SELinux problem after sendmail.mc modification.
doug at dupreeinc.com
Thu Oct 11 20:16:53 UTC 2007
I hope somebody has seen this before. I am not sure if it is a bug or my
not completely understanding how SELinux works.
My mail server was working fine secured by SELinux running in enforcing
mode. Our company lost connection the the Internet for a couple days so
I edited sendmail.mc to skip the domain check for the duration. I edited
the file ran MAKE and restarted the sendmail process. I also disabled
spamd because all of the email would be internal.
Well SELinux didn't like what I did and started to produce lots of AVC
messages and provided solutions to most of them. I followed the
suggestion in the "Allowing Access" section of the setroubleshoot
browser and most of the messages went away. After about a dozen of these
messages, I decided to just have the system "relabel on next reboot"
using the SELinux management tool. When that didn't fix the problem, I
just disabled SELinux until the Internet connection was fixed.
So the connection was fixed, I fixed the sendmail.mc file to be exactly
the same as before the problem. I used MAKE on the file and relabeled
the SELinux during a reboot and reset SELinux to enforcement mode.
Spamd will not start in enforcement mode. I get the following
SELinux is preventing spamd (spamd_t) "search" to mail
SELinux denied access requested by spamd. It is not expected that this
access is required by spamd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for mail, restorecon -v mail If
this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether.
Disabling SELinux protection is not recommended. Please file a bug
report against this package.
Source Context: system_u:system_r:spamd_t
Target Context: system_u:object_r:httpd_sys_content_t
Target Objects: mail [ dir ]
Affected RPM Packages:
Policy RPM: selinux-policy-2.6.4-46.fc7
Selinux Enabled: TruePolicy Type: targetedMLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
When I ran the suggested fix "restorecon -v mail" I get the following
lstat(mail) failed: No such file or directory
I was under the impression that if I relabeled the system everything
would be reset, but obviously I am incorrect...
I have also received other AVC messages all relating to sendmail files.
I was not sure if these would help so I did not include them in this
message (This questions is already pretty long!).
Any idea how I can get spamd to run in enforcing mode -and- get SELinux
to be happy again?
More information about the fedora-selinux-list