sendmail avc's - on a system upgraded from f7 to f8 - in <Unknown>

Daniel J Walsh dwalsh at redhat.com
Tue Feb 5 13:34:44 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Timms wrote:
> Daniel J Walsh wrote:
>> David Timms wrote:
>>> AFAICS, I haven't made any configs to sendmail, yet I've started to get
>>> lots of AVC warnings in setroubleshoot, of three particular types:
>>>
>>> 1:========
>>> Summary
>>> SELinux is preventing the /usr/sbin/sendmail.sendmail from using
>>> potentially mislabeled files (<Unknown>).
>>>
>>> Detailed Description
>>> SELinux has denied /usr/sbin/sendmail.sendmail access to potentially
>>> mislabeled file(s) (<Unknown>). This means that SELinux will not allow
> 
>> A postinstall script has ruined the labeling on your /etc/services file.
>>
>> # restorecon -v /etc/services
>> will fix
> # ls -lZ /etc/services
> -rw-r--r--  root root unconfined_u:object_r:rpm_script_tmp_t /etc/services
> Yes, you are correct.
> 
> # restorecon -v /etc/services
> restorecon reset /etc/services context
> unconfined_u:object_r:rpm_script_tmp_t:s0->system_u:object_r:etc_t:s0
> 
> I guess experience rather than reading the troubleshoot message led you
> to /etc/services ?
> 
>> 
Yes, although this is actually a bug in audit/setroubleshoot that is
causing the target mislabeled file to be <Unknown>  If the frame work
had actually specified /etc/services, one of the plugins does a
matchpatcon on the file and sees that the file context differs from the
default and sets it correctly.  Please report this as a bug on
setroubleshoot and include the audit messages so we can see why
setroubleshoot failed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeoZfQACgkQrlYvE4MpobMgHQCbBbgrBQjhwI3dXojEdKYrTTQP
GlsAoN4cCSvxzyguO77FVmdQzR2NbHPf
=knPX
-----END PGP SIGNATURE-----




More information about the fedora-selinux-list mailing list