Weird selinux problem with sendmail
Morgan Read
mstuff at read.org.nz
Mon Nov 26 22:27:53 UTC 2007
On Mon, 2007-11-26 at 13:34 +0000, Adam Huffman wrote:
> On Nov 25, 2007 8:45 AM, Knute Johnson <knute at frazmtn.com> wrote:
> > I loaded F8 onto my old mail server computer and started to
> > reassemble it. But I'm getting a strange message from sendmail and a
> > selinux avc to go with it. I do not have a .forward file and I have
> > an almost identical system running that doesn't have one either and
> > doesn't give any errors. I don't know if this is a sendmail problem
> > or a selinux problem. The mail comes and goes OK. Any ideas?
> >
> > Thanks,
> >
> > knute...
> >
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward.www: Permission denied
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward: Permission denied
> >
> > Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> > { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> > ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

(I'd like to jump in here - I was about to file a bug against sendmail,
but thought I'd check the lists first!)

I have a similar looking problem after moving to f8 and setting up
my /etc/aliases so that user "morgan" is the person that should get
root's mail (as I have done previously). Similar ref to
unconfined_home_dir_t - but I know little about this stuff. I'm not
getting my mail.

I've copied at bottom three example selinux_alerts, the most recent from
each of three streams of alerts I seem to be accumulating in the
"setroubleshoot browser".

Hope this helps, and I'm interested in any answers.

Regards,
M.

selinux_alert_22-11-07-1.45

Summary
SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan
(unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /home/morgan, restorecon -v
/home/morgan If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          system_u:system_r:sendmail_t
Target Context          unconfined_u:object_r:unconfined_home_dir_t
Target Objects          /home/morgan [ dir ]
Affected RPM Packages
Policy RPM              selinux-policy-3.0.8-56.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               morgansmachine.lan
Platform                Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count             2
First Seen              Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen               Thu 22 Nov 2007 01:45:01 PM NZDT
Local ID                33456cfd-f6bf-4857-8690-f681680cd24c
Line Numbers

Raw Audit Messages
avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=14769 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

selinux_alert_27-11-07-9.45

Summary
SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
(unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          system_u:system_r:sendmail_t
Target Context          unconfined_u:object_r:unconfined_home_dir_t
Target Objects          None [ dir ]
Affected RPM Packages
Policy RPM              selinux-policy-3.0.8-56.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               morgansmachine.lan
Platform                Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count             5
First Seen              Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen               Tue 27 Nov 2007 09:45:51 AM NZDT
Local ID                b60f5a23-575f-4489-89c7-ab71e8be786d
Line Numbers

Raw Audit Messages
avc: denied { search } for comm=sendmail dev=dm-1 name=morgan pid=5918 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

selinux_alert_27-11-07-10.10

Summary
SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan
(unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. /home/morgan may be a
mislabeled. /home/morgan default SELinux type is <B>user_home_dir_t</B>,
while its current type is <B>unconfined_home_dir_t</B>. Changing this file
back to the default type, may fix your problem. File contexts can get
assigned to a file can following ways. <ul> <li>Files created in a
directory recieve the file context of the parent directory by default.
<li>Users can change the file context on a file using tools like chcon, or
restorecon. <li>The kernel can decide via policy that an application running
as context A Creating a file in a directory labeled B will create files
labeled C. </ul> This file could have been mislabeled either by user error,
or if an normally confined application was run under the wrong domain. Of
course this could also indicate a bug in SELinux, in that the file should
not be labeled with this type. If you believe this is a bug, please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
You can restore the default system context to this file by executing the
restorecon command. restorecon /home/morgan, if this file is a directory,
you can recursively restore using restorecon -R /home/morgan.
The following command will allow this access:
restorecon /home/morgan

Additional Information
Source Context          system_u:system_r:sendmail_t
Target Context          unconfined_u:object_r:unconfined_home_dir_t
Target Objects          /home/morgan [ dir ]
Affected RPM Packages
Policy RPM              selinux-policy-3.0.8-56.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.restorecon
Host Name               morgansmachine.lan
Platform                Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count             9
First Seen              Fri 23 Nov 2007 07:04:40 PM NZDT
Last Seen               Tue 27 Nov 2007 10:10:04 AM NZDT
Local ID                96c556ec-4c09-4641-90d0-8c4be7082c66
Line Numbers

Raw Audit Messages
avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=7760 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

--
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17
Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>
fedora: Freedom Forever!
http://fedoraproject.org/wiki/Overview
"By choosing not to ship any proprietary or binary drivers, Fedora does
differ from other distributions. ..."
Quote: Max Spevik
http://interviews.slashdot.org/article.pl?sid=06/08/17/177220
RMS on fedora:
http://fedoraproject.org/wiki/FreeSoftwareAnalysis/FSF
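
An added example, not part of the original message: a small Python parser that collapses the AVC denials quoted in this thread into one row per (source type, target type, class), which makes it easy to see whether several setroubleshoot alert streams are really one denial pattern. The function names `parse_avc` and `summarize` are hypothetical; the sample lines are the raw audit messages from the thread with the mail wrapping removed.

```python
import re
from collections import defaultdict

# AVC records copied from the messages above, with the mail client's line
# wrapping removed so that each denial is a single line.
SAMPLE_AVCS = [
    'audit(1195980055.494:277): avc: denied { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0 ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir',
    'avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=14769 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0',
    'avc: denied { search } for comm=sendmail dev=dm-1 name=morgan pid=5918 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0',
    'avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=7760 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = (fields[k].split(':') for k in ('scontext', 'tcontext'))
    if len(src) < 3 or len(tgt) < 3:
        return None
    fields.update(perms=m.group(1).split(), stype=src[2], ttype=tgt[2])
    return fields

def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set(), 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC denial (e.g. a sendmail syslog line)
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['objects'].add(rec.get('path') or rec.get('name') or '<unknown>')
        g['count'] += 1
    return dict(groups)

if __name__ == '__main__':
    for (stype, ttype, tclass), g in summarize(SAMPLE_AVCS).items():
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} on {sorted(g['objects'])}")
```

On the sample lines every denial falls into a single group, sendmail_t against a directory typed unconfined_home_dir_t, the type the third alert reports as differing from the default user_home_dir_t.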