Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)

NM nico at altiva.fr
Fri Dec 12 09:53:15 UTC 2008


I didn't want to have a full-fledged MTA on my machines; I tried both 
esmtp and ssmtp, and both seem unable to work without tripping on 
SELinux. It looks like they always inherit the context of the calling 
program, which doesn't have the rights to, say, connect outside on port 
25.

Is there a way?


Summary:

SELinux is preventing sendmail (logwatch_t) "name_connect" smtp_port_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:smtp_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        sendmail
Source Path                   /usr/sbin/ssmtp
Port                          25
Host                          lin1195
Source RPM Packages           ssmtp-2.61-11.7.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     lin1195
Platform                      Linux lin1195 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 12 Dec 2008 04:02:05 AM CET
Last Seen                     Fri 12 Dec 2008 04:02:05 AM CET
Local ID                      631702fa-42b7-444d-b62e-fe50df41bf9f
Line Numbers                  

Raw Audit Messages            

node=lin1195 type=AVC msg=audit(1229050925.485:1082): avc:  denied  { name_connect } for  pid=22689 comm="sendmail" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket

node=lin1195 type=SYSCALL msg=audit(1229050925.485:1082): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=ad2d90 a2=10 a3=3b4856da70 items=0 ppid=22433 pid=22689 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=122 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
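
Added example, not part of the original post: a small parser that reads the AVC record above and renders the text of a local policy module of the kind the report's "Allowing Access" section refers to. The module name `localmailfwd` and the function names are hypothetical, chosen for this example.

```python
import re

# Raw AVC record from the report above, rejoined onto one line.
AVC = ('node=lin1195 type=AVC msg=audit(1229050925.485:1082): avc:  denied  '
       '{ name_connect } for  pid=22689 comm="sendmail" dest=25 '
       'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"')
          for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    # A context is user:role:type[:mls-range]; the type is the third field.
    return {
        'perms': m.group(1).split(),
        'source': kv['scontext'].split(':')[2],
        'target': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
    }


def braces(perms):
    """Policy syntax: a single permission is bare, several go in { }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def te_module(records, name='localmailfwd'):  # module name is hypothetical
    """Render a local type-enforcement module allowing the denied accesses."""
    rules, classes, types = {}, {}, set()
    for r in records:
        key = (r['source'], r['target'], r['tclass'])
        rules.setdefault(key, set()).update(r['perms'])
        classes.setdefault(r['tclass'], set()).update(r['perms'])
        types.update((r['source'], r['target']))
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s %s;' % (c, braces(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (s, t, c, braces(p))
            for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(te_module([parse_avc(AVC)]))
```

The resulting rule applies to every process running in `logwatch_t`, not only to `/usr/sbin/ssmtp`, so the rendered module should be reviewed before it is compiled and loaded.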





