Description of problem: I got the following avc denied messages during the last sendmail upgrade, but I've also got MIMEDefang running; maybe one or another message is caused by this combination?!

type=AVC msg=audit(1139661606.854:756741): avc: denied { dac_override } for pid=23207 comm="newaliases" capability=1 scontext=user_u:system_r:system_mail_t:s0-s0:c0.c255 tcontext=user_u:system_r:system_mail_t:s0-s0:c0.c255 tclass=capability
type=AVC msg=audit(1139661606.854:756741): avc: denied { getattr } for pid=23207 comm="newaliases" name="mimedefang.sock" dev=cciss/c0d0p2 ino=2801677 scontext=user_u:system_r:system_mail_t:s0-s0:c0.c255 tcontext=user_u:object_r:var_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1139661606.854:756741): arch=40000003 syscall=196 success=yes exit=0 a0=bf8e0728 a1=bf8e05c0 a2=f67ff4 a3=3 items=1 pid=23207 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 comm="newaliases" exe="/usr/sbin/sendmail.sendmail"
type=AVC_PATH msg=audit(1139661606.854:756741): path="/var/spool/MIMEDefang/mimedefang.sock"
type=CWD msg=audit(1139661606.854:756741): cwd="/"
type=PATH msg=audit(1139661606.854:756741): item=0 name="/var/spool/MIMEDefang/mimedefang.sock" flags=0 inode=2801677 dev=68:02 mode=0140750 ouid=103 ogid=103 rdev=00:00
type=AVC msg=audit(1139661609.634:756742): avc: denied { read } for pid=23239 comm="hostname" name="submit.mc" dev=cciss/c0d0p2 ino=721256 scontext=user_u:system_r:hostname_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1139661609.634:756742): avc: denied { read } for pid=23239 comm="hostname" name="cf.m4" dev=cciss/c0d0p2 ino=2736232 scontext=user_u:system_r:hostname_t:s0-s0:c0.c255 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1139661609.634:756742): arch=40000003 syscall=11 success=yes exit=0 a0=9128d38 a1=9127f88 a2=9128b40 a3=9128208 items=2 pid=23239 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hostname" exe="/bin/hostname"
type=AVC_PATH msg=audit(1139661609.634:756742): path="/usr/share/sendmail-cf/m4/cf.m4"
type=AVC_PATH msg=audit(1139661609.634:756742): path="/etc/mail/submit.mc"
type=CWD msg=audit(1139661609.634:756742): cwd="/etc/mail"
type=PATH msg=audit(1139661609.634:756742): item=0 name="/bin/hostname" flags=101 inode=1261747 dev=68:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1139661609.634:756742): item=1 flags=101 inode=2965544 dev=68:02 mode=0100755 ouid=0 ogid=0 rdev=00:00

Version-Release number of selected component (if applicable): selinux-policy-targeted-2.2.11-1

Expected results: No avc messages ;-)
Sendmail is leaking file descriptors to /etc/mail/submit.mc and mimedefang.sock. You need to make sure file descriptors are closed on exec.
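To make the diagnosis above mechanical, here is an added Python example (not part of the bug report, sendmail or MIMEDefang) that groups the report's audit records by event serial and flags denials logged against a successful execve as descriptors inherited across exec, as opposed to direct accesses such as the newaliases lstat64. The log constant is constructed from the report's own records with unused fields dropped; the i386 syscall numbers (execve=11) are an assumption about the reporter's arch=40000003.

```python
import re
from collections import defaultdict

# Constructed from the records quoted in the report: reflowed one record per line,
# fields not needed for the classification dropped.
AUDIT_LOG = """\
type=AVC msg=audit(1139661606.854:756741): avc: denied { getattr } for pid=23207 comm="newaliases" name="mimedefang.sock" scontext=user_u:system_r:system_mail_t:s0-s0:c0.c255 tcontext=user_u:object_r:var_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1139661606.854:756741): arch=40000003 syscall=196 success=yes exit=0 pid=23207 comm="newaliases" exe="/usr/sbin/sendmail.sendmail"
type=AVC_PATH msg=audit(1139661606.854:756741): path="/var/spool/MIMEDefang/mimedefang.sock"
type=AVC msg=audit(1139661609.634:756742): avc: denied { read } for pid=23239 comm="hostname" name="submit.mc" scontext=user_u:system_r:hostname_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
type=AVC msg=audit(1139661609.634:756742): avc: denied { read } for pid=23239 comm="hostname" name="cf.m4" scontext=user_u:system_r:hostname_t:s0-s0:c0.c255 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1139661609.634:756742): arch=40000003 syscall=11 success=yes exit=0 pid=23239 comm="hostname" exe="/bin/hostname"
type=AVC_PATH msg=audit(1139661609.634:756742): path="/usr/share/sendmail-cf/m4/cf.m4"
type=AVC_PATH msg=audit(1139661609.634:756742): path="/etc/mail/submit.mc"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")  # event serial shared by all records of one event
EXECVE = {"40000003": "11"}  # arch -> execve syscall number; assumed i386, the only arch in the report

def parse(log):
    """Group records by serial: {"avc": [field dicts], "syscall": field dict, "paths": [...]}."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}, "paths": []})
    for line in log.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[SERIAL.search(line).group(1)]
        if fields["type"] == "AVC":
            fields["perms"] = re.search(r"denied \{ (.*?) \}", line).group(1).split()
            ev["avc"].append(fields)
        elif fields["type"] == "SYSCALL":
            ev["syscall"] = fields
        elif fields["type"] == "AVC_PATH":
            ev["paths"].append(fields["path"])
    return dict(events)

def classify(ev):
    """Return ('exec-leak' | 'direct', denied source domain, [paths]) for one event."""
    sc = ev["syscall"]
    domain = ev["avc"][0]["scontext"].split(":")[2]
    # A denial logged against a *successful* execve means the kernel revalidated the
    # descriptors the new image inherited and found the new domain may not use them:
    # the parent left them open across exec instead of setting close-on-exec.
    if sc.get("success") == "yes" and EXECVE.get(sc.get("arch")) == sc.get("syscall"):
        return ("exec-leak", domain, ev["paths"])
    return ("direct", domain, ev["paths"])

def report(log):
    return {serial: classify(ev) for serial, ev in parse(log).items()}

if __name__ == "__main__":
    for serial, (kind, domain, paths) in sorted(report(AUDIT_LOG).items()):
        print(f"{serial}: {kind:9} in {domain}: {', '.join(paths)}")
```

On the report's records, event 756742 comes out as an exec-leak into hostname_t (the descriptors on cf.m4 and submit.mc belong to the m4/sendmail parent), while 756741 is a direct getattr by system_mail_t on the MIMEDefang socket.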
Should /var/spool/MIMEDefang/ be labeled mail_spool_t?
MIMEDefang is not part of sendmail. Are you sure that this is a problem of sendmail and not mimedefang?
I'm not sure, as I already wrote. But audit 1139661609.634 looks to be sendmail related, because nothing in my /etc/mail/submit.mc is directly pointing to MIMEDefang. Or am I wrong? Nevertheless, maybe there should be an upstream selinux-policy for MIMEDefang? ;)
Is this fixed with the current devel tree? Thanks, Florian La Roche