| Summary: | SELinux is preventing /usr/sbin/ssmtp from 'create' accesses on the file dead.letter. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomáš Trnka <tomastrnka> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:0380db537599db54d55184c6f3b970bf6f017b3fdd4dc4beacdd45224ec08984 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-10 09:33:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Miroslav we have allow system_mail_t mail_home_t:file manage_file_perms; in F15 I see this also in F14. Tomas, could you try to reinstall policy # yum reinstall selinux-policy-targeted and make sure nothing blows up on reinstall. Sorry, my bad. Policy installation was failing on account of the pyzor module requiring some types from the spamassassin module that I'd disabled. Everything works now. The selinux-policy-targeted package really should throw some kind of "the sky is falling" error when it the policy fails to build (apparently, it just prints a warning that never makes it through all the packagekit stuff). (Also, the whole semodule system could use some kind of module dependency checking - if one module is disabled, automatically disable anything that depends on them instead of erroring out). We have some progress in F15 where we really have modular policy and only some modules are dependent. I guess either me or Dan will blog about that. |
SELinux is preventing /usr/sbin/ssmtp from 'create' accesses on the file dead.letter. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that ssmtp should be allowed create access on the dead.letter file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sendmail /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023 Target Context system_u:object_r:mail_home_t:s0 Target Objects dead.letter [ file ] Source sendmail Source Path /usr/sbin/ssmtp Port <Neznámé> Host (removed) Source RPM Packages ssmtp-2.61-15.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-40.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.13-91.fc14.x86_64 #1 SMP Tue May 3 13:23:06 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Ne 8. květen 2011, 18:01:41 CEST Last Seen Ne 8. květen 2011, 18:01:41 CEST Local ID 1a473458-dad0-41e8-8b18-8d8177f2d2a4 Raw Audit Messages type=AVC msg=audit(1304870501.324:23): avc: denied { create } for pid=2512 comm="sendmail" name="dead.letter" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_home_t:s0 tclass=file type=SYSCALL msg=audit(1304870501.324:23): arch=x86_64 syscall=open success=no exit=EACCES a0=231f2f0 a1=441 a2=1b6 a3=0 items=0 ppid=2486 pid=2512 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=sendmail exe=/usr/sbin/ssmtp subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) Hash: sendmail,system_mail_t,mail_home_t,file,create audit2allow #============= system_mail_t ============== allow system_mail_t mail_home_t:file create; audit2allow -R #============= system_mail_t ============== allow system_mail_t mail_home_t:file create;