Problems with sendmail after upgrade to F8
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 20 13:32:41 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adam Huffman wrote:
> After yum upgrading from F7 to F8, I'm seeing alerts whenever
> fetchmail brings in new mail, even after a complete relabelling of the
> system:
>
>
>
> Summary
> SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
> (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by sendmail. It is not expected that this
> access is required by sendmail and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for <Unknown>, restorecon -v
> <Unknown> If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context system_u:system_r:sendmail_t
> Target Context unconfined_u:object_r:unconfined_home_dir_t
> Target Objects None [ dir ]
> Affected RPM Packages
> Policy RPM selinux-policy-3.0.8-56.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name saintloup.smith.man.ac.uk
> Platform Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
> SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count 18
> First Seen Tue Nov 20 12:15:53 2007
> Last Seen Tue Nov 20 12:30:59 2007
> Local ID 3c789a3b-b8f8-4b21-a34a-bc198b90be73
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161
> scontext=system_u:system_r:sendmail_t:s0 tclass=dir
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
>
> Summary
> SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to
> /home/adam (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
> expected that this access is required by /usr/sbin/sendmail.sendmail and
> this access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /home/adam, restorecon -v
> /home/adam If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context system_u:system_r:sendmail_t
> Target Context unconfined_u:object_r:unconfined_home_dir_t
> Target Objects /home/adam [ dir ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc8 [application]
> Policy RPM selinux-policy-3.0.8-56.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name saintloup.smith.man.ac.uk
> Platform Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
> SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count 66
> First Seen Tue Nov 20 12:15:53 2007
> Last Seen Tue Nov 20 12:30:59 2007
> Local ID a9ca1470-2510-4d05-baa4-48f8aa3b4474
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
> path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500
> subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0
>
>
> I've not seen anything about sendmail in recent selinux-policy builds
> - is something else wrong here?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Does everything seem to be working correctly? IE Are you getting your mail?
This looks like sendmail is being executed from your home dir and it is
doing a getattr on it (On current working directory), which is
generating the AVC. If is not causing a problem. YOu should use
audit2allow to generate dontaudit rule.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHQuH5rlYvE4MpobMRAvsAAKDp8LXKk1nkcywmn7GIPl2Q9qAaXwCfarGN
5QOtH0QW6efPg1Zt5BL45nk=
=poHR
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list