selinux, sendmail, and services

From: Steven Stern <subscribed-lists@xxxxxxxxxxxxx>
Date: Tue, 26 Feb 2008 07:22:54 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For two days, I've been receiving notices from setroubleshooter about
sendmail and "unknown file". Today, after the pam update, I rebooted
and saw sendmail fail to start due to a problem with "services".

Feb 26 06:55:50 sds-desk setroubleshoot: #012 SELinux is preventing
the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
(<Unknown>).#012

Feb 26 07:04:35 sds-desk setroubleshoot: #012 SELinux is preventing
the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
(/etc/services).#012

I used

~ grep sendmail /var/log/audit/audit.log | audit2allow -M sendmail

to generate a policy to fix this. Was this the right thing to do? And
what caused sendmail and selinux to suddenly have a problem?

sendmail.te:

module sendmail 1.0;

require {
~ type initrc_tmp_t;
~ type rpm_script_tmp_t;
~ type system_mail_t;
~ type unconfined_home_t;
~ type sendmail_t;
~ type unconfined_home_dir_t;
~ type var_t;
~ class process setrlimit;
~ class dir { getattr search };
~ class file { write getattr read ioctl };
}

#============= sendmail_t ==============
allow sendmail_t initrc_tmp_t:file { read write getattr ioctl };
allow sendmail_t rpm_script_tmp_t:file read;
allow sendmail_t self:process setrlimit;
allow sendmail_t unconfined_home_dir_t:dir { getattr search };
allow sendmail_t unconfined_home_t:file { read getattr };
allow sendmail_t var_t:file { read write };

#============= system_mail_t ==============
allow system_mail_t rpm_script_tmp_t:file read;

- --

~ Steve
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHxBKueERILVgMyvARAvE6AJ49qi30dYDaPPmEWAcXZCK3Sf+i+ACeLgYa
GsbDrhehWXwG+MMxAEoNHXc=
=uKfC
-----END PGP SIGNATURE-----

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Follow-Ups:
- Re: selinux, sendmail, and services
  - From: Daniel J Walsh

Prev by Date: Issues with network install on a Mac-based apache server
Next by Date: Re: selinux, sendmail, and services
Previous by thread: Issues with network install on a Mac-based apache server
Next by thread: Re: selinux, sendmail, and services
Index(es):
- Date
- Thread

Relevant Pages

Re: SELinux warning about sendmail
... SELinux is preventing the sendmail from using potentially mislabeled files ... really about ssmtp. ... When an app starts with it's homedir set to /root, it will getattr on the $HOME, which can cause this AVC. ...
(Fedora)
Re: SELinux warning about sendmail
... SELinux is preventing the sendmail from using potentially mislabeled files ... really about ssmtp. ... which can cause this AVC. ...
(Fedora)
SELinux warning about sendmail
... Sometimes I see the warning: ... SELinux is preventing the sendmail from using potentially mislabeled files ... sendmail is not installed, but according to sealert, this warning is ...
(Fedora)
Re: selinux, sendmail, and services
... and saw sendmail fail to start due to a problem with "services". ... the /usr/sbin/sendmail.sendmail from using potentially mislabeled files ... audit.log file that you used to generate this policy. ... Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org ...
(Fedora)
Re: lost input channel
... You need GnuPG to verify this message ... little luck some sendmail guru will be able to help out here. ... Michael Heiming ...
(comp.os.linux.misc)