Bug 357871 - SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read write" to /tmp/xxxxxxxx (deleted) (apcupsd_t).
Summary: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read write...
Keywords:
Status: CLOSED DUPLICATE of bug 247162
Alias: None
Product: Fedora
Classification: Fedora
Component: apcupsd
Version: 7
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-10-30 09:30 UTC by Ignacio Vazquez-Abrams
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-30 13:55:54 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Ignacio Vazquez-Abrams 2007-10-30 09:30:13 UTC 
I'm not certain that the SELinux policy is necessarily the best/only place for a
fix for this, but I had to start somewhere.

Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read
    write" to /tmp/xxxxxxxx (deleted) (apcupsd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:system_mail_t
Target Context                user_u:system_r:apcupsd_t
Target Objects                /tmp/xxxxxxxx (deleted) [ tcp_socket ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-45.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     ignacio.ignacio.lan
Platform                      Linux ignacio.ignacio.lan 2.6.22.9-91.fc7 #1 SMP
                              Thu Sep 27 23:10:59 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Tue 16 Oct 2007 05:43:12 AM EDT
Last Seen                     Tue 16 Oct 2007 05:43:12 AM EDT
Local ID                      31bee1df-446a-4d86-8d2e-c69045b3b438
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="sendmail" dev=sockfs egid=51 euid=0
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name=""
path=2F746D702F52734E72614D6861202864656C6574656429 pid=3419
scontext=user_u:system_r:system_mail_t:s0 sgid=51
subj=user_u:system_r:system_mail_t:s0 suid=0 tclass=tcp_socket
tcontext=user_u:system_r:apcupsd_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-10-30 10:32:23 UTC 
This looks like a leaked file descriptory in apcupsd.  All open file descriptors
in apcuspd need to be closed on exec before execing sendmail

fctnl(fd, F_SETFD, FD_CLOEXEC)
Comment 2 Orion Poplawski 2007-10-30 13:55:54 UTC 
It's not.  It is apcupsd writing a message to /tmp and calling sendmail to send it.

*** This bug has been marked as a duplicate of 247162 ***
Note You need to log in before you can comment on or make changes to this bug.