On 03/05/2010 07:16 PM, Daniel B. Thurman wrote:
> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
> denied { read } for pid=14919 comm="sendmail" path="/var/log/messages"
> dev=sdb8 ino=20167
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
> denied { read } for pid=14919 comm="sendmail" path="/var/log/secure"
> dev=sdb8 ino=20415
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
> denied { read } for pid=14919 comm="sendmail" path="/var/log/maillog"
> dev=sdb8 ino=21877
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=host.domain.com type=SYSCALL msg=audit(1267787608.324:42763):
> arch=40000003 syscall=11 success=yes exit=0 a0=85088a0 a1=8508928
> a2=8507eb0 a3=8508928 items=0 ppid=14865 pid=14919 auid=0 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=246
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Not sure why sendmail would need to read these files. It is obviously not
allowed. Odd thing is that sendmail is allowed to append to "logfiles".

# sesearch --allow -s system_mail_t -t var_log_t
Found 4 semantic av rules:
   allow application_domain_type logfile : file { getattr append } ;
   allow system_mail_t var_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow system_mail_t logfile : file { ioctl getattr lock append open } ;
   allow system_mail_t logfile : dir { getattr search open } ;

If this access is legitimate, then it is a bug in policy.
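An added example, not from the thread: it parses the AVC records and the sesearch allow rules quoted above and reports, per denial, which requested permissions the loaded policy really lacks (here `read`, while `append` is granted). The attribute map `TYPE_ATTRS` is an assumption, since sesearch prints attribute names such as `logfile` rather than the concrete types they expand to.

```python
import re

# Constructed sample input: two of the AVC records and the four sesearch
# allow rules from the thread, reflowed to one record per line.
AVC_RECORDS = """\
type=AVC msg=audit(1267787608.324:42763): avc: denied { read } for pid=14919 comm="sendmail" path="/var/log/messages" dev=sdb8 ino=20167 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1267787608.324:42763): avc: denied { read } for pid=14919 comm="sendmail" path="/var/log/secure" dev=sdb8 ino=20415 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""
SESEARCH_OUTPUT = """\
allow application_domain_type logfile : file { getattr append } ;
allow system_mail_t var_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow system_mail_t logfile : file { ioctl getattr lock append open } ;
allow system_mail_t logfile : dir { getattr search open } ;
"""
# Assumed attribute membership (sesearch shows attributes, not the types
# behind them): var_log_t carries logfile, system_mail_t carries
# application_domain_type. On a real host derive this from seinfo -t.
TYPE_ATTRS = {"var_log_t": {"logfile"}, "system_mail_t": {"application_domain_type"}}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
RULE_RE = re.compile(r"allow (?P<src>\S+) (?P<tgt>\S+) : (?P<cls>\S+) \{ (?P<perms>[^}]+)\} ;")

def parse_avcs(text):
    """Return (source type, target type, class, denied perms) per AVC record."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # the type is the third colon-separated field of a context
            out.append((m["s"].split(":")[2], m["t"].split(":")[2], m["cls"], set(m["perms"].split())))
    return out

def parse_rules(text):
    """Parse sesearch --allow output lines into (src, tgt, class, perms) tuples."""
    return [(m["src"], m["tgt"], m["cls"], set(m["perms"].split())) for m in RULE_RE.finditer(text)]

def allowed_perms(rules, src, tgt, cls):
    """Union of perms granted to src on tgt:cls, expanding attributes on both sides."""
    srcs = {src} | TYPE_ATTRS.get(src, set())
    tgts = {tgt} | TYPE_ATTRS.get(tgt, set())
    perms = set()
    for rsrc, rtgt, rcls, rperms in rules:
        if rsrc in srcs and rtgt in tgts and rcls == cls:
            perms |= rperms
    return perms

def check_denials(avc_text, rule_text):
    """For each denial: (src, tgt, class, denied perms the policy really lacks)."""
    rules = parse_rules(rule_text)
    return [(s, t, c, p - allowed_perms(rules, s, t, c)) for s, t, c, p in parse_avcs(avc_text)]
```

A non-empty fourth element confirms the denial is consistent with the loaded policy, so the question becomes whether the domain should have that access (a policy bug) or the process should not be asking (worth investigating).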
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux