A few permission problems

Nicklas Norling exinor at exinor.net
Tue Jul 19 16:07:02 UTC 2005


Daniel J Walsh wrote:

> Nicklas Norling wrote:
>
>> Nicklas Norling wrote:
>>
>>> <snip>
>>> Since 01:22:00 this day my server is in enforce mode. The only thing 
>>> I've found so far is sendmail being denied access to urandom and 
>>> random. I have sendmail setup with SMTP AUTH as well as certs for 
>>> performing STARTTLS with any TLS-able connecting MTA.
>>>
>>> /var/log/messages
>>> Jul 19 08:09:38 spock kernel: audit(1121753378.808:188): avc:  
>>> denied  { getattr } for  pid=20520 comm="sendmail" name="urandom" 
>>> dev=tmpfs ino=846 
>>> scontext=root:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t 
>>> tclass=chr_file
>>> Jul 19 08:09:38 spock kernel: audit(1121753378.808:189): avc:  
>>> denied  { getattr } for  pid=20520 comm="sendmail" name="random" 
>>> dev=tmpfs ino=844 
>>> scontext=root:system_r:system_mail_t tcontext=system_u:object_r:random_device_t 
>>> tclass=chr_file
>>>
>>> /var/log/maillog
>>> Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: 
>>> from=<edited>, size=874, class=0, nrcpts=1, 
>>> msgid=<bd1035dcc05d7b2d6a16b046ae4bdd04 at www.exinor.net>, 
>>> bodytype=8BITMIME, relay=apache at localhost
>>> Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: 
>>> STARTTLS=client, error: connect failed=-1, SSL_error=5, timedout=0, 
>>> errno=2
>>> Jul 19 08:09:38 spock sendmail[20520]: ruleset=tls_server, 
>>> arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0TLS handshake.
>>> Jul 19 08:09:38 spock sendmail[20520]: j6J69cMx020520: to=<edited>, 
>>> ctladdr=<edited> (48/48), delay=00:00:00, xdelay=00:00:00, 
>>> mailer=relay, pri=30874, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, 
>>> stat=Deferred: 403 4.7.0 TLS handshake.
>>> Jul 19 08:09:38 spock sendmail[20521]: STARTTLS=server, error: 
>>> accept failed=0, SSL_error=5, timedout=0,errno=0
>>> Jul 19 08:09:38 spock sendmail[20521]: j6J69cai020521: localhost 
>>> [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>>>
>>> audit2allow -d -l
>>> allow system_mail_t random_device_t:chr_file getattr;
>>> allow system_mail_t urandom_device_t:chr_file getattr;
>>>
>>> Policy rpm installed: selinux-policy-targeted-1.25.1-9.noarch.rpm
>>>
>> <snip>
>>
>> I've installed selinux-policy-targeted-sources-1.25.1-9.noarch.rpm, 
>> edited
>> /etc/selinux/targeted/src/policy/domains/misc/local.te to contain:
>>
>> allow system_mail_t random_device_t:chr_file getattr;
>> allow system_mail_t urandom_device_t:chr_file getattr;
>>
>> Then did a 'make reload' in /etc/selinux/targeted/src/policy as per 
>> instructions I found on the net.
>> This made the sendmail TLS errors go away, however, trying smtp auth 
>> saslauthd complains instead:
>>
>> Jul 19 14:14:19 spock saslauthd[22499]: do_auth         : auth 
>> failure: [user=<edited>] [service=smtp] [realm=] [mech=shadow] 
>> [reason=Unknown]
>> Jul 19 14:14:19 spock saslauthd[22500]: do_auth         : auth 
>> failure: [user=<edited>] [service=smtp] [realm=] [mech=shadow] 
>> [reason=Unknown]
>>
>> 'setenforce 0' makes it all work. No avc's in the logs during 
>> enforcing mode.
>>
>> I guess my pathetic attempts at creating local rules failed 
>> miserably :(
>> I'm in way over my head here I think... Any pointers?
>> /Nicke
>>
> No, you are seeing a new problem.
>
> See if you can do the following
> setsebool -P allow_saslauthd_read_shadow=1
>
> If that is not in your current policy you might need to update it.
>
> Dan
>
I've set the boolean and turned enforcing back on. Mail works as expected :)
Thanks a lot for all the help Daniel!
Yet another system securer :)
/Nicke
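The thread's fix went through two distinct steps: turning the two kernel AVC records into `allow` rules (what `audit2allow -d -l` did), and then noticing that the saslauthd failure produced no AVC at all and therefore needed a policy boolean rather than a new rule. The following Python is an added illustration of that first step and of the "no AVC, so not a rule problem" check; it is not code from the thread or from the audit2allow tool. It assumes the syslog lines have been rejoined onto single lines (the archive wrapped them), and the sample lines are reconstructed from the messages quoted above plus one constructed line used to show permission merging.

```python
import re

# Matches the kernel's AVC record after the syslog prefix:
#   avc:  denied  { getattr } for  pid=... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted ("sendmail") or bare (tmpfs, 846)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial that matter for a policy rule,
    or None if the line is not an AVC denial (e.g. a maillog line)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "").strip('"'),
    }


def avc_to_allow_rules(lines):
    """Collapse AVC denials into 'allow' rules, one per
    (source type, target type, object class), merging permissions the
    way audit2allow's -l output does. Lines without an AVC are ignored,
    so an empty result means the failure is not an access-vector denial."""
    grouped = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        grouped.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


# Reconstructed from the two /var/log/messages lines quoted in the thread.
SAMPLE_AVC = [
    'Jul 19 08:09:38 spock kernel: audit(1121753378.808:188): avc:  denied  '
    '{ getattr } for  pid=20520 comm="sendmail" name="urandom" dev=tmpfs ino=846 '
    'scontext=root:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t '
    'tclass=chr_file',
    'Jul 19 08:09:38 spock kernel: audit(1121753378.808:189): avc:  denied  '
    '{ getattr } for  pid=20520 comm="sendmail" name="random" dev=tmpfs ino=844 '
    'scontext=root:system_r:system_mail_t tcontext=system_u:object_r:random_device_t '
    'tclass=chr_file',
]

# Reconstructed saslauthd lines: an application failure with no AVC record,
# the situation the reply diagnosed as a boolean rather than a missing rule.
SAMPLE_NO_AVC = [
    "Jul 19 14:14:19 spock saslauthd[22499]: do_auth         : auth failure: "
    "[user=<edited>] [service=smtp] [realm=] [mech=shadow] [reason=Unknown]",
]

# Constructed (not from the thread): a second denial on the same pair with a
# different permission, to show that permissions merge into one rule.
SAMPLE_MERGE = SAMPLE_AVC[:1] + [
    'Jul 19 08:09:39 spock kernel: audit(1121753379.100:190): avc:  denied  '
    '{ read } for  pid=20520 comm="sendmail" name="urandom" dev=tmpfs ino=846 '
    'scontext=root:system_r:system_mail_t tcontext=system_u:object_r:urandom_device_t '
    'tclass=chr_file',
]

if __name__ == "__main__":
    for rule in avc_to_allow_rules(SAMPLE_AVC):
        print(rule)
    print("saslauthd lines produced", len(avc_to_allow_rules(SAMPLE_NO_AVC)), "rules")
```

Run over the two kernel lines this prints exactly the two rules the thread got from `audit2allow -d -l`; run over the saslauthd lines it prints no rules, which is the signal that a local `allow` rule is the wrong tool and that a boolean such as the one suggested in the reply (or a policy update) is what to look at instead.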
