A few permission problems

Daniel J Walsh dwalsh at redhat.com
Tue Jul 19 15:54:55 UTC 2005 

Nicklas Norling wrote:

> Nicklas Norling wrote:
>
>> <snip>
>> Since 01:22:00 this day my server is in enforce mode. The only thing 
>> I've found so far is sendmail being denied access to urandom and 
>> random. I have sendmail setup with SMTP AUTH as well as certs for 
>> performing STARTTLS with any TLS-able connecting MTA.
>>
>> /var/log/messages
>> Jul 19 08:09:38 spock kernel: audit(1121753378.808:188): avc:  
>> denied  { getattr } for  pid=20520 comm="sendmail" name="urandom" 
>> dev=tmpfs ino=846 
>> scontext=root:system_r:system_mail_ttcontext=system_u:object_r:urandom_device_t 
>> tclass=chr_file
>> Jul 19 08:09:38 spock kernel: audit(1121753378.808:189): avc:  
>> denied  { getattr } for  pid=20520 comm="sendmail" name="random" 
>> dev=tmpfs ino=844 
>> scontext=root:system_r:system_mail_ttcontext=system_u:object_r:random_device_t 
>> tclass=chr_file
>>
>> /var/log/maillog
>> Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: from=<edited>, 
>> size=874, class=0, nrcpts=1, 
>> msgid=<bd1035dcc05d7b2d6a16b046ae4bdd04 at www.exinor.net>, 
>> bodytype=8BITMIME, relay=apache at localhost
>> Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: 
>> STARTTLS=client, error: connect failed=-1, SSL_error=5, timedout=0, 
>> errno=2
>> Jul 19 08:09:38 spock sendmail[20520]: ruleset=tls_server, 
>> arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0TLS handshake.
>> Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: to=<edited>, 
>> ctladdr=<edited> (48/48), delay=00:00:00, xdelay=00:00:00, 
>> mailer=relay, pri=30874, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, 
>> stat=Deferred: 403 4.7.0 TLS handshake.
>> Jul 19 08:09:38 spock sendmail[20521]: STARTTLS=server, error: accept 
>> failed=0, SSL_error=5, timedout=0,errno=0
>> Jul 19 08:09:38 spock sendmail[20521]: j6J69cai020521: localhost 
>> [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>>
>> audit2allow -d -l
>> allow system_mail_t random_device_t:chr_file getattr;
>> allow system_mail_t urandom_device_t:chr_file getattr;
>>
>> Policy rpm installed: selinux-policy-targeted-1.25.1-9.noarch.rpm
>>
> <snip>
>
> I've installed selinux-policy-targeted-sources-1.25.1-9.noarch.rpm, 
> edited
> /etc/selinux/targeted/src/policy/domains/misc/local.te to contain:
>
> allow system_mail_t random_device_t:chr_file getattr;
> allow system_mail_t urandom_device_t:chr_file getattr;
>
> Then did a 'make reload' in /etc/selinux/targeted/src/policy as per 
> instructions I found on the net.
> This made the sendmail TLS errors go away, however, trying smtp auth 
> saslauthd complains instead:
>
> Jul 19 14:14:19 spock saslauthd[22499]: do_auth         : auth 
> failure: [user=<edited>] [service=smtp] [realm=] [mech=shadow] 
> [reason=Unknown]
> Jul 19 14:14:19 spock saslauthd[22500]: do_auth         : auth 
> failure: [user=<edited>] [service=smtp] [realm=] [mech=shadow] 
> [reason=Unknown]
>
> 'setenforce 0' makes it all work. No avc's in the logs during 
> enforcing mode.
>
> I guess my pathetic attempts at creating local rules failed misserably :(
> I'm in way over my head here I think... Any pointers?
> /Nicke
>
No, you are seeing a new problem.

See if you can do the following
setsebool -P allow_saslauthd_read_shadow=1

If that is not in your current policy you might need to update it.

Dan




--

More information about the fedora-selinux-list mailing list