| Summary: | SELinux is preventing /usr/sbin/sendmail.postfix from using the execstack access on a process | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Trevor Meyer <meyer> |
| Component: | sendmail | Assignee: | Jaroslav Škarvada <jskarvad> |
| Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-daemons |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1 | CC: | dwalsh |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-01-24 15:41:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
This is a bad access. Most likely you have a bad library or accidently marked with the execstack flag. *** This bug has been marked as a duplicate of bug 652297 *** I tried, but I was not able to reproduce (I tried both RHEL-6.1 and latest nightly). So you can not get this to happen again? Maybe we can just close this as a hickup and reopen if it happens again. |
Description of problem: SELinux is preventing /usr/sbin/sendmail.postfix from using the execstack access on a process. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that sendmail.postfix should be allowed execstack access on processes labeled sendmail_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sendmail /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:sendmail_t:s0-s0:c0.c1023 Target Context system_u:system_r:sendmail_t:s0-s0:c0.c1023 Target Objects Unknown [ process ] Source sendmail Source Path /usr/sbin/sendmail.postfix Port <Unknown> Host e.hblm.info Source RPM Packages postfix-2.6.6-2.2.el6_1 Target RPM Packages Policy RPM selinux-policy-3.7.19-126.el6_2.4 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name e.hblm.info Platform Linux e.hblm.info 2.6.32-220.2.1.el6.x86_64 #1 SMP Fri Dec 23 02:21:33 CST 2011 x86_64 x86_64 Alert Count 1 First Seen Mon Jan 23 18:10:15 2012 Last Seen Mon Jan 23 18:10:15 2012 Local ID bf912dce-0ef1-4537-8a7f-33eeb46f33aa Raw Audit Messages type=AVC msg=audit(1327360215.998:43735): avc: denied { execstack } for pid=12021 comm="sendmail" scontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tclass=process type=AVC msg=audit(1327360215.998:43735): avc: denied { execmem } for pid=12021 comm="sendmail" scontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1327360215.998:43735): arch=x86_64 syscall=mprotect success=yes exit=0 a0=7fffacc0a000 a1=1000 a2=1000007 a3=7fbe77561000 items=0 ppid=1 pid=12021 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.postfix subj=system_u:system_r:sendmail_t:s0-s0:c0.c1023 key=(null) Hash: sendmail,sendmail_t,sendmail_t,process,execstack audit2allow #============= sendmail_t ============== allow sendmail_t self:process { execstack execmem }; audit2allow -R #============= sendmail_t ============== allow sendmail_t self:process { execstack execmem }; Version-Release number of selected component (if applicable): libselinux.x86_64 2.0.94-5.2.el6 @base libselinux-python.x86_64 2.0.94-5.2.el6 @base libselinux-utils.x86_64 2.0.94-5.2.el6 @base selinux-policy.noarch 3.7.19-126.el6_2.4 @updates selinux-policy-targeted.noarch 3.7.19-126.el6_2.4 @updates How reproducible: Steps to Reproduce: 1. yum update 2. shutdown -r now 3. Actual results: Expected results: Before the package update, SELinux had not conflicts with Postfix. Additional info: