Re: Strange Mailman/Sendmail Audit messages in Fedora-10?

Derek Atkins wrote:
Paul,

Quoting Paul Howarth <paul@xxxxxxxxxxxx>:

[snip]
> Do your milters exec other programs? There are a couple of sockets

I don't think so, but I don't know.  I'm using clamav-milter,
spamass-milter, and milter-sender.  I'm pretty sure that the
latter doesn't fork/exec.  I don't know about clamav or spamass.

spamass-milter forks and execs sendmail to deliver spam if you use the
"-b" option - that's how I discovered the problem.

Thanks.  But I'm not using the -b option.  It's run with:

 -p /path/to/sock -P /path/to/pid -m -r 5 -i ...

Yes, all the logs you posted appear to be mailman-related.

The audit log entries you posted suggest that mailman inherited a
socket descriptor from sendmail.

I believe that..  Yet it doesn't look like it actually stopped anything
from happening..  The mail seemed to flow okay.  But it would be
nice to fix this.   I don't like getting audit warnings.  Maybe sendmail
is leaking fds as you suggest?   Should I file a bug with fedora
about this?

Well, you could, but it's not really causing a problem other than log noise, and upstream already have a fix for it, though they're not in a rush to do a new release.

[snip]
Okay, how would I do that?

You'll need to create a local policy module. I'd do it this way:

[instructions snipped]

Thanks, Paul.  I'll consider doing this.

Is there any easy way to figure out what's connected to the sockets
that it's complaining about?   I certainly can't find anything via
lsof or netstat -a.   Most likely because the sockets get closed
before I see the audit message and try to track it down.

There's no easy way that I know of. In the end I got the spamass-milter ones from running strace on the processes (I've since discovered how to use the audit subsystem to get a little more targeted information of this nature) and looking at the source code to follow what was going on.

If you're in enforcing mode then the kernel will actually be closing down the descriptors at the time the AVCs are generated.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
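
The descriptor inheritance discussed in this thread, as an added example that is not part of the original messages and is not sendmail, mailman or milter code: a parent-side check for socket descriptors that would survive an exec, confirmed from a child process. It assumes Linux/POSIX and Python 3; the socketpair is a constructed stand-in for a daemon's socket, and setting close-on-exec is shown as the generic remedy, not as the upstream fix mentioned above.

```python
import fcntl, os, socket, stat, subprocess, sys

# Child-side probe: report what the given fd number is after the exec.
PROBE = (
    "import os, stat, sys\n"
    "try:\n"
    "    mode = os.fstat(int(sys.argv[1])).st_mode\n"
    "    print('socket' if stat.S_ISSOCK(mode) else 'other')\n"
    "except OSError:\n"
    "    print('closed')\n"
)

def inheritable_sockets(max_fd=256):
    """Socket fds in this process with FD_CLOEXEC unset (they survive exec)."""
    found = []
    for fd in range(3, max_fd):
        try:
            if not stat.S_ISSOCK(os.fstat(fd).st_mode):
                continue
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # fd is not open
        if not flags & fcntl.FD_CLOEXEC:
            found.append(fd)
    return found

def child_sees_socket(fd):
    """Exec a child without closing fds and ask whether fd is a socket there."""
    out = subprocess.run([sys.executable, "-c", PROBE, str(fd)],
                         close_fds=False, capture_output=True,
                         text=True, check=True).stdout
    return out.strip() == "socket"

def demo():
    a, b = socket.socketpair()  # constructed stand-in for the daemon's socket
    fd = a.fileno()
    try:
        os.set_inheritable(fd, True)   # the leak: FD_CLOEXEC cleared
        leaked = (fd in inheritable_sockets(), child_sees_socket(fd))
        os.set_inheritable(fd, False)  # the remedy: close-on-exec set
        fixed = (fd in inheritable_sockets(), child_sees_socket(fd))
        return leaked, fixed
    finally:
        a.close()
        b.close()

if __name__ == "__main__":
    print(demo())
```
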
