Daniel J Walsh wrote:
On 08/10/2009 11:18 AM, Daniel B. Thurman wrote:
I got this AVC complaint fairly recently so please
let me know how to fix this one thanks!
File: /var/log/messages
=================================================
setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to
/var/log/messages (var_log_t). For complete SELinux messages. run
sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
$ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
=================================================
Summary:
SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages
(var_log_t).
Detailed Description:
SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/messages,
restorecon -v '/var/log/messages'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/messages [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          mysystem.mydomain.com
Source RPM Packages           sendmail-8.14.2-4.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-135.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     mysystem.mydomain.com
Platform                      Linux mysystem.mydomain.com 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Mon Aug 10 04:47:23 2009
Last Seen                     Mon Aug 10 04:47:23 2009
Local ID                      5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
Line Numbers
Raw Audit Messages
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
avc: denied { read } for pid=16757 comm="sendmail"
path="/var/log/messages" dev=sda6 ino=86361
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
avc: denied { read } for pid=16757 comm="sendmail"
path="/var/log/secure" dev=sda6 ino=86369
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
avc: denied { read } for pid=16757 comm="sendmail"
path="/var/log/maillog" dev=sda6 ino=4956165
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350):
arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458
a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well, number one, Fedora 9 is no longer supported. Please upgrade to F10 or preferably F11.
If you do not want to do this, you can add custom policy:
# grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
# semodule -i mysendmail.pp
Thanks!
Dan
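A way to preview what the custom-policy step would grant before loading the module, as an added example that is not part of the original thread: it parses the AVC records quoted above and renders the allow rule they imply. The function names and the sample text are constructed for this example, and the rule is written in standard allow-rule syntax rather than taken from actual audit2allow output.

```python
import re
from collections import defaultdict

# Constructed input: the audit records quoted above, rejoined one per line (SYSCALL abbreviated).
SAMPLE_AUDIT = '''\
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/maillog" dev=sda6 ino=4956165 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350): arch=40000003 syscall=11 success=yes exit=0 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
'''

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for any other record."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not denied:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": set(denied.group(1).split()),
        "source": kv["scontext"].split(":")[2],  # the type is the third context field
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "object": kv.get("path") or kv.get("name", "?"),
    }

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["source"], rec["target"], rec["tclass"])]
            g["perms"] |= rec["perms"]
            g["objects"].add(rec["object"])
    return dict(groups)

def allow_rules(groups):
    """Render each group as an allow rule, one rule per type pair and class."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules

if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT)
    for key, rule in zip(sorted(groups), allow_rules(groups)):
        print(rule, " # denied on:", ", ".join(sorted(groups[key]["objects"])))
```

The three denials collapse into one rule keyed on the type var_log_t, so it applies to every file carrying that label and not only to the three paths that were denied.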