfix
name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:sbin_t tclass=file

avc:  denied  { execute_no_trans } for  pid=6087
exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3
ino=276825 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:sbin_t tclass=file

avc:  denied  { read } for  pid=6087 exe=/usr/sbin/sendmail.postfix
path=/usr/sbin/postdrop dev=dm-3 ino=276825
scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t
tclass=file

avc:  denied  { write } for  pid=6087 exe=/usr/sbin/postdrop
name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir

avc:  denied  { add_name } for  pid=6087 exe=/usr/sbin/postdrop
name=1290.6087 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir

avc:  denied  { create } for  pid=6087 exe=/usr/sbin/postdrop
name=1290.6087 scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file

avc:  denied  { getattr } for  pid=6087 exe=/usr/sbin/postdrop
path=/var/spool/postfix/maildrop/1290.6087 dev=dm-5 ino=34911
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file

avc:  denied  { remove_name } for  pid=6087 exe=/usr/sbin/postdrop
name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir

avc:  denied  { rename } for  pid=6087 exe=/usr/sbin/postdrop
name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file

avc:  denied  { write } for  pid=6087 exe=/usr/sbin/postdrop
path=/var/spool/postfix/maildrop/1ACA7885F dev=dm-5 ino=34911
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file

avc:  denied  { setattr } for  pid=6087 exe=/usr/sbin/postdrop
name=1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file

avc:  denied  { getattr } for  pid=6087 exe=/usr/sbin/postdrop
path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827
scontext=root:system_r:system_mail_t
tcontext=user_u:object_r:var_spool_t tclass=fifo_file

avc:  denied  { write } for  pid=6087 exe=/usr/sbin/postdrop name=pickup
dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t
tcontext=user_u:object_r:var_spool_t tclass=fifo_file

Wow.  Big difference in denials.

Regards,

Ranbir
-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
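Added example (not part of the message above, and not RT or SELinux tooling): a small Python script that joins the line-wrapped AVC records of the kind pasted above, parses them, and groups the denied permissions by source type, target type and object class. Run over the two sets of denials it makes the difference between the setups visible at a glance: the sendmailpipe run is denied from httpd_t, while the sendmail run is denied from httpd_sys_script_t and from system_mail_t after the transition. The sample records are copied from the message; the script assumes the pre-auditd kernel AVC format shown there (no audit(...) prefix) and that contexts are user:role:type with an optional level.

```python
import re
from collections import defaultdict

# Sample AVC records taken from the message above (line-wrapped as posted).
SAMPLE_AVC = """\
avc:  denied  { read } for  pid=6130 exe=/usr/sbin/httpd name=sendmail
dev=dm-3 ino=277369 scontext=root:system_r:httpd_t
tcontext=user_u:object_r:sbin_t tclass=lnk_file

avc:  denied  { execute } for  pid=6087 exe=/usr/sbin/sendmail.postfix
name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:sbin_t tclass=file

avc:  denied  { write } for  pid=6087 exe=/usr/sbin/postdrop
name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir

avc:  denied  { add_name } for  pid=6087 exe=/usr/sbin/postdrop
name=1290.6087 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
"""

PERM_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}")
KV_RE = re.compile(r"(\w+)=(\S+)")


def split_records(text):
    """Re-join records that a mail client wrapped across several lines.

    A record starts at a line beginning with 'avc:' and continues until the
    next such line or a blank line.
    """
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("avc:"):
            if current:
                records.append(" ".join(current))
            current = [line.strip()]
        elif line.strip() and current:
            current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records


def parse_avc(record):
    """Return a dict with result, perms and all key=value fields, or None."""
    match = PERM_RE.search(record)
    if not match:
        return None
    fields = dict(KV_RE.findall(record))
    return {"result": match.group(1), "perms": match.group(2).split(), **fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied perms."""
    summary = defaultdict(set)
    for record in split_records(text):
        parsed = parse_avc(record)
        if parsed is None or parsed["result"] != "denied":
            continue
        key = (context_type(parsed["scontext"]),
               context_type(parsed["tcontext"]),
               parsed["tclass"])
        summary[key].update(parsed["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def source_domains(text):
    """Sorted list of the distinct source (process) types that were denied."""
    domains = set()
    for record in split_records(text):
        parsed = parse_avc(record)
        if parsed is not None:
            domains.add(context_type(parsed["scontext"]))
    return sorted(domains)


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_AVC).items():
        print(f"{src} -> {tgt}:{cls}  {{ {' '.join(perms)} }}")
    print("source domains:", ", ".join(source_domains(SAMPLE_AVC)))
```

The grouped view is the same one audit2allow works from, but the point here is triage rather than generating allow rules: seeing which domain the denials come from tells you whether httpd is reaching sendmail directly (httpd_t, first setup) or whether the mail domain transition happened and the remaining denials belong to the MTA side (system_mail_t, second setup).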