F9: sendmail AVC complaint

Daniel J Walsh dwalsh at redhat.com
Mon Aug 10 17:45:32 UTC 2009


On 08/10/2009 11:18 AM, Daniel B. Thurman wrote:
> 
> I got this AVC complaint fairly recently so please
> let me know how to fix this one thanks!
> 
> File: /var/log/messages
> =================================================
> setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to
> /var/log/messages (var_log_t). For complete SELinux messages. run
> sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
> 
> 
> $ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
> =================================================
> Summary:
> 
> SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages
> (var_log_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by sendmail. It is not expected that this access
> is required by sendmail and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for /var/log/messages,
> 
> restorecon -v '/var/log/messages'
> 
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:var_log_t:s0
> Target Objects                /var/log/messages [ file ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port                          <Unknown>
> Host                          mysystem.mydomain.com
> Source RPM Packages           sendmail-8.14.2-4.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-135.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     mysystem.mydomain.com
> Platform                      Linux mysystem.mydomain.com 2.6.27.25-78.2.56.fc9.i686 #1
>                               SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
> Alert Count                   1
> First Seen                    Mon Aug 10 04:47:23 2009
> Last Seen                     Mon Aug 10 04:47:23 2009
> Local ID                      5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
> Line Numbers               
> Raw Audit Messages         
> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
> avc:  denied  { read } for  pid=16757 comm="sendmail"
> path="/var/log/messages" dev=sda6 ino=86361
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
> avc:  denied  { read } for  pid=16757 comm="sendmail"
> path="/var/log/secure" dev=sda6 ino=86369
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
> avc:  denied  { read } for  pid=16757 comm="sendmail"
> path="/var/log/maillog" dev=sda6 ino=4956165
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350):
> arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458
> a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
> 


Well, number one, Fedora 9 is no longer supported. Please upgrade to F10 or preferably F11.

If you do not want to do this, you can add custom policy:

# grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
# semodule -i mysendmail.pp
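
Added example, not part of the original message: audit2allow -M also writes mysendmail.te next to mysendmail.pp, and the sketch below parses the audit records quoted in this thread (unwrapped and embedded as constructed sample input) to show the allow rule such a module carries, so it can be reviewed before running semodule -i. The function names are hypothetical, and the parser handles only the record fields seen here.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in this thread, unwrapped to one line each.
SAMPLE = """\
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc:  denied  { read } for  pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc:  denied  { read } for  pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc:  denied  { read } for  pid=16757 comm="sendmail" path="/var/log/maillog" dev=sda6 ino=4956165 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350): arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458 a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'\b(?:path|name)="([^"]*)"')

def se_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class) -> perms and paths."""
    rules = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records carry no denial
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        p = PATH_RE.search(line)
        if p:
            rules[key]["paths"].add(p.group(1))
    return dict(rules)

def allow_rules(rules):
    """Render each group as the type-enforcement allow rule that would permit it."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return out

if __name__ == "__main__":
    groups = summarize(SAMPLE)
    print("\n".join(allow_rules(groups)))
    for key, info in groups.items():
        print(key, "denied on", sorted(info["paths"]))
```

The three denials collapse into one rule keyed on types, not paths, so the module lets system_mail_t read every file labeled var_log_t, not only the three logs listed.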



