F9: sendmail AVC complaint
Daniel B. Thurman
dant at cdkkt.com
Mon Aug 10 17:56:00 UTC 2009
Daniel J Walsh wrote:
> On 08/10/2009 11:18 AM, Daniel B. Thurman wrote:
>
>> I got this AVC complaint fairly recently, so please
>> let me know how to fix this one, thanks!
>>
>> File: /var/log/messages
>> =================================================
>> setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to
>> /var/log/messages (var_log_t). For complete SELinux messages. run
>> sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
>>
>>
>> $ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
>> =================================================
>> Summary:
>>
>> SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages
>> (var_log_t).
>>
>> Detailed Description:
>>
>> SELinux denied access requested by sendmail. It is not expected that this access
>> is required by sendmail and this access may signal an intrusion attempt. It is
>> also possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> Sometimes labeling problems can cause SELinux denials. You could try to restore
>> the default system file context for /var/log/messages,
>>
>> restorecon -v '/var/log/messages'
>>
>> If this does not work, there is currently no automatic way to allow this access.
>> Instead, you can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> Target Context                system_u:object_r:var_log_t:s0
>> Target Objects                /var/log/messages [ file ]
>> Source                        sendmail
>> Source Path                   /usr/sbin/sendmail.sendmail
>> Port                          <Unknown>
>> Host                          mysystem.mydomain.com
>> Source RPM Packages           sendmail-8.14.2-4.fc9
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.3.1-135.fc9
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall_file
>> Host Name                     mysystem.mydomain.com
>> Platform                      Linux mysystem.mydomain.com
>>                               2.6.27.25-78.2.56.fc9.i686 #1
>>                               SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
>> Alert Count                   1
>> First Seen                    Mon Aug 10 04:47:23 2009
>> Last Seen                     Mon Aug 10 04:47:23 2009
>> Local ID                      5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
>> Line Numbers
>> Raw Audit Messages
>> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
>> avc: denied { read } for pid=16757 comm="sendmail"
>> path="/var/log/messages" dev=sda6 ino=86361
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
>> avc: denied { read } for pid=16757 comm="sendmail"
>> path="/var/log/secure" dev=sda6 ino=86369
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
>> avc: denied { read } for pid=16757 comm="sendmail"
>> path="/var/log/maillog" dev=sda6 ino=4956165
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350):
>> arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458
>> a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305
>> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
>> subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
>>
>
>
> Well, number one, Fedora 9 is no longer supported. Please upgrade to F10 or preferably F11.
>
> If you do not want to do this, you can add custom policy:
>
> # grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
> # semodule -i mysendmail.pp
>
Thanks!
Dan
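
Added example, not part of the original messages and not audit2allow's own code: a Python reimplementation of the aggregation step that turns the quoted AVC records into the allow rule a local module would carry, so the rule can be reviewed before `semodule -i`. The sample log is constructed from the records quoted above (rejoined one per line, SYSCALL record abridged); all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials from the message, one per line,
# followed by an abridged copy of the SYSCALL record from the same event.
_CTX = ("scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 "
        "tcontext=system_u:object_r:var_log_t:s0 tclass=file")
SAMPLE_AUDIT_LOG = "\n".join(
    f'type=AVC msg=audit(1249904843.352:37350): avc:  denied  {{ read }} for  '
    f'pid=16757 comm="sendmail" path="{p}" dev=sda6 ino={i} {_CTX}'
    for p, i in [("/var/log/messages", 86361), ("/var/log/secure", 86369),
                 ("/var/log/maillog", 4956165)])
SAMPLE_AUDIT_LOG += ('\ntype=SYSCALL msg=audit(1249904843.352:37350): '
                     'syscall=11 success=yes comm="sendmail"')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
PATH_RE = re.compile(r'\bpath="([^"]*)"')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    path = PATH_RE.search(line)  # path= is absent from some AVC records
    return {"comm": m["comm"], "perms": m["perms"].split(),
            "source": m["s"].split(":")[2],  # context is user:role:type:level
            "target": m["t"].split(":")[2],
            "tclass": m["cls"], "path": path.group(1) if path else None}

def summarize(log_text, comm=None):
    """Group denials by (source type, target type, class), as a rule would."""
    rules = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec["comm"] != comm):
            continue
        entry = rules[(rec["source"], rec["target"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        if rec["path"]:
            entry["paths"].add(rec["path"])
    return rules

def render(rules):
    """Format each group as a type-enforcement allow rule."""
    out = []
    for (src, tgt, cls), entry in sorted(rules.items()):
        perms = sorted(entry["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out
```

The single rule this yields for the three denials is written in terms of types, so once loaded it lets `system_mail_t` read every file labelled `var_log_t`, not only the three paths that were denied.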