Re: selinux, sendmail, and services




On 02/26/2008 07:37 AM, Daniel J Walsh wrote:
| Steven Stern wrote:
|> For two days, I've been receiving notices from setroubleshooter about
|> sendmail and "unknown file". Today, after the pam update, I rebooted
|> and saw sendmail fail to start due to a problem with "services".
|
|> Feb 26 06:55:50 sds-desk setroubleshoot: #012 SELinux is preventing
|> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
|> (<Unknown>).#012
|
|> Feb 26 07:04:35 sds-desk setroubleshoot: #012 SELinux is preventing
|> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
|> (/etc/services).#012
|
|> I used
|
|>   grep sendmail /var/log/audit/audit.log | audit2allow -M sendmail
|
|> to generate a policy to fix this. Was this the right thing to do? And
|> what caused sendmail and selinux to suddenly have a problem?
|
|> sendmail.te:
|
|> module sendmail 1.0;
|
|> require {
|>     type initrc_tmp_t;
|>     type rpm_script_tmp_t;
|>     type system_mail_t;
|>     type unconfined_home_t;
|>     type sendmail_t;
|>     type unconfined_home_dir_t;
|>     type var_t;
|>     class process setrlimit;
|>     class dir { getattr search };
|>     class file { write getattr read ioctl };
|> }
|
|> #============= sendmail_t ==============
|> allow sendmail_t initrc_tmp_t:file { read write getattr ioctl };
|> allow sendmail_t rpm_script_tmp_t:file read;
|> allow sendmail_t self:process setrlimit;
|> allow sendmail_t unconfined_home_dir_t:dir { getattr search };
|> allow sendmail_t unconfined_home_t:file { read getattr };
|> allow sendmail_t var_t:file { read write };
|
|> #============= system_mail_t ==============
|> allow system_mail_t rpm_script_tmp_t:file read;
|
|
| I think your problem is you have a badly labeled /etc/services file.
| restorecon /etc/services
|
| vmware has a bug in their postinstall script that screws up the labeling
| of /etc/services.
|
| I am not sure of your other changes so could you please attach the
| audit.log file that you used to generate this policy.

That makes sense. I was playing with vmware server this weekend,
installed from VMWare's rpm installer.

The log is attached.
--

  Steve
type=AVC msg=audit(1194824782.094:78): avc: denied { getattr } for pid=8591 comm="sendmail" path="/home/sdstern" dev=dm-0 ino=12419074 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1194824782.094:79): avc: denied { search } for pid=8591 comm="sendmail" name="sdstern" dev=dm-0 ino=12419074 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1194824782.095:80): avc: denied { getattr } for pid=8591 comm="sendmail" path="/home/sdstern/.forward" dev=dm-0 ino=12420212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file
type=AVC msg=audit(1194824782.095:81): avc: denied { read } for pid=8591 comm="sendmail" name=".forward" dev=dm-0 ino=12420212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file
type=AVC msg=audit(1194880560.718:124): avc: denied { getattr } for pid=4439 comm="sendmail" path="/home/sdstern" dev=dm-0 ino=12419074 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1194880560.718:125): avc: denied { search } for pid=4439 comm="sendmail" name="sdstern" dev=dm-0 ino=12419074 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1194880560.718:126): avc: denied { getattr } for pid=4439 comm="sendmail" path="/home/sdstern/.forward" dev=dm-0 ino=12420212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file
type=AVC msg=audit(1194880560.719:127): avc: denied { read } for pid=4439 comm="sendmail" name=".forward" dev=dm-0 ino=12420212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file
type=AVC msg=audit(1194966939.075:109): avc: denied { getattr } for pid=14096 comm="sendmail" path="/home/sdstern" dev=dm-0 ino=12419074 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1194966939.076:110): avc: denied { search } for pid=14096 comm="sendmail" name="sdstern" dev=dm-0 ino=12419074 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1194966939.076:111): avc: denied { getattr } for pid=14096 comm="sendmail" path="/home/sdstern/.forward" dev=dm-0 ino=12420212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file
type=AVC msg=audit(1194966939.076:112): avc: denied { read } for pid=14096 comm="sendmail" name=".forward" dev=dm-0 ino=12420212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file
type=AVC msg=audit(1199075688.218:1166): avc: denied { read } for pid=6404 comm="sendmail" path=2F746D702F52735A6B686D4D45202864656C6574656429 dev=dm-0 ino=4720032 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1199075688.218:1166): avc: denied { write } for pid=6404 comm="sendmail" path=2F746D702F736172672F3230303744656333302D3230303744656333302F746F70202864656C6574656429 dev=dm-0 ino=4751375 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1199075688.218:1166): avc: denied { read write } for pid=6404 comm="sendmail" path="/var/webmin/sessiondb.pag" dev=dm-0 ino=37524750 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1199075688.268:1167): avc: denied { getattr } for pid=6404 comm="sendmail" path=2F746D702F52735A6B686D4D45202864656C6574656429 dev=dm-0 ino=4720032 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1199075688.296:1168): avc: denied { setrlimit } for pid=6404 comm="sendmail" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:system_r:sendmail_t:s0 tclass=process
type=AVC msg=audit(1199075688.296:1169): avc: denied { ioctl } for pid=6404 comm="sendmail" path=2F746D702F52735A6B686D4D45202864656C6574656429 dev=dm-0 ino=4720032 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1203922909.014:202): avc: denied { read } for pid=4237 comm="sendmail" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1203922909.185:205): avc: denied { read } for pid=10939 comm="sendmail" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1203937731.272:234): avc: denied { read } for pid=12342 comm="sendmail" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204024130.397:402): avc: denied { read } for pid=19120 comm="sendmail" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030502.662:26): avc: denied { read } for pid=2482 comm="newaliases" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030502.709:27): avc: denied { read } for pid=2486 comm="sendmail" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030548.925:44): avc: denied { read } for pid=2964 comm="newaliases" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030548.940:45): avc: denied { read } for pid=2968 comm="sendmail" name="services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030704.096:48): avc: denied { getattr } for pid=3063 comm="newaliases" path="/etc/services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030704.195:49): avc: denied { getattr } for pid=3067 comm="sendmail" path="/etc/services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204031069.445:26): avc: denied { getattr } for pid=2501 comm="newaliases" path="/etc/services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204031069.564:27): avc: denied { getattr } for pid=2505 comm="sendmail" path="/etc/services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
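The attached log mixes three different things that audit2allow would happily turn into one allow rule: a system file wearing an installer's scratch label (/etc/services as rpm_script_tmp_t, the mislabel Dan points at), already-deleted temp files whose paths audit hex-encodes, and real policy gaps such as reading a user's .forward. This added example (not part of the thread or of any Fedora tool) parses AVC lines and sorts them into those buckets before anyone writes policy; the three sample lines are copied from the attachment above, and the TRANSIENT_TYPES / SYSTEM_PREFIXES lists are my own assumptions.

```python
import re

# Constructed sample: three denial lines copied from the audit.log attached above.
SAMPLE_AVC = """\
type=AVC msg=audit(1204030704.195:49): avc: denied { getattr } for pid=3067 comm="sendmail" path="/etc/services" dev=dm-0 ino=4784248 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1199075688.218:1166): avc: denied { read } for pid=6404 comm="sendmail" path=2F746D702F52735A6B686D4D45202864656C6574656429 dev=dm-0 ino=4720032 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1194824782.095:81): avc: denied { read } for pid=8591 comm="sendmail" name=".forward" dev=dm-0 ino=12420212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:unconfined_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'(?:.*?\b(?:path|name)=(?P<obj>"[^"]*"|\S+))?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed lists: labels that belong only to installer/init-script scratch files,
# and path prefixes where a file carrying such a label is a mislabel, not a policy gap.
TRANSIENT_TYPES = {"rpm_script_tmp_t", "initrc_tmp_t", "tmp_t"}
SYSTEM_PREFIXES = ("/etc/", "/usr/", "/bin/", "/sbin/", "/lib", "/var/lib/")

def decode_path(obj):
    """Audit hex-encodes a path with spaces or odd bytes, e.g. a '(deleted)' file."""
    if obj.startswith('"'):
        return obj.strip('"')
    try:
        return bytes.fromhex(obj).decode("utf-8", "replace")
    except ValueError:
        return obj

def parse_avc(text):
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC audit records are skipped
            events.append({
                "perms": m.group("perms").split(),
                "comm": m.group("comm"),
                "object": decode_path(m.group("obj")) if m.group("obj") else None,
                "ttype": m.group("tcontext").split(":")[2],
            })
    return events

def triage(event):
    """Decide what a denial calls for instead of feeding it straight to audit2allow."""
    obj, ttype = event["object"] or "", event["ttype"]
    if obj.startswith(SYSTEM_PREFIXES) and ttype in TRANSIENT_TYPES:
        return "mislabel"    # run restorecon on the path; do not allow it in policy
    if ttype in TRANSIENT_TYPES:
        return "stale-tmp"   # scratch file, often already deleted; usually noise
    return "policy-gap"      # real access the policy may need to grant
```

Run it over a full audit.log and only the "policy-gap" lines deserve a local module; the module quoted above would have baked the vmware mislabel into policy permanently.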
--
fedora-list mailing list
