Bug 330561
Summary: | SELINUX prevents Spamassassin to start | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Willem Huijbers <jan.willem> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 7 | Keywords: | Reopened |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2007-10-18 13:13:31 UTC | Type: | --- |
Description
Jan Willem Huijbers
2007-10-13 09:38:32 UTC
This says that spamd is searching a mail directory which is labeled httpd_sys_content_t. This looks like a labeling problem. If you find the directory that is mislabeled you will need to execute

restorecon -F -v mail

You're correct, but the relabeling of the etc/mail directory (and subdirs) fixed this issue, but created a problem with squirrelmail sending mails through sendmail. See bug 312181 for additional info on that.

Below are the "new" Sealert messages when sending a message created in webmail:

Oct 15 20:28:51 fedora-pc setsebool: The httpd_can_sendmail policy boolean was changed to 1 by root
Oct 15 20:29:30 fedora-pc setroubleshoot: SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files anon_inode:[eventpoll] (anon_inodefs_t). For complete SELinux messages. run sealert -l b1d79fa7-d7f6-4b8c-b94e-3b43b60229bb
Oct 15 20:29:30 fedora-pc setroubleshoot: SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files mail (etc_mail_t). For complete SELinux messages. run sealert -l 5ce8af75-5ef0-4c33-a371-2f5067356977
Oct 15 20:29:30 fedora-pc setroubleshoot: SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files mail (etc_mail_t). For complete SELinux messages. run sealert -l 5ce8af75-5ef0-4c33-a371-2f5067356977
Oct 15 20:29:30 fedora-pc setroubleshoot: SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files /etc/mail (etc_mail_t). For complete SELinux messages. run sealert -l c605f30f-9512-4d7b-b7f7-a39d5f62cd74
Oct 15 20:29:30 fedora-pc setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) "create" to <Unknown> (httpd_sys_script_t). For complete SELinux messages. run sealert -l eec295ce-257d-4ce7-ac56-c771da1c854c

What is /usr/sbin/sendmail.sendmail labeled as?

matchpathcon /usr/sbin/sendmail.sendmail

Seems like a transition is not happening here. Could you attach your audit.log?

[root@fedora-pc ~]# matchpathcon /usr/sbin/sendmail.sendmail
/usr/sbin/sendmail.sendmail system_u:object_r:sendmail_exec_t
[root@fedora-pc ~]# tail -f /var/log/audit/audit.log
type=USER_ACCT msg=audit(1192512734.706:2885): user pid=3666 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: accounting acct=janwillem : exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, addr=192.168.1.85, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1192512735.100:2886): user pid=3666 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred acct=janwillem : exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, addr=192.168.1.85, terminal=ssh res=success)'
type=LOGIN msg=audit(1192512735.139:2887): login pid=3666 uid=0 old auid=4294967295 new auid=500
type=USER_START msg=audit(1192512735.144:2888): user pid=3666 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: session open acct=janwillem : exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, addr=192.168.1.85, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1192512735.150:2889): user pid=3668 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred acct=janwillem : exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, addr=192.168.1.85, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1192512735.189:2890): user pid=3666 uid=0 auid=500 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" (hostname=chieftec-xp-64.huijbers.net, addr=192.168.1.85, terminal=/dev/pts/0 res=success)'
type=USER_AUTH msg=audit(1192512740.470:2891): user pid=3697 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1192512740.472:2892): user pid=3697 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1192512740.483:2893): user pid=3697 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1192512740.485:2894): user pid=3697 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_AUTH msg=audit(1192512858.798:2895): user pid=3739 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1192512858.808:2896): user pid=3739 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_AUTH msg=audit(1192512859.331:2897): user pid=3743 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1192512859.340:2898): user pid=3743 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_AUTH msg=audit(1192512859.637:2899): user pid=3750 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1192512859.645:2900): user pid=3750 uid=0 auid=4294967295 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=janwillem : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=127.0.0.1, addr=127.0.0.1, terminal=dovecot res=success)'
type=AVC msg=audit(1192512878.561:2901): avc: denied { read write } for pid=3757 comm="sendmail" name="[eventpoll]" dev=anon_inodefs ino=270 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1192512878.561:2901): arch=40000003 syscall=11 success=yes exit=0 a0=839dda0 a1=839e120 a2=839dea0 a3=40 items=0 ppid=2503 pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC_PATH msg=audit(1192512878.561:2901): path="anon_inode:[eventpoll]"
type=AVC msg=audit(1192512878.579:2902): avc: denied { search } for pid=3757 comm="sendmail" name="mail" dev=dm-0 ino=36930447 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.579:2902): arch=40000003 syscall=195 success=no exit=-13 a0=800f81c0 a1=bfdee3c0 a2=5ecff4 a3=3 items=0 ppid=2503 pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1192512878.582:2903): avc: denied { search } for pid=3757 comm="sendmail" name="mail" dev=dm-0 ino=36930447 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.582:2903): arch=40000003 syscall=195 success=no exit=-13 a0=bfde9988 a1=bfde9820 a2=5ecff4 a3=3 items=0 ppid=2503 pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1192512878.584:2904): avc: denied { getattr } for pid=3757 comm="sendmail" name="mail" dev=dm-0 ino=36930447 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.584:2904): arch=40000003 syscall=196 success=no exit=-13 a0=bfdd4878 a1=bfdc0760 a2=5ecff4 a3=3 items=0 ppid=2503 pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC_PATH msg=audit(1192512878.584:2904): path="/etc/mail"
type=AVC msg=audit(1192512878.587:2905): avc: denied { create } for pid=3757 comm="sendmail" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1192512878.587:2905): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfdea088 a2=5ecff4 a3=14 items=0 ppid=2503 pid=3757 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

ls -lZ /usr/sbin/sendmail.sendmail

[janwillem@fedora-pc ~]$ ls -lZ /usr/sbin/sendmail.sendmail
-rwxr-sr-x root smmsp system_u:object_r:httpd_sys_content_t /usr/sbin/sendmail.sendmail

# restorecon -F -v /usr/sbin/sendmail.sendmail

File should be labeled

/usr/sbin/sendmail.sendmail system_u:object_r:sendmail_exec_t

The file is labeled incorrectly. If a setroubleshoot plugin told you to label it this way, please report that as a bug on setroubleshoot.
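
Added example, not part of the original bug report: the pattern in the audit.log above (sendmail's denials logged under the web script domain httpd_sys_script_t) can be picked out by joining AVC and SYSCALL records on their event serial. The function names and the caller_domains parameter are assumptions of this example; the sample records are abridged from the log in this report.

```python
import re
from collections import defaultdict

# Sample records abridged from the audit.log quoted in this report.
SAMPLE = """\
type=AVC msg=audit(1192512878.579:2902): avc: denied { search } for pid=3757 comm="sendmail" name="mail" dev=dm-0 ino=36930447 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir
type=SYSCALL msg=audit(1192512878.579:2902): arch=40000003 syscall=195 success=no exit=-13 pid=3757 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1192512878.587:2905): avc: denied { create } for pid=3757 comm="sendmail" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1192512878.587:2905): arch=40000003 syscall=102 success=no exit=-13 pid=3757 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=USER_AUTH msg=audit(1192512858.798:2895): user pid=3739 uid=0 subj=system_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=janwillem'
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
AVC = re.compile(r"denied\s+\{([^}]+)\}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
EXE = re.compile(r'exe="([^"]+)" subj=(\S+)')

def sel_type(context):
    """Type field of an SELinux context (user:role:type[:level])."""
    return context.split(":")[2]

def parse_events(text):
    """Join AVC and SYSCALL records that share an audit event serial."""
    events = defaultdict(lambda: {"denials": [], "exe": None, "domain": None})
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rtype, serial = m.groups()
        if rtype == "AVC" and (a := AVC.search(line)):
            perms, scon, tcon, tclass = a.groups()
            events[serial]["denials"].append(
                (sel_type(scon), sel_type(tcon), tclass, tuple(perms.split())))
        elif rtype == "SYSCALL" and (e := EXE.search(line)):
            events[serial]["exe"] = e.group(1)
            events[serial]["domain"] = sel_type(e.group(2))
    # Keep only events that carry at least one denial.
    return {s: ev for s, ev in events.items() if ev["denials"]}

def no_transition_candidates(events, caller_domains):
    """Executables denied while still running in one of caller_domains.

    caller_domains is chosen by the reader (an assumption of this example).
    """
    counts = defaultdict(int)
    for ev in events.values():
        if ev["exe"] and ev["domain"] in caller_domains:
            counts[(ev["exe"], ev["domain"])] += len(ev["denials"])
    return sorted((exe, dom, n) for (exe, dom), n in counts.items())

if __name__ == "__main__":
    for exe, dom, n in no_transition_candidates(parse_events(SAMPLE), {"httpd_sys_script_t"}):
        print(f"{exe} ran in {dom} ({n} denials): compare matchpathcon with ls -lZ")
```

Each path reported is a candidate for the matchpathcon versus ls -lZ comparison made in the thread.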