Re: selinux, sendmail, and services
- From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
- Date: Tue, 26 Feb 2008 09:17:52 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steven Stern wrote:
On 02/26/2008 07:37 AM, Daniel J Walsh wrote:This one seems reasonable.
| Steven Stern wrote:
|> For two days, I've been receiving notices from setroubleshooter about
|> sendmail and "unknown file". Today, after the pam update, I rebooted
|> and saw sendmail fail to start due to a problem with "services".
|
|> Feb 26 06:55:50 sds-desk setroubleshoot: #012 SELinux is preventing
|> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
|> (<Unknown>).#012
|
|> Feb 26 07:04:35 sds-desk setroubleshoot: #012 SELinux is preventing
|> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
|> (/etc/services).#012
|
|> I used
|
|> ~ grep sendmail /var/log/audit/audit.log | audit2allow -M sendmail
|
|> to generate a policy to fix this. Was this the right thing to do? And
|> what caused sendmail and selinux to suddenly have a problem?
|
|> sendmail.te:
|
|> module sendmail 1.0;
|
|> require {
|> ~ type initrc_tmp_t;
|> ~ type rpm_script_tmp_t;
|> ~ type system_mail_t;
|> ~ type unconfined_home_t;
|> ~ type sendmail_t;
|> ~ type unconfined_home_dir_t;
|> ~ type var_t;
|> ~ class process setrlimit;
|> ~ class dir { getattr search };
|> ~ class file { write getattr read ioctl };
|> }
|
|> #============= sendmail_t ==============
|> allow sendmail_t initrc_tmp_t:file { read write getattr ioctl };
|> allow sendmail_t rpm_script_tmp_t:file read;/etc/services bad label
|> allow sendmail_t self:process setrlimit;Never seen this before, But I guess I will add
|> allow sendmail_t unconfined_home_dir_t:dir { getattr search };These are allowed in current policy for Rawhide/Fedora 8
|> allow sendmail_t unconfined_home_t:file { read getattr };
|> allow sendmail_t var_t:file { read write };This will have to be special for your install. We would need policy for
webmin
|-----BEGIN PGP SIGNATURE-----
|> #============= system_mail_t ==============
|> allow system_mail_t rpm_script_tmp_t:file read;
|
|
| I think your problem is you have a badly labeled /etc/services file.
| restorecon /etc/services
|
| vmware has a bug in there postinstall script that screws up the labeling
| of /etc/services.
|
| I am not sure of your other changes so could you please attach the
| audit.log file that you used to generate this policy.
That makes sense. I was playing with vmware server this weekend,
installed from VMWare's rpm installer.
The log is attached.
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkfEH5AACgkQrlYvE4MpobO0JgCfdF3VejfQaGivM4bpzRWghMvl
0kMAoM+J7xIneV2yk0BZWQkycT4jJMRM
=s1RH
-----END PGP SIGNATURE-----
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
- References:
- selinux, sendmail, and services
- From: Steven Stern
- Re: selinux, sendmail, and services
- From: Daniel J Walsh
- Re: selinux, sendmail, and services
- From: Steven Stern
- selinux, sendmail, and services
- Prev by Date: Re: Treo USB no longer creating ttyUSB[01] devices???
- Next by Date: Which will work best ...
- Previous by thread: Re: selinux, sendmail, and services
- Next by thread: Which will work best ...
- Index(es):
Relevant Pages
|
