Description of problem:
In the default Fedora setup smartd will send a warning mail to root if it detects a disk problem (such as Current_Pending_Sector > 0). Unfortunately, this does not work with SELinux set to enforcing and using exim (did not test with other MTAs).

Version-Release number of selected component (if applicable):
exim-4.66-3.fc7
selinux-policy-2.6.4-40.fc7
smartmontools-5.37-3.1.fc7

How reproducible:
Always

Steps to Reproduce:
1. Set SELinux to enforcing.
2. Edit /etc/smartd.conf: remove *SMARTD*AUTOGENERATED* to prevent the config file from being overwritten at the next startup. Configure smartd so that it sends a test message at every startup by adding "-M test", e.g.
   /dev/sdb -d ata -H -m root -M test
   Restart smartd.
3. Look at the SELinux error log.

Actual results:
In /var/log/messages something like this will appear:

Sep 8 13:59:09 ws2 smartd[17638]: Test of mail to root produced unexpected output (438 bytes) to STDOUT/STDERR:
2007-09-08 13:59:09 1ITyxx-0004aX-79 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=93 egid=93
2007-09-08 13:59:09 1ITyxx-0004aX-79 Failed to create spool file /var/spool/exim/input//1ITyxx-0004aX-79-D: Permission denied
2007-09-08 13:59:09 1ITyxx-0004aX-79 Cannot open main log file "/var/log/exim/main.log": Permission denied: euid=93 egid=93

I add the exact SELinux error messages etc. as attachments.

Expected results:
The warning message should be sent.
Created attachment 190701 [details] first selinux denial (complete output of sealert)
Created attachment 190711 [details] extracted selinux denials
Created attachment 190721 [details] generated policy addition with audit2allow
Added rudimentary exim policy selinux-policy-2.6.4-43.fc7.src.rpm
A recent upgrade to selinux-policy-2.6.4-43.fc7 (or possibly -targeted-) seems to cause exim to be denied in many cases, e.g.

type=AVC msg=audit(1191268740.384:7357): avc: denied { entrypoint } for pid=9568 comm="crond" name="exim" dev=md2 ino=259656 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file

I'm a complete novice with SELinux, but I'll attach the .te file I knocked together to circumvent this.
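The comments in this bug go from a raw AVC record in audit.log to a hand-written .te file via audit2allow. The following is an added example (not code from this bug or from the selinux-policy package) that does the first half of that job in a reviewable way: it parses AVC denial records, groups the denied permissions by source type, target type and object class, drafts the corresponding allow rules the way audit2allow would, and separately flags "entrypoint" denials, which indicate a missing domain transition for the exim binary rather than a missing file permission. The sample log is constructed: the first record is the one quoted above, the other two are hypothetical denials against the assumed types exim_log_t and exim_spool_t, added only to show the grouping. The drafted rules are a review aid; a policy maintainer would look at each one before loading anything.

```python
import re
from collections import defaultdict

# Constructed sample audit log. The first AVC record is the one quoted in the
# bug comment; the second and third are hypothetical, using the assumed types
# exim_log_t and exim_spool_t, so that grouping has something to show.
# The SYSCALL record is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1191268740.384:7357): avc:  denied  { entrypoint } for  pid=9568 comm="crond" name="exim" dev=md2 ino=259656 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_exec_t:s0 tclass=file
type=AVC msg=audit(1191268740.390:7358): avc:  denied  { append } for  pid=9568 comm="exim" name="main.log" dev=md2 ino=100001 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_log_t:s0 tclass=file
type=AVC msg=audit(1191268740.391:7359): avc:  denied  { create write } for  pid=9568 comm="exim" name="1ITyxx-0004aX-79-D" dev=md2 ino=100002 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:exim_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1191268740.391:7359): arch=c000003e syscall=2 success=no exit=-13
"""

# An AVC denial: timestamp:serial, the braced permission list, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*'
    r'\{\s*(?P<perms>[^}]*)\}\s*for\s*(?P<rest>.*)'
)
# key=value pairs; values may be double-quoted (comm="crond") or bare (tclass=file).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key] |= rec['perms']
    return dict(groups)


def draft_rules(groups):
    """Render each group as an allow rule in .te syntax, one per line, sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(groups.items())
    ]


def needs_domain_transition(groups):
    """(source, target) pairs with an 'entrypoint' denial on a file.

    These are not fixed by a plain file permission: the source domain has no
    entry point for that executable type, i.e. the transition itself is missing.
    """
    return sorted(
        (src, tgt) for (src, tgt, cls), perms in groups.items()
        if cls == 'file' and 'entrypoint' in perms
    )


if __name__ == '__main__':
    groups = summarize(SAMPLE_AUDIT_LOG)
    print('Drafted rules (review each before loading):')
    for rule in draft_rules(groups):
        print('  ' + rule)
    for src, tgt in needs_domain_transition(groups):
        print(f'Note: {src} lacks an entrypoint for {tgt}; check the domain transition, not just file access.')
```

Run it against a real audit.log by replacing SAMPLE_AUDIT_LOG with the file contents (or `grep exim /var/log/audit/audit.log`, as done later in this bug). The grouping is the same one audit2allow performs; the extra value is the entrypoint check, which separates "exim could not open its log" style denials from the one that says crond's domain was never allowed to run exim at all.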
Created attachment 213581 [details] Bodged extra allowals for exim over selinux-policy-2.6.4-43.fc7

I suspect the beginning of this .te file is bogus; I freely admit that I didn't know what I was doing. I did seem to need all the allows though. [before I updated to 2.6.4-43 I had no problems running exim]
Could you attach the audit.log used to generate these rules? Thanks.
Created attachment 222791 [details] result of grepping for exim through an audit log

I think this attachment covers them. I've been away and logrotate has run...
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.