Bug 617472
| Field | Value |
|---|---|
| Summary | logwatch cannot execute sendmail |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Mark Wielaard <mjw> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | low |
| Version | 6.0 |
| CC | dwalsh, jturner, mgrepl, mmalik, syeghiay |
| Target Milestone | rc |
| Keywords | RHELNAK |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-35.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2010-08-13 10:25:46 UTC |
Description
Mark Wielaard
2010-07-23 07:26:47 UTC
This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release. ** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

We are missing role statement

```
role system_r types logwatch_mail_t;
```

Mark, you can allow it using

```
# cat > mylogwatch.te << _EOF
policy_module(mylogwatch,1.0)
require{
	type logwatch_mail_t;
	role system_r;
}
role system_r types logwatch_mail_t;
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mylogwatch.pp
```

Miroslav you need these lines in logwatch.te

```
mta_base_mail_template(logwatch)
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
role system_r types logwatch_mail_t;
logging_read_all_logs(logwatch_mail_t)
manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
```

This is definitely a blocker.

Miroslav, also make sure this change is in mta.if

```
interface(`mta_sendmail_domtrans',`
	gen_require(`
		attribute mta_exec_type;
	')

	files_search_usr($1)
	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
	corecmd_read_bin_symlinks($1)
	domtrans_pattern($1, mta_exec_type, $2)
')
```

Fixed in selinux-policy-3.7.19-34.el6.noarch

Even after installing selinux-policy-3.7.19-34.el6 and forcing a relabel, I'm getting the following during the anacron logwatch runs:

```
sendmail: fatal: chdir /var/spool/postfix: Permission denied
```

This is made all the more interesting by the fact I cannot seem to reproduce this by calling anacron (or even run-parts) directly. The permission problem appears to only occur during the scheduled anacron runs. Flipping back to Assigned.

Jay what AVCs are you seeing?

Oddly enough, nothing! There's nothing in syslog, nothing in the audit.log, nothing anywhere to explain why this is failing. Made all the more odd by the fact I'm able to run this script manually without fail. I cannot put my finger on what is happening in the anacron run that leads to the permission denial.

Miroslav should have a fix for this soon.

Any progress here? I'm still hitting this issue and it appears people are hitting this with F13 as well (https://bugzilla.redhat.com/show_bug.cgi?id=617790)

Fixed in selinux-policy-3.7.19-35.el6.noarch.

logwatch appears to be performing well with -35.el6. Moving to verified and will continue to watch the system for proper behavior.
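As an added example that is not part of the bug report: a POSIX shell script that automates the local-module workaround given in the thread (write the .te, build it with the policy devel Makefile, load it with semodule) and then checks that system_r actually lists logwatch_mail_t. The verification step (semodule -l and setools seinfo), the WORKDIR path and the "install" argument are assumptions of this script, not from the thread.

```shell
#!/bin/sh
# Added example, not from the bug report. Builds and loads the mylogwatch
# module shown in the thread and verifies the role statement took effect.
# Assumes the RHEL 6 devel Makefile path quoted in the thread and setools.
set -e

MODULE_NAME=mylogwatch
WORKDIR=${WORKDIR:-/tmp/${MODULE_NAME}}   # assumed scratch directory

# Write the .te source exactly as the thread shows it. $1 = output path.
write_logwatch_te() {
    cat > "$1" <<'EOF'
policy_module(mylogwatch,1.0)
require {
    type logwatch_mail_t;
    role system_r;
}
role system_r types logwatch_mail_t;
EOF
}

# Compile with the policy devel Makefile and load the resulting .pp.
build_and_install() {
    mkdir -p "$WORKDIR"
    write_logwatch_te "$WORKDIR/$MODULE_NAME.te"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; cannot build $MODULE_NAME" >&2
        return 1
    fi
    ( cd "$WORKDIR" && make -f /usr/share/selinux/devel/Makefile "$MODULE_NAME.pp" )
    semodule -i "$WORKDIR/$MODULE_NAME.pp"
}

# Verify: the module is loaded and system_r now includes logwatch_mail_t.
verify_role() {
    semodule -l | grep -q "^$MODULE_NAME" || return 1
    seinfo -r system_r -x | grep -q 'logwatch_mail_t'
}

# Note for the "Permission denied but no AVC" case in the thread: a denial
# with no audit record is usually covered by a dontaudit rule; `semodule -DB`
# rebuilds the policy with dontaudit disabled, `semodule -B` restores it.

if [ "${1:-}" = "install" ]; then
    build_and_install && verify_role \
        && echo "logwatch_mail_t is now in role system_r"
fi
```

Run as root with `install` as the argument; without it the script only defines the functions.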