Confusion about transition when httpd_t process calls sendmail

Daniel J Walsh dwalsh at redhat.com
Fri Sep 18 12:26:08 UTC 2009


On 09/18/2009 02:46 AM, Paul Howarth wrote:
> On Thu, 17 Sep 2009 23:06:15 -0500
> Jason L Tibbitts III <tibbs at math.uh.edu> wrote:
> 
>> Tough to come up with a subject for this one; it's really messing with
>> my fragile mind.  I have a system running RT3, which uses mod_perl or
>> somesuch to run within the web server process.  It needs to send mail,
>> so it calls /usr/bin/sendmail, which happens to be exim on this
>> system. If I understand things correctly, the sendmail process is
>> supposed to start as or somehow transition to exim_t where it is then
>> allowed to access whatever exim_t is allowed to access.
>>
>> This was all working until I had to reboot the machine for unrelated
>> reasons today.  Now, RT3 can't send mail, and the audit logs seem to
>> indicate that httpd_t is being denied things like writing to the exim
>> spool file location.  It really seems like somehow the transition to
>> exim_t is not happening.  Perhaps this will illustrate:
>>
>>> s ausearch -ts today |grep exim|audit2allow
>>
>> #============= httpd_t ==============
>> allow httpd_t exim_spool_t:dir { search setattr read write getattr
>> remove_name open add_name }; allow httpd_t exim_spool_t:file { rename
>> setattr read lock create write getattr unlink open append }; allow
>> httpd_t proc_net_t:file { read getattr open }; allow httpd_t
>> self:capability fowner; allow httpd_t smtp_port_t:tcp_socket
>> name_connect;
>>
>> Currently I've simply disabled selinux until I can understand what has
>> happened.  yum.log indicates that selinux-policy(-targeted) were
>> updated on the 13th, but everything was working fine up until the
>> today's reboot.  No other related packages have been updated
>> recently, and nothing was updated today.  I suppose the reboot did
>> boot me into a new kernel version (from
>> kernel-2.6.29.6-217.2.3.fc11.x86_64 to
>> kernel-2.6.30.5-43.fc11.x86_64).
>>
>>> ls -lZ /usr/sbin/exim
>> -rwsr-xr-x. root root system_u:object_r:exim_exec_t:s0 /usr/sbin/exim*
>>
>> (which is what /usr/bin/sendmail is linked to via half a dozen
>> symlinks due to alternatives).
> 
> Just a thought but is your httpd_can_sendmail boolean still set?
> 
> Paul.
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 


I think if people would just get their hands around this document, it could help.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

SELinux is trying to say either you have a labeling problem in that exim no longer has the correct label.  So httpd_t is not transitioning to the system_mail_t.

Or

For some reason the http_can_sendmail  boolean is not set.

Of cours it could also be a bug in policy.




More information about the fedora-selinux-list mailing list