sendmail, /etc/aliases.db ....

Paul Howarth paul at city-fan.org
Tue Aug 28 20:28:16 UTC 2007


On Tue, 28 Aug 2007 10:30:59 -0700
"Tom London" <selinux at gmail.com> wrote:

> Running Rawhide, targeted/enforcing.
> 
> Notice this in /var/log/audit/audit.log:
> 
> type=AVC msg=audit(1188316403.485:16): avc:  denied  { create } for
> pid=2704 comm="newaliases" name="aliases.db"
> scontext=system_u:system_r:sendmail_t:s0
> tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
> type=SYSCALL msg=audit(1188316403.485:16): arch=40000003 syscall=5
> success=no exit=-13 a0=bfa8ddd8 a1=c2 a2=1a0 a3=c2 items=0 ppid=2691
> pid=2704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
> sgid=51 fsgid=51 tty=(none) comm="newaliases"
> exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0
> key=(null)
> 
> Looks like it is occurring when sendmail gets started during boot.
> 
> Running /usr/bin/newaliases manually at root console works with no
> AVCs, but leaves /etc/aliases.db with the 'wrong' label:
> 
> [root at localhost ~]# ls -Zl /etc/alia*
> -rw-r--r-- 1 system_u:object_r:etc_aliases_t  root root   1512
> 2005-04-25 09:48 /etc/aliases
> -rw-r----- 1 system_u:object_r:etc_t          root smmsp 12288
> 2007-08-28 10:27 /etc/aliases.db
> [root at localhost ~]# restorecon -v /etc/alias*
> restorecon reset /etc/aliases.db context
> system_u:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
> [root at localhost ~]#
> 
> Should /etc/init.d/sendmail fix the label after running newaliases?

Possibly, but running newaliases at the console shouldn't result in the
wrong label; this is a normal thing to do after updating the aliases
file.

Paul.



