On Mon, 2007-11-26 at 13:34 +0000, Adam Huffman wrote:
> On Nov 25, 2007 8:45 AM, Knute Johnson <knute@xxxxxxxxxxx> wrote:
> > I loaded F8 onto my old mail server computer and started to
> > reassemble it. But I'm getting a strange message from sendmail and a
> > selinux avc to go with it. I do not have a .forward file and I have
> > an almost identical system running that doesn't have one either and
> > doesn't give any errors. I don't know if this is a sendmail problem
> > or a selinux problem. The mail comes and goes OK. Any ideas?
> >
> > Thanks,
> >
> > knute...
> >
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward.www: Permission denied
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward: Permission denied
> >
> > Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> > { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> > ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

(I'd like to jump in here - I was about to file a bug against sendmail,
but thought I'd check the lists first!)

I have a similar looking problem after moving to f8 and setting up my
/etc/aliases so that user "morgan" is the person that should get root's
mail (as I have done previously). Similar ref to unconfined_home_dir_t -
but I know little about this stuff. I'm not getting my mail.

I've copied at bottom three example selinux_alerts, the most recent from
each of three streams of alerts I seem to be accumulating in the
"setroubleshoot browser".

Hope this helps, and I'm interested in any answers.

Regards,
M.


selinux_alert_22-11-07-1.45

Summary
    SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan
    (unconfined_home_dir_t).

Detailed Description
    SELinux denied access requested by sendmail. It is not expected that
    this access is required by sendmail and this access may signal an
    intrusion attempt.
    It is also possible that the specific version or configuration of the
    application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /home/morgan,

    restorecon -v /home/morgan

    If this does not work, there is currently no automatic way to allow
    this access. Instead, you can generate a local policy module to allow
    this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
    disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                /home/morgan [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     morgansmachine.lan
Platform                      Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP
                              Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   2
First Seen                    Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen                     Thu 22 Nov 2007 01:45:01 PM NZDT
Local ID                      33456cfd-f6bf-4857-8690-f681680cd24c
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=14769 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0


selinux_alert_27-11-07-9.45

Summary
    SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
    (unconfined_home_dir_t).

Detailed Description
    SELinux denied access requested by sendmail. It is not expected that
    this access is required by sendmail and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional
    access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for <Unknown>,

    restorecon -v <Unknown>

    If this does not work, there is currently no automatic way to allow
    this access. Instead, you can generate a local policy module to allow
    this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
    disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                None [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     morgansmachine.lan
Platform                      Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP
                              Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   5
First Seen                    Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen                     Tue 27 Nov 2007 09:45:51 AM NZDT
Local ID                      b60f5a23-575f-4489-89c7-ab71e8be786d
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=sendmail dev=dm-1 name=morgan pid=5918 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0


selinux_alert_27-11-07-10.10

Summary
    SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan
    (unconfined_home_dir_t).

Detailed Description
    SELinux denied access requested by sendmail. /home/morgan may be a
    mislabeled. /home/morgan default SELinux type is
    <B>user_home_dir_t</B>, while its current type is
    <B>unconfined_home_dir_t</B>. Changing this file back to the default
    type, may fix your problem.

    File contexts can get assigned to a file can following ways.
    <ul>
    <li>Files created in a directory recieve the file context of the
    parent directory by default.
    <li>Users can change the file context on a file using tools like
    chcon, or restorecon.
    <li>The kernel can decide via policy that an application running as
    context A Creating a file in a directory labeled B will create files
    labeled C.
    </ul>

    This file could have been mislabeled either by user error, or if an
    normally confined application was run under the wrong domain. Of
    course this could also indicate a bug in SELinux, in that the file
    should not be labeled with this type. If you believe this is a bug,
    please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    You can restore the default system context to this file by executing
    the restorecon command. restorecon /home/morgan, if this file is a
    directory, you can recursively restore using restorecon -R
    /home/morgan.

    The following command will allow this access:

    restorecon /home/morgan

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                /home/morgan [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.restorecon
Host Name                     morgansmachine.lan
Platform                      Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP
                              Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   9
First Seen                    Fri 23 Nov 2007 07:04:40 PM NZDT
Last Seen                     Tue 27 Nov 2007 10:10:04 AM NZDT
Local ID                      96c556ec-4c09-4641-90d0-8c4be7082c66
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=7760 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

--
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17

Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>

fedora: Freedom Forever!
http://fedoraproject.org/wiki/Overview

"By choosing not to ship any proprietary or binary drivers, Fedora does
differ from other distributions. ..."
Quote: Max Spevik
http://interviews.slashdot.org/article.pl?sid=06/08/17/177220

RMS on fedora:
http://fedoraproject.org/wiki/FreeSoftwareAnalysis/FSF

Attachment: smime.p7s
Description: S/MIME cryptographic signature

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list