Re: SELinux problem after sendmail.mc modification.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug Thistlethwaite wrote:
> David,  Thanks for the quick reply.  I answered your questions in-line
> below:
> 
> David Caplan wrote:
>> Doug,
>>
>>   ...
>>> My mail server was working fine secured by SELinux running in
>>> enforcing mode. Our company lost connection the the Internet for a
>>> couple days so I edited sendmail.mc to skip the domain check for the
>>> duration. I edited the file ran MAKE and restarted the sendmail
>>> process. I also disabled spamd because all of the email would be
>>> internal.
>>>
>>>     
>>
>> Did you do all of the above as root/unconfined_t? The most likely
>> problem (at least at that point) was a labeling problem. As you are
>> running targeted policy it should not have caused a problem.
>>
>>   
> I assume that I did.  I was logged in as root and did not even know
> until know that something called unconfirmed_t existed. Initially, I
> entered the commands suggested by setroubleshoot.
>>  
>>> Well SELinux didn't like what I did and started to produce lots of AVC
>>> messages and provided solutions to most of them. I followed the
>>> suggestion in the "Allowing Access" section of the setroubleshoot
>>> browser and most of the messages went away.     
>>
>> Does that mean you added a local policy module?
>>   
> 
> I don't think so.  I entered commands like the following: (Copied from
> my command buffer)
> 
> chcon -t httpd_sys_content_t /etc/mail/local-host-names
> chcon -t httpd_sys_content_t /etc/mail/trusted-users
> chcon -t httpd_sys_content_t submit.cf
> chcon -t httpd_sys_content_t clientmqueue
> chcon -t httpd_sys_content_t anon_inode:[eventpoll]
> 
> The last one wouldn't work and this is when I decided to just disable
> SELinux until my internet connection was restored.
> 
> 
>>  
>>> After about a dozen of these
>>> messages, I decided to just have the system "relabel on next reboot"
>>> using the SELinux management tool. When that didn't fix the problem, I
>>> just disabled SELinux until the Internet connection was fixed.
>>>
>>> So the connection was fixed, I fixed the sendmail.mc file to be
>>> exactly the same as before the problem. I used MAKE on the file and
>>> relabeled
>>> the SELinux during a reboot and reset SELinux to enforcement mode.
>>> Spamd will not start in enforcement mode. I get the following
>>> setroubleshoot message:
>>>
>>>     
>>
>> The indication below (in the "Additional Information" section) says that
>> you are in Permissive, not Enforcing. Of course, things should work in
>> Permissive mode.
>>
>>   
> Yes, I switch to Permissive mode so my users  were not burried in spam. 
> The same messages were there in Enforcing mode.
>>> Summary
>>> SELinux is preventing spamd (spamd_t) "search" to mail
>>> (httpd_sys_content_t).
>>>
>>>     
>>
>> It doesn't seem like spamd should need access to httpd* files. If you
>> are in Permissive mode that may not be what your problem is. What is the
>> file related to this message (i.e., the path of the target directory
>> that is labeled with httpd_sys_content_t)?
>>   
> I have no idea.  The information in my first message is everything that
> was dsiplayed in setroubleshoot window.  Other messages in the
> setroubleshoot window show file names, but this one doesn't.  How would
> I find this out?
>>  
>>> Detailed Description
>>> SELinux denied access requested by spamd. It is not expected that this
>>> access is required by spamd and this access may signal an intrusion
>>> attempt. It is also possible that the specific version or
>>> configuration of the application is causing it to require additional
>>> access.
>>>
>>> Allowing Access
>>> Sometimes labeling problems can cause SELinux denials. You could try
>>> to restore the default system file context for mail, restorecon -v
>>> mail If
>>>     this does not work, there is currently no automatic way to allow
>>> this
>>> access. Instead, you can generate a local policy module to allow this
>>> access - see FAQ Or you can disable SELinux protection altogether.
>>> Disabling SELinux protection is not recommended. Please file a bug
>>> report against this package.
>>>
>>> Additional Information
>>>     Source Context: system_u:system_r:spamd_t
>>>     Target Context: system_u:object_r:httpd_sys_content_t
>>>     Target Objects: mail [ dir ]
>>>     Affected RPM Packages:
>>>     Policy RPM: selinux-policy-2.6.4-46.fc7
>>>     Selinux Enabled: TruePolicy Type: targetedMLS Enabled: True
>>>     Enforcing Mode: Permissive
>>>     Plugin Name: plugins.catchall_file
>>>
>>>
>>> When I ran the suggested fix "restorecon -v mail" I get the following
>>> error message:
>>> lstat(mail) failed: No such file or directory
>>>
>>>     
>>
>> I think you want to run this in the directory above the mail directory
>> (e.g., this is typically /etc). Everything in /etc/mail should be
>> labeled with etc_mail_t. You should also run it with -R. For example:
>> # restorecon -v mail
>> lstat(mail) failed: No such file or directory
>> # cd /etc
>> # restorecon -v mail
>> # chcon -t file_t mail/sendmail.mc
>> # restorecon -v mail
>> # ls -Z mail/sendmail.mc
>> -rw-r--r--  root root system_u:object_r:file_t         mail/sendmail.mc
>> # restorecon -Rv mail
>> restorecon reset /etc/mail/sendmail.mc context
>> system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0
>> #
>>
>>   
> I ran the suggested commands and restarted sendmail, spamassassin and I
> did the same restorecon command for any file listed in the error
> messages.  After this I sent an email through a web interface.  I got
> the following errors in setroubleshoot:
> 
> #1
> 
> Summary
>    SELinux is preventing spamd (spamd_t) "search" to
> mail(httpd_sys_content_t).
> 
> Detailed Description
>    SELinux denied access requested by spamd. It is not expected that
> this access is required by spamd and this access may signal an intrusion
> attempt.
>    It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access
>    Sometimes labeling problems can cause SELinux denials.  You could try
> to restore the default system file context for mail, restorecon -v mail
> If this
>    does not work, there is currently no automatic way to allow this access.
>    Instead,  you can generate a local policy module to allow this access
> - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
> can disable
>    SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
> 
> Additional Information       
> Source Context                root:system_r:spamd_t
> Target Context                system_u:object_r:httpd_sys_content_t
> Target Objects                mail [ dir ]
> Affected RPM Packages         Policy RPM                   
> selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall_file
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:32:24 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:32:24 PM PDT
> Local ID                      d478c85c-d36f-4fa3-9371-2ab3f4bb05f5
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0
> exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail"
> pid=31883
> scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0
> suid=0
> tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1
> uid=0
> 
> #2
> 
> Summary
>    SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially mislabeled files submit.cf (etc_mail_t).
> 
> Detailed Description
>    SELinux has denied the /usr/sbin/sendmail.sendmail access to
> potentially mislabeled files submit.cf.  This means that SELinux will
> not allow http to
>    use these files.  Many third party apps install html files in
> directories that SELinux policy can not predict.  These directories have
> to be labeled
>    with a file context which httpd can accesss.
> 
> Allowing Access
>    If you want to change the file context of submit.cf so that the httpd
> daemon can access it, you need to execute it using chcon -t
> httpd_sys_content_t
>    submit.cf.  You can look at the httpd_selinux man page for additional
> information.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:object_r:etc_mail_t
> Target Objects                submit.cf [ file ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.httpd_bad_labels
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      e67e0ecc-909e-44ba-8a80-106228c8e348
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
> items=0
> name="submit.cf" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0
> sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> 
> #3
> Summary
>    SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially mislabeled files /etc/mail/submit.cf (etc_mail_t).
> 
> Detailed Description
>    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
>    mislabeled files /etc/mail/submit.cf.  This means that SELinux will not
>    allow http to use these files.  Many third party apps install html
> files in
>    directories that SELinux policy can not predict.  These directories
> have to
>    be labeled with a file context which httpd can accesss.
> 
> Allowing Access
>    If you want to change the file context of /etc/mail/submit.cf so that
> the
>    httpd daemon can access it, you need to execute it using chcon -t
>    httpd_sys_content_t /etc/mail/submit.cf.  You can look at the
> httpd_selinux
>    man page for additional information.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:object_r:etc_mail_t
> Target Objects                /etc/mail/submit.cf [ file ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7
>                              [application]sendmail-8.14.1-4.2.fc7
> [target]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.httpd_bad_labels
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      10bd0547-6b5c-4b86-96e6-6bb16af2a64d
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0
> name="submit.cf" path="/etc/mail/submit.cf" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
> 
> 
> #4
> Summary
>    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
>    "create" to <Unknown> (httpd_sys_script_t).
> 
> Detailed Description
>    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not
>    expected that this access is required by /usr/sbin/sendmail.sendmail and
>    this access may signal an intrusion attempt. It is also possible that
> the
>    specific version or configuration of the application is causing it to
>    require additional access.
> 
> Allowing Access
>    You can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>    SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi  against this package.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:system_r:httpd_sys_script_t
> Target Objects                None [ unix_dgram_socket ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      ef574580-2190-4edc-8e54-b92181831531
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { create } for comm="sendmail" egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
> items=0
> pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
> 
> #5
> 
> Summary
>    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
>    "sendto" to /dev/log (syslogd_t).
> 
> Detailed Description
>    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not
>    expected that this access is required by /usr/sbin/sendmail.sendmail and
>    this access may signal an intrusion attempt. It is also possible that
> the
>    specific version or configuration of the application is causing it to
>    require additional access.
> 
> Allowing Access
>    You can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>    SELinux protection altogether. Disabling SELinux protection is not   
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:system_r:syslogd_t
> Target Objects                /dev/log [ unix_dgram_socket ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      831be357-c006-4d42-8ab7-1634e2035ef4
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0
> name="log" path="/dev/log" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48
> 
> 
> #6
> 
> Summary
>    SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
>    "write" to <Unknown> (httpd_sys_script_t).
> 
> Detailed Description
>    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not
>    expected that this access is required by /usr/sbin/sendmail.sendmail and
>    this access may signal an intrusion attempt. It is also possible that
> the
>    specific version or configuration of the application is causing it to
>    require additional access.
> 
> Allowing Access
>    You can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>    SELinux protection altogether. Disabling SELinux protection is not
>    recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:system_r:httpd_sys_script_t
> Target Objects                None [ unix_dgram_socket ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      a793410a-36e5-4685-b82a-c7a0ddee7c44
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { write } for comm="sendmail" egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48
> items=0
> pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
> 
> #7
> 
> Summary
>    SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially
>    mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).
> 
> Detailed Description
>    SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
>    mislabeled files anon_inode:[eventpoll].  This means that SELinux
> will not
>    allow http to use these files.  Many third party apps install html
> files in
>    directories that SELinux policy can not predict.  These directories
> have to
>    be labeled with a file context which httpd can accesss.
> 
> Allowing Access
>    If you want to change the file context of anon_inode:[eventpoll] so
> that the
>    httpd daemon can access it, you need to execute it using chcon -t
>    httpd_sys_content_t anon_inode:[eventpoll].  You can look at the
>    httpd_selinux man page for additional information.
> 
> Additional Information       
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:object_r:anon_inodefs_t
> Target Objects                anon_inode:[eventpoll] [ file ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-46.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.httpd_bad_labels
> Host Name                     mail.dupreeinc.com
> Platform                      Linux mail.dupreeinc.com 2.6.22.9-91.fc7
> #1 SMP
>                              Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count                   1
> First Seen                    Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen                     Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID                      5c2f5b86-899e-44d6-ba25-906180a5731d
> Line Numbers                 
> Raw Audit Messages           
> avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51
> euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0
> name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Set the boolean
httpd_can_sendmail on

setsebool -P httpd_can_sendmail 1

This will allow httpd_sys_script_t to transition to sendmail_t and you
should be able to send mail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHE8CprlYvE4MpobMRAsMVAKCvAuPho1Fl9XPhPPUkz80ugE86twCg3qSd
ktdQGZH0gLkZO+stG0moaac=
=1/ar
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux