On 08/10/2009 11:18 AM, Daniel B. Thurman wrote:
>
> I got this AVC complaint fairly recently so please
> let me know how to fix this one thanks!
>
> File: /var/log/messages
> =================================================
> setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to
> /var/log/messages (var_log_t). For complete SELinux messages. run
> sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
>
>
> $ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
> =================================================
> Summary:
>
> SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages
> (var_log_t).
>
> Detailed Description:
>
> SELinux denied access requested by sendmail. It is not expected that this access
> is required by sendmail and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for /var/log/messages,
>
> restorecon -v '/var/log/messages'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:var_log_t:s0
> Target Objects                /var/log/messages [ file ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port                          <Unknown>
> Host                          mysystem.mydomain.com
> Source RPM Packages           sendmail-8.14.2-4.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-135.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     mysystem.mydomain.com
> Platform                      Linux mysystem.mydomain.com
>                               2.6.27.25-78.2.56.fc9.i686 #1
>                               SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
> Alert Count                   1
> First Seen                    Mon Aug 10 04:47:23 2009
> Last Seen                     Mon Aug 10 04:47:23 2009
> Local ID                      5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
> Line Numbers
>
> Raw Audit Messages
>
> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/maillog" dev=sda6 ino=4956165 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350): arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458 a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Well, number one, Fedora 9 is no longer supported. Please upgrade to F10 or preferably F11.

If you do not want to do this, you can add custom policy

# grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
# semodule -i mysendmail.pp