Strange Mailman/Sendmail Audit messages in Fedora-10?

Paul Howarth paul at city-fan.org
Tue Feb 10 14:12:42 UTC 2009


Derek Atkins wrote:
> Paul,
> 
> Quoting Paul Howarth <paul at city-fan.org>:
> 
>>> [snip]
>>> > Do your milters exec other programs? There are a couple of sockets
>>>
>>> I don't think so, but I don't know.  I'm using clamav-milter,
>>> spamass-milter, and milter-sender.  I'm pretty sure that the
>>> latter doesn't fork/exec.  I don't know about clamav or spamass.
>>
>> spamass-milter forks and execs sendmail to deliver spam if you use the
>> "-b" option - that's how I discovered the problem.
> 
> Thanks.  But I'm not using the -b option.  It's run with:
> 
>  -p /path/to/sock -P /path/to/pid -m -r 5 -i ...

Yes, all the logs you posted appear to be mailman-related.

>> The audit log entries you posted suggest that mailman inherited a
>> socket descriptor from sendmail.
> 
> I believe that. Yet it doesn't look like it actually stopped anything
> from happening..  The mail seemed to flow okay.  But it would be
> nice to fix this.   I don't like getting audit warnings.  Maybe sendmail
> is leaking fds as you suggest?   Should I file a bug with fedora
> about this?

Well, you could, but it's not really causing a problem other than log 
noise, and upstream already have a fix for it, though they're not in a 
rush to do a new release.

> [snip]
>>> Okay, how would I do that?
>>
>> You'll need to create a local policy module. I'd do it this way:
>>
> [instructions snipped]
> 
> Thanks, Paul.  I'll consider doing this.
> 
> Is there any easy way to figure out what's connected to the sockets
> that it's complaining about?   I certainly can't find anything via
> lsof or netstat -a.   Most likely because the sockets get closed
> before I see the audit message and try to track it down.

There's no easy way that I know of. In the end I got the spamass-milter 
ones from running strace on the processes (I've since discovered how to 
use the audit subsystem to get a little more targeted information of 
this nature) and looking at the source code to follow what was going on.

If you're in enforcing mode then the kernel will actually be closing 
down the descriptors at the time the AVCs are generated.

Paul.
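The mechanism behind the audit messages discussed in this thread, as an added example that is not part of the original posts and is not code from sendmail, mailman, spamass-milter or any other project mentioned above. A daemon that opens a socket and later fork/execs another program hands that socket to the child unless the descriptor carries the close-on-exec flag (FD_CLOEXEC); the script below reproduces both the leaky and the fixed case and includes the pre-exec self-check a daemon could run to find such descriptors. It assumes a POSIX system with a Python 3.4+ interpreter at sys.executable; the child probe, the function names and the fd limit are choices made for this example. It does not model the SELinux side (the AVC and, in enforcing mode, the kernel closing the descriptor at exec), only the plain inheritance that triggers it.

```python
"""Added example, not from the thread or from any project it mentions:
file descriptor inheritance across exec, and how to check for it.

A daemon that opens a socket and then fork/execs another program leaks that
socket into the child unless the descriptor has FD_CLOEXEC set.  The code
below reproduces both outcomes and shows a self-check a daemon can run
before calling exec.
Assumptions: POSIX system, Python 3.4+ at sys.executable.
"""
import os
import socket
import subprocess
import sys

# Program run in the child (constructed for this example): exit 0 if the
# descriptor number it is handed is still open there AND is a socket,
# exit 1 if the kernel closed it at exec (or something else sits there).
CHILD_PROBE = """
import os, stat, sys
fd = int(sys.argv[1])
try:
    st = os.fstat(fd)             # only succeeds on an open descriptor
    sys.exit(0 if stat.S_ISSOCK(st.st_mode) else 1)
except OSError:
    sys.exit(1)
"""


def child_sees_fd(inheritable):
    """Create a socket, exec a child with no fd cleanup, and report whether
    the child found the socket open.

    inheritable=True  clears FD_CLOEXEC: the leaky-daemon case.
    inheritable=False keeps FD_CLOEXEC set: the fixed daemon.
    """
    parent_end, other_end = socket.socketpair()  # AF_UNIX, no network needed
    try:
        # Python sets close-on-exec on new sockets by default (PEP 446);
        # clearing it reproduces a C daemon that never sets FD_CLOEXEC.
        os.set_inheritable(parent_end.fileno(), inheritable)
        # close_fds=False mimics a bare fork/exec with no "close everything
        # above stderr" loop, so only FD_CLOEXEC decides what the child gets.
        rc = subprocess.call(
            [sys.executable, "-c", CHILD_PROBE, str(parent_end.fileno())],
            close_fds=False,
        )
    finally:
        parent_end.close()
        other_end.close()
    return rc == 0


def inheritable_fds(limit=1024):
    """Pre-exec self-check for a daemon: open descriptors above stdio that
    lack FD_CLOEXEC and would therefore survive an exec (checks fd < limit)."""
    leaked = []
    for fd in range(3, limit):
        try:
            if os.get_inheritable(fd):
                leaked.append(fd)
        except OSError:
            pass  # not an open descriptor
    return leaked


def fd_leak_check_demo():
    """Show the self-check catching a deliberately leaky socket."""
    a, b = socket.socketpair()
    try:
        os.set_inheritable(a.fileno(), True)  # the bug being hunted
        return a.fileno() in inheritable_fds()
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print("leaky daemon: child sees the socket?", child_sees_fd(True))
    print("fixed daemon: child sees the socket?", child_sees_fd(False))
    print("self-check flags the inheritable fd?", fd_leak_check_demo())
```

Run it directly to see the three results. The first two calls are the two halves of the thread's situation: with the flag cleared the exec'd program (mailman, in the thread) finds a socket it never opened; with FD_CLOEXEC set the kernel drops it at exec and nothing is left for SELinux to object to. The self-check is the cheap way to answer "what am I about to leak" from inside the leaking process; it does not tell you what is on the other end of the socket, which is why the reply above still resorts to strace and the source.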
