sendmail+greylist-milter problem

Alexey Tarasov glorg at bk.ru
Tue Dec 20 07:29:23 UTC 2005


Greetings,

Sorry if the same matters were discussed previously - I've not found any 
trails. If there is any FAQ with a solution to my problem, please give me 
a link.
Thanks for help.

best regards,
Alexey Tarasov

---------------
Problem 1.
Installed:  sendmail-8.3.14, milter-greylist-2.0.2, 
selinux-policy-targeted-1.27.2-19

starting sendmail from init results in:
maillog
---
sendmail[1997]: NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 1674: 
Xgreylist: local socket name /var/milter-greylist/milter-greylist.sock 
unsafe: Permission denied
---

audit.log:
---
type=AVC msg=audit(1135060778.168:5): avc:  denied  { getattr } for  
pid=1994 comm="newaliases" name="milter-greylist.sock" dev=dm-0 
ino=7831655 scontext=system_u:system_r:sendmail_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1135060778.168:5): arch=40000003 syscall=196 
success=no exit=-13 a0=bfd5995c a1=bfd598ac a2=b7c60ff4 a3=bfd598ac 
items=1 pid=1994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=51 sgid=51 fsgid=51 comm="newaliases" exe="/usr/sbin/sendmail.sendmail"
type=AVC_PATH msg=audit(1135060778.168:5):  
path="/var/milter-greylist/milter-greylist.sock"
type=PATH msg=audit(1135060778.168:5): item=0 
name="/var/milter-greylist/milter-greylist.sock" flags=0  inode=7831655 
dev=fd:00 mode=0140755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1135060778.260:6): avc:  denied  { getattr } for  
pid=1997 comm="sendmail" name="milter-greylist.sock" dev=dm-0 
ino=7831655 scontext=system_u:system_r:sendmail_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1135060778.260:6): arch=40000003 syscall=196 
success=no exit=-13 a0=bf89508c a1=bf894fdc a2=b7c9dff4 a3=bf894fdc 
items=1 pid=1997 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=51 sgid=51 fsgid=51 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
type=AVC_PATH msg=audit(1135060778.260:6):  
path="/var/milter-greylist/milter-greylist.sock"
type=PATH msg=audit(1135060778.260:6): item=0 
name="/var/milter-greylist/milter-greylist.sock" flags=0  inode=7831655 
dev=fd:00 mode=0140755 ouid=0 ogid=0 rdev=00:00
---

And this output is generated on system shutdown:
---
type=AVC msg=audit(1135059155.814:79): avc:  denied  { getattr } for  
pid=3857 comm="K30sendmail" name="sendmail.pid" dev=dm-0 ino=7602305 
scontext=system_u:system_r:sendmail_launch_t:s0 
tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1135059155.814:79): arch=40000003 syscall=195 
success=no exit=-13 a0=8113cf8 a1=bfe421c8 a2=aedff4 a3=8113828 items=1 
pid=3857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 comm="K30sendmail" exe="/bin/bash"
type=AVC_PATH msg=audit(1135059155.814:79):  path="/var/run/sendmail.pid"
type=PATH msg=audit(1135059155.814:79): item=0 
name="/var/run/sendmail.pid" flags=1  inode=7602305 dev=fd:00 
mode=0100600 ouid=0 ogid=51 rdev=00:00
type=AVC msg=audit(1135059155.822:80): avc:  denied  { unlink } for  
pid=3864 comm="rm" name="sendmail.pid" dev=dm-0 ino=7602305 
scontext=system_u:system_r:sendmail_launch_t:s0 
tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1135059155.822:80): arch=40000003 syscall=10 
success=no exit=-13 a0=bfdabf03 a1=1 a2=8050204 a3=bfdab9e0 items=1 
pid=3864 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1135059155.822:80): item=0 
name="/var/run/sendmail.pid" flags=10  inode=7602212 dev=fd:00 
mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1135059155.826:81): avc:  denied  { unlink } for  
pid=3865 comm="rm" name="sendmail" dev=dm-0 ino=7602307 
scontext=system_u:system_r:sendmail_launch_t:s0 
tcontext=root:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1135059155.826:81): arch=40000003 syscall=10 
success=no exit=-13 a0=bff31eff a1=1 a2=8050204 a3=bff30f40 items=1 
pid=3865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1135059155.826:81): item=0 
name="/var/lock/subsys/sendmail" flags=10  inode=7602207 dev=fd:00 
mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1135059155.826:82): avc:  denied  { getattr } for  
pid=3857 comm="K30sendmail" name="sm-client.pid" dev=dm-0 ino=7602308 
scontext=system_u:system_r:sendmail_launch_t:s0 
tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1135059155.826:82): arch=40000003 syscall=195 
success=no exit=-13 a0=8113cf8 a1=bfe448b8 a2=aedff4 a3=8110710 items=1 
pid=3857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 comm="K30sendmail" exe="/bin/bash"
type=AVC_PATH msg=audit(1135059155.826:82):  path="/var/run/sm-client.pid"
type=PATH msg=audit(1135059155.826:82): item=0 
name="/var/run/sm-client.pid" flags=1  inode=7602308 dev=fd:00 
mode=0100644 ouid=51 ogid=51 rdev=00:00
---
#ls -lZ
-rw-------  root     smmsp    root:object_r:var_run_t          sendmail.pid
-rw-r--r--  smmsp    smmsp    root:object_r:var_run_t          sm-client.pid
-rw-r--r--  root     root     root:object_r:var_lock_t         sendmail


Problem 2.
ping is called by a bash script, executed by cron with root rights (command 
line: ping -c 1 -w 5 > /dev/null )

---
type=AVC msg=audit(1133295301.930:2739): avc:  denied  { write } for  
pid=30341 comm="ping" name="[56893]" dev=pipefs ino=56893 
scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0 
tclass=fifo_file
type=AVC msg=audit(1133295301.930:2739): avc:  denied  { read } for  
pid=30341 comm="ping" name="[56892]" dev=pipefs ino=56892 
scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0 
tclass=fifo_file
---

Is there any way to avoid such messages?
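
Added example, not part of the original post: a small Python reader for AVC records like those quoted above, which rejoins the mail-wrapped lines and groups the denials by source type, target type and object class, so each distinct denial shows up once with all the permissions it covers. The names `SAMPLE`, `unwrap` and `summarize` are hypothetical; the sample records are copied from the logs in this message.

```python
import re
from collections import defaultdict

# Constructed sample: records copied from the logs quoted above, still line-wrapped.
SAMPLE = """\
type=AVC msg=audit(1135060778.260:6): avc:  denied  { getattr } for  
pid=1997 comm="sendmail" name="milter-greylist.sock" dev=dm-0 
ino=7831655 scontext=system_u:system_r:sendmail_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=sock_file
type=AVC_PATH msg=audit(1135060778.260:6):  
path="/var/milter-greylist/milter-greylist.sock"
type=AVC msg=audit(1133295301.930:2739): avc:  denied  { write } for  
pid=30341 comm="ping" name="[56893]" dev=pipefs ino=56893 
scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0 
tclass=fifo_file
type=AVC msg=audit(1133295301.930:2739): avc:  denied  { read } for  
pid=30341 comm="ping" name="[56892]" dev=pipefs ino=56892 
scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0 
tclass=fifo_file
"""

# Only AVC records contain "avc: denied", so SYSCALL/PATH/AVC_PATH never match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def unwrap(text):
    """Rejoin wrapped records: every audit record starts with 'type='."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map (source type, target type, class) -> sorted denied permissions."""
    denied = defaultdict(set)
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if m:
            # SELinux contexts are user:role:type[:level]; the type is field 3.
            key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
            denied[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in denied.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```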



