Fedora 9 SELinux is preventing sendmail (exim_t) "getattr" to pipe (system_crond_t)

Mon Jun 30 12:36:30 UTC 2008

Frank Murphy wrote:
> I think this has to do with exim trying to send logs?
> Should I actually bug-report?
> or just use the 
> audit2allow -M local < /tmp/avcs
> 
> Frank
> 
> Summary:
> 
> SELinux is preventing sendmail (exim_t) "getattr" to pipe
> (system_crond_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by sendmail. It is not expected that
> this access
> is required by sendmail and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the
> application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:exim_t:s0
> Target Context                system_u:system_r:system_crond_t:s0
> Target Objects                pipe [ fifo_file ]
> Source                        sendmail
> Source Path                   /usr/sbin/exim
> Port                          <Unknown>
> Host                          frank-01
> Source RPM Packages           exim-4.69-4.fc9
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.3.1-69.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     frank-01
> Platform                      Linux frank-01 2.6.25.6-55.fc9.i686 #1 SMP
> Tue Jun
>                               10 16:27:49 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Sat 28 Jun 2008 11:01:27 IST
> Last Seen                     Sat 28 Jun 2008 11:01:27 IST
> Local ID                      675df78e-7627-418a-8d0b-2f9943cd7033
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=frank-01 type=AVC msg=audit(1214647287.324:61): avc:  denied
> { getattr } for  pid=16267 comm="sendmail" path="pipe:[94447]"
> dev=pipefs ino=94447 scontext=system_u:system_r:exim_t:s0
> tcontext=system_u:system_r:system_crond_t:s0 tclass=fifo_file
> 
> host=frank-01 type=SYSCALL msg=audit(1214647287.324:61): arch=40000003
> syscall=197 success=no exit=-13 a0=1 a1=bf812f64 a2=981ff4 a3=b805d84c
> items=0 ppid=1 pid=16267 auid=4294967295 uid=93 gid=93 euid=93 suid=93
> fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295
> comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0
> key=(null)
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I will update policy to allow this.  Although this probably does not
stop anything from functioning properly.