F9: sendmail AVC complaint

Daniel B. Thurman dant at cdkkt.com
Mon Aug 10 17:56:00 UTC 2009


Daniel J Walsh wrote:
> On 08/10/2009 11:18 AM, Daniel B. Thurman wrote:
>   
>> I got this AVC complaint fairly recently so please
>> let me know how to fix this one thanks!
>>
>> File: /var/log/messages
>> =================================================
>> setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to
>> /var/log/messages (var_log_t). For complete SELinux messages. run
>> sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
>>
>>
>> $ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
>> =================================================
>> Summary:
>>
>> SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages
>> (var_log_t).
>>
>> Detailed Description:
>>
>> SELinux denied access requested by sendmail. It is not expected that this access
>> is required by sendmail and this access may signal an intrusion attempt. It is
>> also possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> Sometimes labeling problems can cause SELinux denials. You could try to restore
>> the default system file context for /var/log/messages,
>>
>> restorecon -v '/var/log/messages'
>>
>> If this does not work, there is currently no automatic way to allow this access.
>> Instead, you can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> Target Context                system_u:object_r:var_log_t:s0
>> Target Objects                /var/log/messages [ file ]
>> Source                        sendmail
>> Source Path                   /usr/sbin/sendmail.sendmail
>> Port                          <Unknown>
>> Host                          mysystem.mydomain.com
>> Source RPM Packages           sendmail-8.14.2-4.fc9
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.3.1-135.fc9
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall_file
>> Host Name                     mysystem.mydomain.com
>> Platform                      Linux mysystem.mydomain.com 2.6.27.25-78.2.56.fc9.i686 #1
>>                               SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
>> Alert Count                   1
>> First Seen                    Mon Aug 10 04:47:23 2009
>> Last Seen                     Mon Aug 10 04:47:23 2009
>> Local ID                      5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
>> Line Numbers               
>> Raw Audit Messages         
>> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
>> avc:  denied  { read } for  pid=16757 comm="sendmail"
>> path="/var/log/messages" dev=sda6 ino=86361
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
>> avc:  denied  { read } for  pid=16757 comm="sendmail"
>> path="/var/log/secure" dev=sda6 ino=86369
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
>> avc:  denied  { read } for  pid=16757 comm="sendmail"
>> path="/var/log/maillog" dev=sda6 ino=4956165
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350):
>> arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458
>> a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305
>> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
>> subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
>>
>
>
> Well, number one, Fedora 9 is no longer supported. Please upgrade to F10 or preferably F11.
>
> If you do not want to do this, you can add custom policy:
>
> # grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
> # semodule -i mysendmail.pp
>   
Thanks!
Dan



