Strange Mailman/Sendmail Audit messages in Fedora-10?

Paul Howarth paul at city-fan.org
Mon Feb 9 09:15:50 UTC 2009


Derek Atkins wrote:
> Hey,
> 
> I'm working on getting a new Fedora-10 server up and running.  I've
> set up mailman and have lists configured.  Mail even seems to be
> flowing, but for some reason I'm getting a strange audit message on
> each incoming message.  I find it interesting that there are three
> unix_socket AVCs and I have three milters connected to sendmail.
> 
> The setroubleshoot viewer gives me the following information.
> 
> I'm hoping someone could help me understand these log messages,
> and maybe help me make them go away?
> 
> Thanks,
> 
> -derek
> 
> 
> Summary
> 
> SELinux is preventing mailman (mailman_mail_t) "read write" sendmail_t.
> 
> Detailed Description
> 
> SELinux denied access requested by mailman. It is not expected that this access is required by mailman and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 
> 
> Allowing Access
> 
> You can generate a local policy module to allow this access - see FAQ
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report against this
> package.
> 
> Additional Information
> Source Context:  system_u:system_r:mailman_mail_t:s0
> Target Context:  system_u:system_r:sendmail_t:s0
> Target Objects:  socket [ unix_stream_socket ]
> Source:  mailman
> Source Path:  /usr/lib/mailman/mail/mailman
> Port:  <Unknown>
> Host:  <redacted>
> Source RPM Packages:  mailman-2.1.11-3.fc10
> Target RPM Packages:  
> Policy RPM:  selinux-policy-3.5.13-41.fc10
> Selinux Enabled:  True
> Policy Type:  targeted
> MLS Enabled:  True
> Enforcing Mode:  Enforcing
> Plugin Name:  catchall
> Host Name:  code.gnucash.org
> Platform:  Linux code.gnucash.org 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
> Alert Count:  1
> First Seen:  Sun 08 Feb 2009 11:28:40 AM EST
> Last Seen:  Sun 08 Feb 2009 03:04:01 PM EST
> Local ID:  606e93dc-55fc-4454-acfa-1081a87deb63
> Line Numbers:  
> 
> Raw Audit Messages :
> 
> node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
> denied { read write } for pid=17455 comm="mailman"
> path="socket:[105075]" dev=sockfs ino=105075
> scontext=system_u:system_r:mailman_mail_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
> 
> node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
> denied { read write } for pid=17455 comm="mailman"
> path="socket:[105077]" dev=sockfs ino=105077
> scontext=system_u:system_r:mailman_mail_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
> 
> node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
> denied { read write } for pid=17455 comm="mailman"
> path="socket:[105079]" dev=sockfs ino=105079
> scontext=system_u:system_r:mailman_mail_t:s0
> tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
> 
> node=code.gnucash.org type=SYSCALL msg=audit(1234123441.829:421):
> arch=40000003 syscall=11 success=yes exit=0 a0=8d42e38 a1=8d42f20
> a2=8d42508 a3=0 items=0 ppid=17454 pid=17455 auid=4294967295 uid=8
> gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none)
> ses=4294967295 comm="mailman" exe="/usr/lib/mailman/mail/mailman"
> subj=system_u:system_r:mailman_mail_t:s0 key=(null)

Do your milters exec other programs? There are a couple of sockets 
involved in the milter process (one in libmilter that shows up in the 
milter process itself, and one at the other end of the connection in 
sendmail) that don't have close-on-exec set, so their descriptors leak 
when they exec other programs, and that looks like what you're seeing 
here. I've submitted patches against 8.14.3 upstream many months ago but 
there hasn't been a new release since.

In the meantime, I expect you can safely dontaudit these.

Paul.
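
The descriptor leak described in the reply above can be reproduced with a short C program. This is an added example, not code from sendmail, libmilter or the thread. It assumes Linux with /proc mounted and /bin/sh present, and the function name `socket_survives_exec` is hypothetical.

```c
/* Added example: a unix stream socket leaks across exec() unless
 * FD_CLOEXEC is set. Assumes Linux with /proc mounted and /bin/sh. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the socket is still open in the exec'd program,
 * 0 if the kernel closed it at exec, -1 on error. */
int socket_survives_exec(int set_cloexec)
{
    int sv[2], status;
    char cmd[64];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (set_cloexec) {
        /* The fix: mark the descriptor close-on-exec. */
        int flags = fcntl(sv[1], F_GETFD);
        if (flags < 0 || fcntl(sv[1], F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(sv[0]); close(sv[1]);
            return -1;
        }
    }
    /* The exec'd shell checks whether that fd number is still a socket. */
    snprintf(cmd, sizeof cmd, "[ -S /proc/self/fd/%d ]", sv[1]);

    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);               /* keep only the end under test */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec itself failed */
    }
    close(sv[0]); close(sv[1]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: leaked=%d\n", socket_survives_exec(0));
    printf("with FD_CLOEXEC:    leaked=%d\n", socket_survives_exec(1));
    return 0;
}
```

In the leaked case the exec'd program holds a descriptor it never opened, which is why SELinux reports `read write` denials against a socket labelled with the parent's domain.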



