Re: selinux, sendmail, and services


Steven Stern wrote:
> For two days, I've been receiving notices from setroubleshooter about
> sendmail and "unknown file".  Today, after the pam update, I rebooted
> and saw sendmail fail to start due to a problem with "services".
> 
> Feb 26 06:55:50 sds-desk setroubleshoot: #012    SELinux is preventing
> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
> (<Unknown>).#012
> 
> Feb 26 07:04:35 sds-desk setroubleshoot: #012    SELinux is preventing
> the /usr/sbin/sendmail.sendmail from using potentially mislabeled files
> (/etc/services).#012
> 
> I used
> 
>     grep sendmail /var/log/audit/audit.log | audit2allow -M sendmail
> 
> to generate a policy to fix this. Was this the right thing to do?  And
> what caused sendmail and selinux to suddenly have a problem?
> 
> sendmail.te:
> 
> module sendmail 1.0;
> 
> require {
>         type initrc_tmp_t;
>         type rpm_script_tmp_t;
>         type system_mail_t;
>         type unconfined_home_t;
>         type sendmail_t;
>         type unconfined_home_dir_t;
>         type var_t;
>         class process setrlimit;
>         class dir { getattr search };
>         class file { write getattr read ioctl };
> }
> 
> #============= sendmail_t ==============
> allow sendmail_t initrc_tmp_t:file { read write getattr ioctl };
> allow sendmail_t rpm_script_tmp_t:file read;
> allow sendmail_t self:process setrlimit;
> allow sendmail_t unconfined_home_dir_t:dir { getattr search };
> allow sendmail_t unconfined_home_t:file { read getattr };
> allow sendmail_t var_t:file { read write };
> 
> #============= system_mail_t ==============
> allow system_mail_t rpm_script_tmp_t:file read;
> 
> 
I think your problem is you have a badly labeled /etc/services file.
restorecon /etc/services

vmware has a bug in their postinstall script that screws up the labeling
of /etc/services.

I am not sure of your other changes so could you please attach the
audit.log file that you used to generate this policy.
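
To see which objects the sendmail denials refer to before turning them into policy, the AVC records can be grouped by target type and path. The following Python is an added example, not part of the original thread; the audit.log lines and their tcontext values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the thread); the tcontext values are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1204030475.101:31): avc:  denied  { read } for  pid=2101 comm="sendmail" name="services" dev=dm-0 ino=1180 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030475.102:32): avc:  denied  { getattr } for  pid=2101 comm="sendmail" path="/etc/services" dev=dm-0 ino=1180 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1204030476.200:33): avc:  denied  { setrlimit } for  pid=2101 comm="sendmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=process
type=SYSCALL msg=audit(1204030476.200:33): arch=40000003 syscall=75 success=no exit=-13 comm="sendmail"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # The SELinux type is the third field of user:role:type[:level].
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text, source_type="sendmail_t"):
    """Group one domain's denials by (target type, class) with perms and objects."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["stype"] != source_type:
            continue
        g = groups[(rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        obj = rec.get("path") or rec.get("name")
        if obj and rec["tclass"] in ("file", "dir"):
            g["objects"].add(obj)
    return dict(groups)

def relabel_candidates(groups):
    """Absolute paths seen in file/dir denials: check their labels before writing policy."""
    paths = set()
    for g in groups.values():
        paths.update(o for o in g["objects"] if o.startswith("/"))
    return sorted(paths)

if __name__ == "__main__":
    for p in relabel_candidates(triage(SAMPLE_AUDIT_LOG)):
        print("check label, then: restorecon -v", p)
```

Denials that remain after the listed paths have been relabeled are the ones worth reviewing individually.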