SELinux problem after sendmail.mc modification.

Doug Thistlethwaite doug at dupreeinc.com
Thu Oct 11 20:16:53 UTC 2007 

Hello,

I hope somebody has seen this before. I am not sure if it is a bug or my 
not completely understanding how SELinux works.

My mail server was working fine secured by SELinux running in enforcing 
mode. Our company lost connection the the Internet for a couple days so 
I edited sendmail.mc to skip the domain check for the duration. I edited 
the file ran MAKE and restarted the sendmail process. I also disabled 
spamd because all of the email would be internal.

Well SELinux didn't like what I did and started to produce lots of AVC 
messages and provided solutions to most of them. I followed the 
suggestion in the "Allowing Access" section of the setroubleshoot 
browser and most of the messages went away. After about a dozen of these 
messages, I decided to just have the system "relabel on next reboot" 
using the SELinux management tool. When that didn't fix the problem, I 
just disabled SELinux until the Internet connection was fixed.

So the connection was fixed, I fixed the sendmail.mc file to be exactly 
the same as before the problem. I used MAKE on the file and relabeled 
the SELinux during a reboot and reset SELinux to enforcement mode.

Spamd will not start in enforcement mode. I get the following
setroubleshoot message:

Summary
SELinux is preventing spamd (spamd_t) "search" to mail 
(httpd_sys_content_t).

Detailed Description
SELinux denied access requested by spamd. It is not expected that this 
access is required by spamd and this access may signal an intrusion 
attempt. It is also possible that the specific version or configuration 
of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to 
restore the default system file context for mail, restorecon -v mail If 
this does not work, there is currently no automatic way to allow this 
access. Instead, you can generate a local policy module to allow this 
access - see FAQ Or you can disable SELinux protection altogether. 
Disabling SELinux protection is not recommended. Please file a bug 
report against this package.

Additional Information
    Source Context: system_u:system_r:spamd_t
    Target Context: system_u:object_r:httpd_sys_content_t
    Target Objects: mail [ dir ]
    Affected RPM Packages:
    Policy RPM: selinux-policy-2.6.4-46.fc7
    Selinux Enabled: TruePolicy Type: targetedMLS Enabled: True
    Enforcing Mode: Permissive
    Plugin Name: plugins.catchall_file


When I ran the suggested fix "restorecon -v mail" I get the following 
error message:
lstat(mail) failed: No such file or directory

I was under the impression that if I relabeled the system everything 
would be reset, but obviously I am incorrect...

I have also received other AVC messages all relating to sendmail files. 
  I was not sure if these would help so I did not include them in this 
message (This questions is already pretty long!).

Any idea how I can get spamd to run in enforcing mode -and- get SELinux 
to be happy again?

Thanks,

Doug

More information about the fedora-selinux-list mailing list