On Wed, 2005-02-02 at 10:10 -0500, Daniel J Walsh wrote:
> Rather than going down a rathole, here could you
> setenforce 0
> Run both tests and send the avc messages.

Okay, no problem. I'll describe the mail setups, proceeded by the selinux messages for each.

Mail config in RT:
------------------
mail command: sendmailpipe
arguments: -oi -t #(-t required, as stated in RT docs)
path: /usr/sbin/sendmail

avc messages:
-------------
avc: denied { read } for pid=6130 exe=/usr/sbin/httpd name=sendmail dev=dm-3 ino=277369 scontext=root:system_r:httpd_t tcontext=user_u:object_r:sbin_t tclass=lnk_file

Mail config in RT:
------------------
mail command: sendmail
arguments: -oi
path: /usr/sbin/sendmail #(not read when mail command set to sendmail)

avc messages:
-------------
avc: denied { search } for pid=6082 exe=/usr/bin/perl name=postfix dev=dm-5 ino=34833 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
avc: denied { getattr } for pid=6086 exe=/usr/sbin/sendmail.postfix path=socket:[14139] dev=sockfs ino=14139 scontext=root:system_r:system_mail_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
avc: denied { execute } for pid=6087 exe=/usr/sbin/sendmail.postfix name=postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { execute_no_trans } for pid=6087 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { read } for pid=6087 exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postdrop dev=dm-3 ino=276825 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:sbin_t tclass=file
avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=maildrop dev=dm-5 ino=34842 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
avc: denied { add_name } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
avc: denied { create } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
avc: denied { remove_name } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
avc: denied { rename } for pid=6087 exe=/usr/sbin/postdrop name=1290.6087 dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/maildrop/1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
avc: denied { setattr } for pid=6087 exe=/usr/sbin/postdrop name=1ACA7885F dev=dm-5 ino=34911 scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t tclass=file
avc: denied { getattr } for pid=6087 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file
avc: denied { write } for pid=6087 exe=/usr/sbin/postdrop name=pickup dev=dm-5 ino=34827 scontext=root:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file

Wow. Big difference in denials.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com