Adam Huffman wrote:
> After yum upgrading from F7 to F8, I'm seeing alerts whenever
> fetchmail brings in new mail, even after a complete relabelling of the
> system:
>
> Summary
> SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
> (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by sendmail. It is not expected that this
> access is required by sendmail and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for <Unknown>, restorecon -v
> <Unknown> If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:sendmail_t
> Target Context                unconfined_u:object_r:unconfined_home_dir_t
> Target Objects                None [ dir ]
> Affected RPM Packages
> Policy RPM                    selinux-policy-3.0.8-56.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     saintloup.smith.man.ac.uk
> Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
>                               SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count                   18
> First Seen                    Tue Nov 20 12:15:53 2007
> Last Seen                     Tue Nov 20 12:30:59 2007
> Local ID                      3c789a3b-b8f8-4b21-a34a-bc198b90be73
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161
> scontext=system_u:system_r:sendmail_t:s0 tclass=dir
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
>
> Summary
> SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to
> /home/adam (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
> expected that this access is required by /usr/sbin/sendmail.sendmail and
> this access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /home/adam, restorecon -v
> /home/adam If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:sendmail_t
> Target Context                unconfined_u:object_r:unconfined_home_dir_t
> Target Objects                /home/adam [ dir ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-56.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     saintloup.smith.man.ac.uk
> Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
>                               SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count                   66
> First Seen                    Tue Nov 20 12:15:53 2007
> Last Seen                     Tue Nov 20 12:30:59 2007
> Local ID                      a9ca1470-2510-4d05-baa4-48f8aa3b4474
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
> path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500
> subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0
>
> I've not seen anything about sendmail in recent selinux-policy builds
> - is something else wrong here?

Does everything seem to be working correctly? I.e., are you getting your mail?

This looks like sendmail is being executed from your home dir and it is doing a getattr on it (on the current working directory), which is generating the AVC. If it is not causing a problem, you should use audit2allow to generate a dontaudit rule.
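
Added illustration, not part of either message and not audit2allow's own code: a simplified Python stand-in for the step the reply recommends, turning the two AVC denials quoted above into a local policy module with a dontaudit rule. The module name `localsendmail` is hypothetical; on a real system `audit2allow -D` does this job.

```python
import re
from collections import defaultdict

# The two denials from the post (second record trimmed to the fields used here).
SAMPLE_AVCS = """\
avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
avc: denied { getattr } for comm=sendmail path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]


def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = DENIED_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        if not match or len(fields) < 3:
            continue  # not an AVC denial, or a truncated record: skip, don't guess
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]), fields["tclass"])
        denials[key].update(match.group(1).split())
    return dict(denials)


def dontaudit_module(log_text, name="localsendmail"):  # module name is hypothetical
    """Render a .te source module with one dontaudit rule per denial group."""
    denials = collect_denials(log_text)
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass] |= perms
    fmt = lambda perms: "{ " + " ".join(sorted(perms)) + " }"
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"dontaudit {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(denials.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(dontaudit_module(SAMPLE_AVCS), end="")
```

A dontaudit rule only suppresses the log entry; the access itself stays denied, which matches the reply's condition that mail delivery is otherwise working.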