Using FC6, I get the following SELinux warnings in /var/log/messages
every time I reboot:
Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
My sendmail configuration is unmodified from Fedora Core 6 default
installation, and while sendmail is set to start at bootup, I am not
currently using sendmail for anything on this system.
Nonetheless the error is a bit alarming, and I didn't find anything
similar in a Google search. My system is fully updated to the
current updates as of just prior to my reboot, which was about 15
minutes ago.
[root@shuttle ~]# rpm -qf /usr/sbin/sendmail.sendmail
sendmail-8.13.8-2
[root@shuttle ~]# ls -al /usr/sbin/sendmail.sendmail
-rwxr-sr-x 1 root smmsp 806460 Sep 5 09:27 /usr/sbin/sendmail.sendmail
[root@shuttle ~]# sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t)
"read" to /dev/hda (fixed_disk_device_t).

Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
not expected that this access is required by
/usr/sbin/sendmail.sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try
to restore the default system file context for /dev/hda,
restorecon -v /dev/hda
If this does not work, there is currently no automatic way to allow
this access. Instead, you can generate a local policy module to allow
this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information:
Source Context: system_u:system_r:system_mail_t
Target Context: system_u:object_r:fixed_disk_device_t
Target Objects: /dev/hda [ blk_file ]
Affected RPM Packages: sendmail-8.13.8-2 [application]
Policy RPM: selinux-policy-2.4.6-1.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: shuttle
Platform: Linux shuttle 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686
Alert Count: 2
Line Numbers:
Raw Audit Messages:
avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0
name="hda" path="/dev/hda" pid=2509
scontext=system_u:system_r:system_mail_t:s0 sgid=51
subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file
tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
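
Added example, not part of the original post: a small triage helper that parses the raw AVC record quoted above, derives the allow rule a local policy module would have to contain, and marks the denial for investigation when the target type is sensitive. The SENSITIVE_TARGET_TYPES list and the function names are assumptions made for this illustration; the sample record is the post's audit message joined onto one line.

```python
import re

# Constructed sample: the raw audit message from the post, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0 '
    'exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 '
    'name="hda" path="/dev/hda" pid=2509 '
    'scontext=system_u:system_r:system_mail_t:s0 sgid=51 '
    'subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0'
)

# Assumption for this example: target types treated as too sensitive to
# allow without investigation. Illustrative list, not taken from the policy.
SENSITIVE_TARGET_TYPES = {"fixed_disk_device_t", "shadow_t", "memory_device_t"}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields


def selinux_type(context):
    """Extract the type field from user:role:type[:level]."""
    return context.split(":")[2]


def triage(line):
    """Summarise a denial: the rule a local module would need, and a verdict."""
    f = parse_avc(line)
    src, tgt = selinux_type(f["scontext"]), selinux_type(f["tcontext"])
    perms = f["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = f"allow {src} {tgt}:{f['tclass']} {perm_str};"
    verdict = "investigate" if tgt in SENSITIVE_TARGET_TYPES else "review"
    return {"exe": f["exe"], "path": f.get("path"), "rule": rule, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```

Seeing the rule spelled out shows what a local policy module would actually grant here: the mail domain reading a raw disk block device.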