Doug Thistlethwaite wrote:
> David, Thanks for the quick reply. I answered your questions in-line
> below:
>
> David Caplan wrote:
>> Doug,
>>
>> ...
>>> My mail server was working fine secured by SELinux running in
>>> enforcing mode. Our company lost connection to the Internet for a
>>> couple days so I edited sendmail.mc to skip the domain check for the
>>> duration. I edited the file, ran MAKE and restarted the sendmail
>>> process. I also disabled spamd because all of the email would be
>>> internal.
>>>
>>
>> Did you do all of the above as root/unconfined_t? The most likely
>> problem (at least at that point) was a labeling problem. As you are
>> running targeted policy it should not have caused a problem.
>>
> I assume that I did. I was logged in as root and did not even know
> until now that something called unconfined_t existed. Initially, I
> entered the commands suggested by setroubleshoot.
>>
>>> Well SELinux didn't like what I did and started to produce lots of AVC
>>> messages and provided solutions to most of them. I followed the
>>> suggestion in the "Allowing Access" section of the setroubleshoot
>>> browser and most of the messages went away.
>>
>> Does that mean you added a local policy module?
>>
>
> I don't think so. I entered commands like the following: (Copied from
> my command buffer)
>
> chcon -t httpd_sys_content_t /etc/mail/local-host-names
> chcon -t httpd_sys_content_t /etc/mail/trusted-users
> chcon -t httpd_sys_content_t submit.cf
> chcon -t httpd_sys_content_t clientmqueue
> chcon -t httpd_sys_content_t anon_inode:[eventpoll]
>
> The last one wouldn't work and this is when I decided to just disable
> SELinux until my internet connection was restored.
>
>>
>>> After about a dozen of these messages, I decided to just have the
>>> system "relabel on next reboot" using the SELinux management tool.
>>> When that didn't fix the problem, I just disabled SELinux until the
>>> Internet connection was fixed.
>>>
>>> So the connection was fixed, I fixed the sendmail.mc file to be
>>> exactly the same as before the problem. I used MAKE on the file and
>>> relabeled the SELinux during a reboot and reset SELinux to
>>> enforcement mode. Spamd will not start in enforcement mode. I get
>>> the following setroubleshoot message:
>>>
>>
>> The indication below (in the "Additional Information" section) says that
>> you are in Permissive, not Enforcing. Of course, things should work in
>> Permissive mode.
>>
> Yes, I switched to Permissive mode so my users were not buried in spam.
> The same messages were there in Enforcing mode.
>>
>>> Summary
>>> SELinux is preventing spamd (spamd_t) "search" to mail
>>> (httpd_sys_content_t).
>>>
>>
>> It doesn't seem like spamd should need access to httpd* files. If you
>> are in Permissive mode that may not be what your problem is. What is the
>> file related to this message (i.e., the path of the target directory
>> that is labeled with httpd_sys_content_t)?
>>
> I have no idea. The information in my first message is everything that
> was displayed in the setroubleshoot window. Other messages in the
> setroubleshoot window show file names, but this one doesn't. How would
> I find this out?
>>
>>> Detailed Description
>>> SELinux denied access requested by spamd. It is not expected that this
>>> access is required by spamd and this access may signal an intrusion
>>> attempt. It is also possible that the specific version or
>>> configuration of the application is causing it to require additional
>>> access.
>>>
>>> Allowing Access
>>> Sometimes labeling problems can cause SELinux denials. You could try
>>> to restore the default system file context for mail, restorecon -v mail
>>> If this does not work, there is currently no automatic way to allow
>>> this access. Instead, you can generate a local policy module to allow
>>> this access - see FAQ Or you can disable SELinux protection altogether.
>>> Disabling SELinux protection is not recommended. Please file a bug
>>> report against this package.
>>>
>>> Additional Information
>>> Source Context: system_u:system_r:spamd_t
>>> Target Context: system_u:object_r:httpd_sys_content_t
>>> Target Objects: mail [ dir ]
>>> Affected RPM Packages:
>>> Policy RPM: selinux-policy-2.6.4-46.fc7
>>> Selinux Enabled: True
>>> Policy Type: targeted
>>> MLS Enabled: True
>>> Enforcing Mode: Permissive
>>> Plugin Name: plugins.catchall_file
>>>
>>>
>>> When I ran the suggested fix "restorecon -v mail" I get the following
>>> error message:
>>> lstat(mail) failed: No such file or directory
>>>
>>
>> I think you want to run this in the directory above the mail directory
>> (e.g., this is typically /etc). Everything in /etc/mail should be
>> labeled with etc_mail_t. You should also run it with -R. For example:
>>
>> # restorecon -v mail
>> lstat(mail) failed: No such file or directory
>> # cd /etc
>> # restorecon -v mail
>> # chcon -t file_t mail/sendmail.mc
>> # restorecon -v mail
>> # ls -Z mail/sendmail.mc
>> -rw-r--r-- root root system_u:object_r:file_t mail/sendmail.mc
>> # restorecon -Rv mail
>> restorecon reset /etc/mail/sendmail.mc context
>> system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0
>> #
>>
> I ran the suggested commands and restarted sendmail, spamassassin and I
> did the same restorecon command for any file listed in the error
> messages. After this I sent an email through a web interface. I got
> the following errors in setroubleshoot:
>
> #1
>
> Summary
> SELinux is preventing spamd (spamd_t) "search" to
> mail(httpd_sys_content_t).
>
> Detailed Description
> SELinux denied access requested by spamd. It is not expected that
> this access is required by spamd and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try
> to restore the default system file context for mail, restorecon -v mail
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
> Source Context root:system_r:spamd_t
> Target Context system_u:object_r:httpd_sys_content_t
> Target Objects mail [ dir ]
> Affected RPM Packages
> Policy RPM selinux-policy-2.6.4-46.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.catchall_file
> Host Name mail.dupreeinc.com
> Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP
> Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count 1
> First Seen Thu 11 Oct 2007 03:32:24 PM PDT
> Last Seen Thu 11 Oct 2007 03:32:24 PM PDT
> Local ID d478c85c-d36f-4fa3-9371-2ab3f4bb05f5
> Line Numbers
> Raw Audit Messages
> avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0
> exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail"
> pid=31883 scontext=root:system_r:spamd_t:s0 sgid=0
> subj=root:system_r:spamd_t:s0 suid=0 tclass=dir
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1 uid=0
>
> #2
>
> Summary
> SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially mislabeled files submit.cf (etc_mail_t).
>
> Detailed Description
> SELinux has denied the /usr/sbin/sendmail.sendmail access to
> potentially mislabeled files submit.cf. This means that SELinux will
> not allow http to use these files. Many third party apps install html
> files in directories that SELinux policy can not predict. These
> directories have to be labeled with a file context which httpd can
> accesss.
>
> Allowing Access
> If you want to change the file context of submit.cf so that the httpd
> daemon can access it, you need to execute it using chcon -t
> httpd_sys_content_t submit.cf. You can look at the httpd_selinux man
> page for additional information.
>
> Additional Information
> Source Context system_u:system_r:httpd_sys_script_t
> Target Context system_u:object_r:etc_mail_t
> Target Objects submit.cf [ file ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM selinux-policy-2.6.4-46.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.httpd_bad_labels
> Host Name mail.dupreeinc.com
> Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP
> Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count 1
> First Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID e67e0ecc-909e-44ba-8a80-106228c8e348
> Line Numbers
> Raw Audit Messages
> avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
> items=0 name="submit.cf" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
>
> #3
>
> Summary
> SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially mislabeled files /etc/mail/submit.cf (etc_mail_t).
>
> Detailed Description
> SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
> mislabeled files /etc/mail/submit.cf. This means that SELinux will not
> allow http to use these files. Many third party apps install html files
> in directories that SELinux policy can not predict. These directories
> have to be labeled with a file context which httpd can accesss.
>
> Allowing Access
> If you want to change the file context of /etc/mail/submit.cf so that
> the httpd daemon can access it, you need to execute it using chcon -t
> httpd_sys_content_t /etc/mail/submit.cf. You can look at the
> httpd_selinux man page for additional information.
>
> Additional Information
> Source Context system_u:system_r:httpd_sys_script_t
> Target Context system_u:object_r:etc_mail_t
> Target Objects /etc/mail/submit.cf [ file ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
> sendmail-8.14.1-4.2.fc7 [target]
> Policy RPM selinux-policy-2.6.4-46.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.httpd_bad_labels
> Host Name mail.dupreeinc.com
> Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP
> Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count 1
> First Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID 10bd0547-6b5c-4b86-96e6-6bb16af2a64d
> Line Numbers
> Raw Audit Messages
> avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0 name="submit.cf" path="/etc/mail/submit.cf" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
>
> #4
>
> Summary
> SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
> "create" to <Unknown> (httpd_sys_script_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not expected that this access is required by /usr/sbin/sendmail.sendmail
> and this access may signal an intrusion attempt. It is also possible
> that the specific version or configuration of the application is causing
> it to require additional access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
> Source Context system_u:system_r:httpd_sys_script_t
> Target Context system_u:system_r:httpd_sys_script_t
> Target Objects None [ unix_dgram_socket ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM selinux-policy-2.6.4-46.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.catchall
> Host Name mail.dupreeinc.com
> Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP
> Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count 1
> First Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID ef574580-2190-4edc-8e54-b92181831531
> Line Numbers
> Raw Audit Messages
> avc: denied { create } for comm="sendmail" egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48
> items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0
> sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
>
> #5
>
> Summary
> SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
> "sendto" to /dev/log (syslogd_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not expected that this access is required by /usr/sbin/sendmail.sendmail
> and this access may signal an intrusion attempt. It is also possible
> that the specific version or configuration of the application is causing
> it to require additional access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
> Source Context system_u:system_r:httpd_sys_script_t
> Target Context system_u:system_r:syslogd_t
> Target Objects /dev/log [ unix_dgram_socket ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM selinux-policy-2.6.4-46.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.catchall
> Host Name mail.dupreeinc.com
> Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP
> Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count 1
> First Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID 831be357-c006-4d42-8ab7-1634e2035ef4
> Line Numbers
> Raw Audit Messages
> avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48
> items=0 name="log" path="/dev/log" pid=31906
> scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48
>
> #6
>
> Summary
> SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
> "write" to <Unknown> (httpd_sys_script_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
> not expected that this access is required by /usr/sbin/sendmail.sendmail
> and this access may signal an intrusion attempt. It is also possible
> that the specific version or configuration of the application is causing
> it to require additional access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
> Source Context system_u:system_r:httpd_sys_script_t
> Target Context system_u:system_r:httpd_sys_script_t
> Target Objects None [ unix_dgram_socket ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM selinux-policy-2.6.4-46.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.catchall
> Host Name mail.dupreeinc.com
> Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP
> Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count 1
> First Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID a793410a-36e5-4685-b82a-c7a0ddee7c44
> Line Numbers
> Raw Audit Messages
> avc: denied { write } for comm="sendmail" egid=51 euid=48
> exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48
> items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0
> sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48
> tclass=unix_dgram_socket
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
>
> #7
>
> Summary
> SELinux is preventing the /usr/sbin/sendmail.sendmail from using
> potentially mislabeled files anon_inode:[eventpoll] (anon_inodefs_t).
>
> Detailed Description
> SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
> mislabeled files anon_inode:[eventpoll]. This means that SELinux will
> not allow http to use these files. Many third party apps install html
> files in directories that SELinux policy can not predict. These
> directories have to be labeled with a file context which httpd can
> accesss.
>
> Allowing Access
> If you want to change the file context of anon_inode:[eventpoll] so
> that the httpd daemon can access it, you need to execute it using
> chcon -t httpd_sys_content_t anon_inode:[eventpoll]. You can look at
> the httpd_selinux man page for additional information.
>
> Additional Information
> Source Context system_u:system_r:httpd_sys_script_t
> Target Context system_u:object_r:anon_inodefs_t
> Target Objects anon_inode:[eventpoll] [ file ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application]
> Policy RPM selinux-policy-2.6.4-46.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name plugins.httpd_bad_labels
> Host Name mail.dupreeinc.com
> Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP
> Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
> Alert Count 1
> First Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Last Seen Thu 11 Oct 2007 03:33:03 PM PDT
> Local ID 5c2f5b86-899e-44d6-ba25-906180a5731d
> Line Numbers
> Raw Audit Messages
> avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51
> euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48
> gid=48 items=0 name="[eventpoll]" path="anon_inode:[eventpoll]"
> pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51
> subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Set the boolean httpd_can_sendmail on:

setsebool -P httpd_can_sendmail 1

This will allow httpd_sys_script_t to transition to sendmail_t and you should be
able to send mail.
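As an added example (not from the thread, setroubleshoot or the Fedora policy), a small Python triage of the raw audit messages quoted above: it parses each AVC line and separates the two different problems mixed together in this thread, the CGI-launched sendmail that stays in httpd_sys_script_t (fixed by the boolean in the reply) from the mail directory that was hand-labelled httpd_sys_content_t with chcon (fixed by restorecon). The classification rules and recommendation strings are my own assumptions drawn from the thread, not policy semantics.

```python
import re
from dataclasses import dataclass

# Constructed sample input: four of the raw audit messages quoted in the
# thread above, joined back onto single lines (setroubleshoot wraps them).
AVC_LINES = [
    'avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0 exe="/usr/bin/perl" '
    'exit=0 name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1 uid=0',
    'avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48 '
    'exe="/usr/sbin/sendmail.sendmail" exit=3 name="submit.cf" pid=31906 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file '
    'tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48',
    'avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48 '
    'exe="/usr/sbin/sendmail.sendmail" exit=0 name="log" path="/dev/log" pid=31906 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket '
    'tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48',
    'avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51 euid=48 '
    'exe="/usr/sbin/sendmail.sendmail" exit=0 name="[eventpoll]" '
    'path="anon_inode:[eventpoll]" pid=31906 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=file '
    'tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48',
]

@dataclass
class Avc:
    perms: tuple   # permissions inside "{ ... }", e.g. ("read", "write")
    fields: dict   # key=value pairs with surrounding quotes removed

    def type_of(self, key):
        # A context is user:role:type[:level]; policy rules are written on the type.
        return self.fields[key].split(":")[2]

def parse_avc(line):
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*)\}", line)
    if m is None:
        return None  # not an AVC record (e.g. a SYSCALL line)
    perms = tuple(p.strip(",") for p in m.group(1).split())
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return Avc(perms, {k: v.strip('"') for k, v in pairs})

def triage(avc):
    src, tgt = avc.type_of("scontext"), avc.type_of("tcontext")
    comm = avc.fields.get("comm", "")
    # A web script running sendmail without ever leaving httpd_sys_script_t:
    # the reply's boolean permits the transition to sendmail_t (assumed rule).
    if src == "httpd_sys_script_t" and comm == "sendmail":
        return "boolean: setsebool -P httpd_can_sendmail 1"
    # A mail daemon denied on a web-content type: something was relabelled by
    # hand (the chcon commands in the thread), so restore the default contexts.
    if tgt.startswith("httpd_sys_") and not src.startswith("httpd_"):
        obj = avc.fields.get("path") or avc.fields.get("name", "?")
        return "relabel: restorecon -Rv %s (run from its parent directory, e.g. /etc)" % obj
    return "unclassified: inspect manually"

def triage_all(lines):
    # Returns {recommendation: count} so repeated alerts collapse to one action.
    counts = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            rec = triage(avc)
            counts[rec] = counts.get(rec, 0) + 1
    return counts
```

Running triage_all over the four constructed lines yields three alerts resolved by the single boolean and one by relabelling the mail directory, which is the split the reply above makes.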