Strange Mailman/Sendmail Audit messages in Fedora-10?

Paul Howarth paul at city-fan.org
Tue Feb 10 00:15:33 UTC 2009


On Mon, 09 Feb 2009 12:47:51 -0500
Derek Atkins <warlord at MIT.EDU> wrote:

> Hi,
> 
> Paul Howarth <paul at city-fan.org> writes:
> 
> [snip]
> > Do your milters exec other programs? There are a couple of sockets
> 
> I don't think so, but I don't know.  I'm using clamav-milter,
> spamass-milter, and milter-sender.  I'm pretty sure that the
> latter doesn't fork/exec.  I don't know about clamav or spamass.

spamass-milter forks and execs sendmail to deliver spam if you use the
"-b" option - that's how I discovered the problem.

The audit log entries you posted suggest that mailman inherited a
socket descriptor from sendmail.

> > involved in the milter process (one in libmilter that shows up in
> > the milter process itself, and one at the other end of the
> > connection in sendmail) that don't have close-on-exec set, so their
> > descriptors leak when they exec other programs, and that looks like
> > what you're seeing here. I've submitted patches against 8.14.3
> > upstream many months ago but there hasn't been a new release since.
> >
> > In the meantime, I expect you can safely dontaudit these.
> 
> Okay, how would I do that?

You'll need to create a local policy module. I'd do it this way:

 * Create a policy module development area:

# yum install make selinux-policy-devel
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .

 * Pipe the audit messages you want to eliminate through audit2allow to
   create a policy module "mysendmail":

# ausearch -se sendmail |
	audit2allow -m mysendmail |
	sed 's/^allow /dontaudit /' > mysendmail.te

That should produce a file mysendmail.te like this:

module mysendmail 1.0;

require {
	type mailman_mail_t;
	type sendmail_t;
	class unix_stream_socket { read write };
}

#============= mailman_mail_t ==============
dontaudit mailman_mail_t sendmail_t:unix_stream_socket { read write };


 * Compile the policy module:

# make

 * Install the policy module:

# semodule -i mysendmail.pp

If you later want to remove the policy module (it'll survive a reboot),
do:

# semodule -r mysendmail

Cheers, Paul.
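The steps above, collected into one script as an added example; this is not
from the original post or from Fedora's policy tooling. It assumes the module
name "mysendmail" and the audit2allow output shape shown in the post (the
sample .te embedded below is constructed from that output), and it uses
checkmodule and semodule_package from checkpolicy/policycoreutils in place of
the /usr/share/selinux/devel Makefile, which runs the same two compile steps.
The one thing it adds to the procedure is a check that the generated module
contains no "allow" rule at all, since a module meant to silence log noise
must never widen policy by accident.

```sh
#!/bin/sh
# Added example, not from the original post: build a dontaudit-only SELinux
# module from audit2allow output. Module name and sample .te are assumptions
# taken from the thread; "sample" mode runs offline, "live" mode needs root
# and the audit/policy tools installed.
set -eu

MODULE=mysendmail

# Constructed sample: what "audit2allow -m mysendmail" produced in the post,
# before the allow -> dontaudit rewrite.
SAMPLE_TE='module mysendmail 1.0;

require {
	type mailman_mail_t;
	type sendmail_t;
	class unix_stream_socket { read write };
}

#============= mailman_mail_t ==============
allow mailman_mail_t sendmail_t:unix_stream_socket { read write };
'

# Rewrite each "allow" rule audit2allow emitted into a "dontaudit" rule.
# Header, require block and comments pass through untouched. stdin -> stdout.
allow_to_dontaudit() {
    sed -E 's/^[[:space:]]*allow[[:space:]]+/dontaudit /'
}

# Number of rules of one kind ("allow" or "dontaudit") in a .te read on stdin.
count_rules() {
    grep -c "^$1 " || true
}

# Succeeds only if no allow rule is left in the .te file given as $1.
check_dontaudit_only() {
    ! grep -q '^allow ' "$1"
}

# ausearch | audit2allow as in the post, followed by the rewrite. Needs root.
generate_te() {
    ausearch -se sendmail | audit2allow -m "$MODULE" | allow_to_dontaudit
}

# Compile .te -> .mod -> .pp; this is what "make" in the devel directory does.
build_module() {
    te="$1"
    checkmodule -M -m -o "${te%.te}.mod" "$te"
    semodule_package -o "${te%.te}.pp" -m "${te%.te}.mod"
}

case "${1:-sample}" in
    sample)
        # Offline dry run on the embedded sample: print the rewritten .te
        # and the rule counts a reviewer would look at before installing.
        printf '%s' "$SAMPLE_TE" | allow_to_dontaudit
        printf 'dontaudit rules: %s, allow rules left: %s\n' \
            "$(printf '%s' "$SAMPLE_TE" | allow_to_dontaudit | count_rules dontaudit)" \
            "$(printf '%s' "$SAMPLE_TE" | allow_to_dontaudit | count_rules allow)"
        ;;
    live)
        generate_te > "$MODULE.te"
        check_dontaudit_only "$MODULE.te"
        build_module "$MODULE.te"
        semodule -i "$MODULE.pp"
        # The denials are now hidden, not fixed: the descriptor still leaks.
        # "semodule -DB" rebuilds policy with dontaudit rules disabled so the
        # messages show again; "semodule -B" puts them back.
        ;;
    *)
        echo "usage: $0 [sample|live]" >&2
        exit 2
        ;;
esac
```

Run it with no argument to see the rewritten sample and the counts, and with
"live" on the affected box to do the real ausearch/audit2allow/install. Keep
in mind that dontaudit only stops the log entries; the underlying descriptor
leak described above is unchanged, and if you later need to see those
denials again for debugging, "semodule -DB" will show them.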




More information about the fedora-selinux-list mailing list