David,

Thanks for the quick reply. I answered your questions in-line below:

David Caplan wrote:
> Doug,
>
>> My mail server was working fine secured by SELinux running in enforcing
>> mode. Our company lost connection to the Internet for a couple days so I
>> edited sendmail.mc to skip the domain check for the duration. I edited
>> the file, ran MAKE and restarted the sendmail process. I also disabled
>> spamd because all of the email would be internal.
>
> Did you do all of the above as root/unconfined_t? The most likely problem
> (at least at that point) was a labeling problem. As you are running
> targeted policy it should not have caused a problem.

I assume that I did. I was logged in as root and did not even know until
now that something called unconfined_t existed. Initially, I entered the
commands suggested by setroubleshoot.

>> Well SELinux didn't like what I did and started to produce lots of AVC
>> messages and provided solutions to most of them. I followed the
>> suggestion in the "Allowing Access" section of the setroubleshoot
>> browser and most of the messages went away.
>
> Does that mean you added a local policy module?

I don't think so. I entered commands like the following: (Copied from my
command buffer)

chcon -t httpd_sys_content_t /etc/mail/local-host-names
chcon -t httpd_sys_content_t /etc/mail/trusted-users
chcon -t httpd_sys_content_t submit.cf
chcon -t httpd_sys_content_t clientmqueue
chcon -t httpd_sys_content_t anon_inode:[eventpoll]

The last one wouldn't work and this is when I decided to just disable
SELinux until my internet connection was restored.

>> After about a dozen of these messages, I decided to just have the
>> system "relabel on next reboot" using the SELinux management tool. When
>> that didn't fix the problem, I just disabled SELinux until the Internet
>> connection was fixed. So the connection was fixed, I fixed the
>> sendmail.mc file to be exactly the same as before the problem. I used
>> MAKE on the file and relabeled the SELinux during a reboot and reset
>> SELinux to enforcement mode. Spamd will not start in enforcement mode.
>> I get the following setroubleshoot message:
>
> The indication below (in the "Additional Information" section) says that
> you are in Permissive, not Enforcing. Of course, things should work in
> Permissive mode.

Yes, I switched to Permissive mode so my users were not buried in spam.
The same messages were there in Enforcing mode.

>> Summary
>>     SELinux is preventing spamd (spamd_t) "search" to mail
>>     (httpd_sys_content_t).
>
> It doesn't seem like spamd should need access to httpd* files. If you
> are in Permissive mode that may not be what your problem is. What is the
> file related to this message (i.e., the path of the target directory
> that is labeled with httpd_sys_content_t)?

I have no idea. The information in my first message is everything that
was displayed in the setroubleshoot window. Other messages in the
setroubleshoot window show file names, but this one doesn't. How would I
find this out?

>> Detailed Description
>>     SELinux denied access requested by spamd. It is not expected that
>>     this access is required by spamd and this access may signal an
>>     intrusion attempt. It is also possible that the specific version or
>>     configuration of the application is causing it to require
>>     additional access.
>>
>> Allowing Access
>>     Sometimes labeling problems can cause SELinux denials. You could
>>     try to restore the default system file context for mail,
>>     restorecon -v mail If this does not work, there is currently no
>>     automatic way to allow this access. Instead, you can generate a
>>     local policy module to allow this access - see FAQ Or you can
>>     disable SELinux protection altogether. Disabling SELinux protection
>>     is not recommended. Please file a bug report against this package.
>>
>> Additional Information
>>     Source Context:          system_u:system_r:spamd_t
>>     Target Context:          system_u:object_r:httpd_sys_content_t
>>     Target Objects:          mail [ dir ]
>>     Affected RPM Packages:
>>     Policy RPM:              selinux-policy-2.6.4-46.fc7
>>     Selinux Enabled:         True
>>     Policy Type:             targeted
>>     MLS Enabled:             True
>>     Enforcing Mode:          Permissive
>>     Plugin Name:             plugins.catchall_file
>>
>> When I ran the suggested fix "restorecon -v mail" I get the following
>> error message:
>>
>> lstat(mail) failed: No such file or directory
>
> I think you want to run this in the directory above the mail directory
> (e.g., this is typically /etc). Everything in /etc/mail should be
> labeled with etc_mail_t. You should also run it with -R. For example:
>
> # restorecon -v mail
> lstat(mail) failed: No such file or directory
> # cd /etc
> # restorecon -v mail
> # chcon -t file_t mail/sendmail.mc
> # restorecon -v mail
> # ls -Z mail/sendmail.mc
> -rw-r--r--  root root system_u:object_r:file_t         mail/sendmail.mc
> # restorecon -Rv mail
> restorecon reset /etc/mail/sendmail.mc context system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0
> #

I ran the suggested commands and restarted sendmail, spamassassin and I
did the same restorecon command for any file listed in the error
messages. After this I sent an email through a web interface. I got the
following errors in setroubleshoot:

#1
Summary
    SELinux is preventing spamd (spamd_t) "search" to mail (httpd_sys_content_t).

Detailed Description
    SELinux denied access requested by spamd. It is not expected that this access is required by spamd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for mail, restorecon -v mail If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context           root:system_r:spamd_t
    Target Context           system_u:object_r:httpd_sys_content_t
    Target Objects           mail [ dir ]
    Affected RPM Packages
    Policy RPM               selinux-policy-2.6.4-46.fc7
    Selinux Enabled          True
    Policy Type              targeted
    MLS Enabled              True
    Enforcing Mode           Permissive
    Plugin Name              plugins.catchall_file
    Host Name                mail.dupreeinc.com
    Platform                 Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
    Alert Count              1
    First Seen               Thu 11 Oct 2007 03:32:24 PM PDT
    Last Seen                Thu 11 Oct 2007 03:32:24 PM PDT
    Local ID                 d478c85c-d36f-4fa3-9371-2ab3f4bb05f5
    Line Numbers

Raw Audit Messages
    avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0 exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1 uid=0

#2
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files submit.cf (etc_mail_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially mislabeled files submit.cf. This means that SELinux will not allow http to use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled with a file context which httpd can accesss.

Allowing Access
    If you want to change the file context of submit.cf so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t submit.cf. You can look at the httpd_selinux man page for additional information.

Additional Information
    Source Context           system_u:system_r:httpd_sys_script_t
    Target Context           system_u:object_r:etc_mail_t
    Target Objects           submit.cf [ file ]
    Affected RPM Packages    sendmail-8.14.1-4.2.fc7 [application]
    Policy RPM               selinux-policy-2.6.4-46.fc7
    Selinux Enabled          True
    Policy Type              targeted
    MLS Enabled              True
    Enforcing Mode           Permissive
    Plugin Name              plugins.httpd_bad_labels
    Host Name                mail.dupreeinc.com
    Platform                 Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
    Alert Count              1
    First Seen               Thu 11 Oct 2007 03:33:03 PM PDT
    Last Seen                Thu 11 Oct 2007 03:33:03 PM PDT
    Local ID                 e67e0ecc-909e-44ba-8a80-106228c8e348
    Line Numbers

Raw Audit Messages
    avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

#3
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files /etc/mail/submit.cf (etc_mail_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially mislabeled files /etc/mail/submit.cf. This means that SELinux will not allow http to use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled with a file context which httpd can accesss.

Allowing Access
    If you want to change the file context of /etc/mail/submit.cf so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t /etc/mail/submit.cf. You can look at the httpd_selinux man page for additional information.

Additional Information
    Source Context           system_u:system_r:httpd_sys_script_t
    Target Context           system_u:object_r:etc_mail_t
    Target Objects           /etc/mail/submit.cf [ file ]
    Affected RPM Packages    sendmail-8.14.1-4.2.fc7 [application] sendmail-8.14.1-4.2.fc7 [target]
    Policy RPM               selinux-policy-2.6.4-46.fc7
    Selinux Enabled          True
    Policy Type              targeted
    MLS Enabled              True
    Enforcing Mode           Permissive
    Plugin Name              plugins.httpd_bad_labels
    Host Name                mail.dupreeinc.com
    Platform                 Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
    Alert Count              1
    First Seen               Thu 11 Oct 2007 03:33:03 PM PDT
    Last Seen                Thu 11 Oct 2007 03:33:03 PM PDT
    Local ID                 10bd0547-6b5c-4b86-96e6-6bb16af2a64d
    Line Numbers

Raw Audit Messages
    avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" path="/etc/mail/submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

#4
Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) "create" to <Unknown> (httpd_sys_script_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context           system_u:system_r:httpd_sys_script_t
    Target Context           system_u:system_r:httpd_sys_script_t
    Target Objects           None [ unix_dgram_socket ]
    Affected RPM Packages    sendmail-8.14.1-4.2.fc7 [application]
    Policy RPM               selinux-policy-2.6.4-46.fc7
    Selinux Enabled          True
    Policy Type              targeted
    MLS Enabled              True
    Enforcing Mode           Permissive
    Plugin Name              plugins.catchall
    Host Name                mail.dupreeinc.com
    Platform                 Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
    Alert Count              1
    First Seen               Thu 11 Oct 2007 03:33:03 PM PDT
    Last Seen                Thu 11 Oct 2007 03:33:03 PM PDT
    Local ID                 ef574580-2190-4edc-8e54-b92181831531
    Line Numbers

Raw Audit Messages
    avc: denied { create } for comm="sendmail" egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

#5
Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) "sendto" to /dev/log (syslogd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context           system_u:system_r:httpd_sys_script_t
    Target Context           system_u:system_r:syslogd_t
    Target Objects           /dev/log [ unix_dgram_socket ]
    Affected RPM Packages    sendmail-8.14.1-4.2.fc7 [application]
    Policy RPM               selinux-policy-2.6.4-46.fc7
    Selinux Enabled          True
    Policy Type              targeted
    MLS Enabled              True
    Enforcing Mode           Permissive
    Plugin Name              plugins.catchall
    Host Name                mail.dupreeinc.com
    Platform                 Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
    Alert Count              1
    First Seen               Thu 11 Oct 2007 03:33:03 PM PDT
    Last Seen                Thu 11 Oct 2007 03:33:03 PM PDT
    Local ID                 831be357-c006-4d42-8ab7-1634e2035ef4
    Line Numbers

Raw Audit Messages
    avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="log" path="/dev/log" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48

#6
Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) "write" to <Unknown> (httpd_sys_script_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context           system_u:system_r:httpd_sys_script_t
    Target Context           system_u:system_r:httpd_sys_script_t
    Target Objects           None [ unix_dgram_socket ]
    Affected RPM Packages    sendmail-8.14.1-4.2.fc7 [application]
    Policy RPM               selinux-policy-2.6.4-46.fc7
    Selinux Enabled          True
    Policy Type              targeted
    MLS Enabled              True
    Enforcing Mode           Permissive
    Plugin Name              plugins.catchall
    Host Name                mail.dupreeinc.com
    Platform                 Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
    Alert Count              1
    First Seen               Thu 11 Oct 2007 03:33:03 PM PDT
    Last Seen                Thu 11 Oct 2007 03:33:03 PM PDT
    Local ID                 a793410a-36e5-4685-b82a-c7a0ddee7c44
    Line Numbers

Raw Audit Messages
    avc: denied { write } for comm="sendmail" egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48 items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

#7
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).

Detailed Description
    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially mislabeled files anon_inode:[eventpoll]. This means that SELinux will not allow http to use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled with a file context which httpd can accesss.

Allowing Access
    If you want to change the file context of anon_inode:[eventpoll] so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t anon_inode:[eventpoll]. You can look at the httpd_selinux man page for additional information.

Additional Information
    Source Context           system_u:system_r:httpd_sys_script_t
    Target Context           system_u:object_r:anon_inodefs_t
    Target Objects           anon_inode:[eventpoll] [ file ]
    Affected RPM Packages    sendmail-8.14.1-4.2.fc7 [application]
    Policy RPM               selinux-policy-2.6.4-46.fc7
    Selinux Enabled          True
    Policy Type              targeted
    MLS Enabled              True
    Enforcing Mode           Permissive
    Plugin Name              plugins.httpd_bad_labels
    Host Name                mail.dupreeinc.com
    Platform                 Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
    Alert Count              1
    First Seen               Thu 11 Oct 2007 03:33:03 PM PDT
    Last Seen                Thu 11 Oct 2007 03:33:03 PM PDT
    Local ID                 5c2f5b86-899e-44d6-ba25-906180a5731d
    Line Numbers

Raw Audit Messages
    avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
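An added example, not part of the thread: a small Python parser for raw audit messages like the ones pasted above. It splits each "avc: denied" record into its fields, groups the denials by source domain (so the httpd_sys_script_t ones from the web interface stand apart from the spamd_t one), and checks each target label against an expected-label table. The table, the condensed sample records, and the helper names parse_avc, classify and summarize are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed samples, condensed from the raw audit messages quoted in the
# thread; only the fields the parser needs are kept.
AVC_SAMPLES = [
    'avc: denied { search } for comm="spamd" dev=dm-0 name="mail" pid=31883 '
    'scontext=root:system_r:spamd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0',
    'avc: denied { read } for comm="sendmail" name="submit.cf" '
    'path="/etc/mail/submit.cf" pid=31906 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file '
    'tcontext=system_u:object_r:etc_mail_t:s0',
    'avc: denied { sendto } for comm="sendmail" name="log" path="/dev/log" '
    'pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0',
]
# Hypothetical expected-label table; the entry follows David's remark that
# everything under /etc/mail should carry etc_mail_t.
EXPECTED_TYPES = {"/etc/mail": "etc_mail_t"}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted"
_PERMS = re.compile(r'\{ ([^}]*) \}')         # { read, write }

def parse_avc(line):
    """Turn one 'avc: denied ...' record into a dict of its fields."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec["perms"] = _PERMS.search(line).group(1).replace(",", "").split()
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type[:level]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """Say whether a denial can be explained by a wrong file label."""
    path = rec.get("path")
    if not path:  # the record only had name="mail": the object is unknown
        return "path unknown: locate the object and check it with ls -Z"
    for prefix, want in EXPECTED_TYPES.items():
        if path.startswith(prefix + "/"):
            if rec["ttype"] != want:
                return f"mislabeled: expected {want}, got {rec['ttype']}"
            return "label already correct: not a labeling problem"
    return "no expectation recorded for this path"

def summarize(lines):
    """Group denials by source domain so it is clear which domain is denied."""
    by_domain = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        by_domain[rec["stype"]].append((rec["comm"], " ".join(rec["perms"]),
                                        rec["tclass"], rec["ttype"], classify(rec)))
    return dict(by_domain)

if __name__ == "__main__":
    for domain, entries in summarize(AVC_SAMPLES).items():
        print(domain, *entries, sep="\n   ")
```

Feeding it the full records from the thread shows the same split: the spamd_t denial has no path to check, while every pid 31906 denial comes from httpd_sys_script_t against correctly labeled or non-file targets, so restorecon on /etc/mail cannot remove those.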