Problems with sendmail after upgrade to F8

Daniel J Walsh dwalsh at redhat.com
Tue Nov 20 13:32:41 UTC 2007


Adam Huffman wrote:
> After yum upgrading from F7 to F8, I'm seeing alerts whenever
> fetchmail brings in new mail, even after a complete relabelling of the
> system:
> 
> 
> 
> Summary
>     SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
>     (unconfined_home_dir_t).
> 
> Detailed Description
>     SELinux denied access requested by sendmail. It is not expected that this
>     access is required by sendmail and this access may signal an intrusion
>     attempt. It is also possible that the specific version or configuration of
>     the application is causing it to require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for <Unknown>, restorecon -v
>     <Unknown> If this does not work, there is currently no automatic way to
>     allow this access. Instead,  you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information
> 
> Source Context                system_u:system_r:sendmail_t
> Target Context                unconfined_u:object_r:unconfined_home_dir_t
> Target Objects                None [ dir ]
> Affected RPM Packages
> Policy RPM                    selinux-policy-3.0.8-56.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     saintloup.smith.man.ac.uk
> Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
>                               SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count                   18
> First Seen                    Tue Nov 20 12:15:53 2007
> Last Seen                     Tue Nov 20 12:30:59 2007
> Local ID                      3c789a3b-b8f8-4b21-a34a-bc198b90be73
> Line Numbers
> 
> Raw Audit Messages
> 
> avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161
> scontext=system_u:system_r:sendmail_t:s0 tclass=dir
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
> 
> Summary
>     SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to
>     /home/adam (unconfined_home_dir_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
>     expected that this access is required by /usr/sbin/sendmail.sendmail and
>     this access may signal an intrusion attempt. It is also possible that the
>     specific version or configuration of the application is causing it to
>     require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for /home/adam, restorecon -v
>     /home/adam If this does not work, there is currently no automatic way to
>     allow this access. Instead,  you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information
> 
> Source Context                system_u:system_r:sendmail_t
> Target Context                unconfined_u:object_r:unconfined_home_dir_t
> Target Objects                /home/adam [ dir ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-56.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     saintloup.smith.man.ac.uk
> Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
>                               SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count                   66
> First Seen                    Tue Nov 20 12:15:53 2007
> Last Seen                     Tue Nov 20 12:30:59 2007
> Local ID                      a9ca1470-2510-4d05-baa4-48f8aa3b4474
> Line Numbers
> 
> Raw Audit Messages
> 
> avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
> path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500
> subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0
> 
> 
> I've not seen anything about sendmail in recent selinux-policy builds
> - is something else wrong here?
> 

Does everything seem to be working correctly?  I.e., are you getting your mail?

This looks like sendmail is being executed from your home dir and it is
doing a getattr on it (on the current working directory), which is
generating the AVC.  If it is not causing a problem, you should use
audit2allow to generate a dontaudit rule.

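The dontaudit rule suggested in the reply, worked through for the two denials quoted in this thread. This is an added example, not part of the original post and not audit2allow's own code: it parses the AVC records, merges the denied permissions per (source type, target type, class), and renders policy module source. The module name `localsendmail` and all function names are assumptions.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the post, one per line (uid/gid fields trimmed).
SAMPLE_AVCS = """\
avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
avc: denied { getattr } for comm=sendmail dev=dm-1 exe=/usr/sbin/sendmail.sendmail path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: " + context)
    return parts[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = PERMS_RE.search(line)
        if not match:
            continue  # not an AVC denial
        fields = dict(FIELD_RE.findall(line))
        try:
            key = (type_of(fields["scontext"]), type_of(fields["tcontext"]),
                   fields["tclass"])
        except (KeyError, ValueError):
            continue  # truncated record: never guess at a rule
        denials[key].update(match.group(1).split())
    return dict(denials)

def dontaudit_module(denials, name="localsendmail"):
    """Render the denials as policy module source (.te) with dontaudit rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        out.append(f"dontaudit {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

print(dontaudit_module(collect_denials(SAMPLE_AVCS)))
```

On a real system, `audit2allow -D` derives such rules from the audit log. A dontaudit rule only silences the log entry; it grants sendmail_t no access to the directory.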



