Description of problem:
SELinux prevents sendmail from creating tmp files.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-14.fc7

How reproducible:
Just let the system try to send e-mails locally

Additional info:

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /var/tmp/tmp2CPspUEPYLOG/tmpFfkXMqFILT (var_log_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/tmp/tmp2CPspUEPYLOG/tmpFfkXMqFILT,

    restorecon -v /var/tmp/tmp2CPspUEPYLOG/tmpFfkXMqFILT

    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context          system_u:system_r:system_mail_t
Target Context          system_u:object_r:var_log_t
Target Objects          /var/tmp/tmp2CPspUEPYLOG/tmpFfkXMqFILT [ file ]
Affected RPM Packages   sendmail-8.14.1-2 [application]
Policy RPM              selinux-policy-2.6.4-14.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               xp2000.leafamily.org
Platform                Linux xp2000.leafamily.org 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count             1
First Seen              jeu 21 jun 2007 12:07:11 CEST
Last Seen               jeu 21 jun 2007 12:07:11 CEST
Local ID                4ecf78f5-11aa-409d-9500-c69dc1e2dad2
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="sendmail" dev=sda7 egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name="secure" path="/var/tmp/tmp2CPspUEPYLOG/tmpFfkXMqFILT" pid=4416 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=file tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

This is strange. You have a file labeled var_log_t under /tmp and sendmail is trying to read it? Is there some tool moving files from /var/log to tmp and then executing sendmail?

Maybe, I have installed epylog? PS: I have removed sendmail and re-installed it, and sendmail will no longer send local mail. I have tried to fix that, but without any success at this time.

Could you check the labeling on your system?

touch /.autorelabel
reboot

will set up default labeling. From the looks of the bug above, some kind of labeling is wrong.

I had tried this too, but the problem always reappeared because of the fact that the temp file was created and removed by sendmail. I have not found why sendmail would no longer do the job, and life is too short to try to understand the obscure sendmail doc ;-), so I have switched to exim and everything works again as expected. Thanks for your investigation.
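
The check the comments in this thread make by eye on the raw audit message, as an added example that is not part of the original bug report: it parses an AVC record and flags a target whose type does not fit the directory it sits in. The function names and the `tmp_t` suffix heuristic are assumptions made for the example; the authoritative path-to-type mapping is the policy's file_contexts.

```python
import posixpath
import re

# Constructed from the raw audit message quoted in the report, shortened to
# the fields this example uses.
SAMPLE_AVC = ('avc: denied { read } for comm="sendmail" dev=sda7 '
              'exe="/usr/sbin/sendmail.sendmail" name="secure" '
              'path="/var/tmp/tmp2CPspUEPYLOG/tmpFfkXMqFILT" pid=4416 '
              'scontext=system_u:system_r:system_mail_t:s0 tclass=file '
              'tcontext=system_u:object_r:var_log_t:s0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
TEMP_DIRS = ("/tmp/", "/var/tmp/")


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is always the third field.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        if len(parts) >= 3:
            rec[side[0] + "type"] = parts[2]
    return rec


def triage(rec):
    """List the labeling oddities worth checking before writing any policy."""
    findings = []
    path, ttype = rec.get("path", ""), rec.get("ttype", "")
    # Assumption: files created under a temp dir normally carry a *tmp_t type.
    if path.startswith(TEMP_DIRS) and not ttype.endswith("tmp_t"):
        findings.append("target under a temp dir carries type %s" % ttype)
    name = rec.get("name")
    if name and path and posixpath.basename(path) != name:
        findings.append("name=%s does not match the basename of path=%s"
                        % (name, path))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_avc(SAMPLE_AVC)):
        print(finding)
```
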