sendmail, /etc/aliases.db ....

Daniel J Walsh dwalsh at redhat.com
Wed Aug 29 10:32:59 UTC 2007


Paul Howarth wrote:
> On Tue, 28 Aug 2007 10:30:59 -0700
> "Tom London" <selinux at gmail.com> wrote:
> 
>> Running Rawhide, targeted/enforcing.
>>
>> Notice this in /var/log/audit/audit.log:
>>
>> type=AVC msg=audit(1188316403.485:16): avc:  denied  { create } for
>> pid=2704 comm="newaliases" name="aliases.db"
>> scontext=system_u:system_r:sendmail_t:s0
>> tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
>> type=SYSCALL msg=audit(1188316403.485:16): arch=40000003 syscall=5
>> success=no exit=-13 a0=bfa8ddd8 a1=c2 a2=1a0 a3=c2 items=0 ppid=2691
>> pid=2704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
>> sgid=51 fsgid=51 tty=(none) comm="newaliases"
>> exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0
>> key=(null)
>>
>> Looks like it is occurring when sendmail gets started during boot.
>>
>> Running /usr/bin/newaliases manually at root console works with no
>> AVCs, but leaves /etc/aliases.db with the 'wrong' label:
>>
>> [root@localhost ~]# ls -Zl /etc/alia*
>> -rw-r--r-- 1 system_u:object_r:etc_aliases_t  root root   1512
>> 2005-04-25 09:48 /etc/aliases
>> -rw-r----- 1 system_u:object_r:etc_t          root smmsp 12288
>> 2007-08-28 10:27 /etc/aliases.db
>> [root@localhost ~]# restorecon -v /etc/alias*
>> restorecon reset /etc/aliases.db context
>> system_u:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
>> [root@localhost ~]#
>>
>> Should /etc/init.d/sendmail fix the label after running newaliases?
> 
> Possibly, but running newaliases at the console shouldn't result in the
> wrong label; this is a normal thing to do after updating the aliases
> file.
> 
> Paul.

You are right, I need a transition from unconfined to sendmail.



