Description of problem:
When rkhunter is run via its daily cron job it produces a selinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-93.fc8

How reproducible:
every day

Steps to Reproduce:
1. Install rkhunter using yum
2. Wait until daily rkhunter cron job runs

Actual results:
Summary:
SELinux is preventing sendmail (system_mail_t) "append" to /var/rkhunter/tmp/rkhcronlog.wSLuzk5001 (var_t).

Detailed Description:
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/rkhunter/tmp/rkhcronlog.wSLuzk5001,
restorecon -v '/var/rkhunter/tmp/rkhcronlog.wSLuzk5001'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context: system_u:system_r:system_mail_t:s0
Target Context: system_u:object_r:var_t:s0
Target Objects: /var/rkhunter/tmp/rkhcronlog.wSLuzk5001 [ file ]
Source: sendmail
Source Path: /usr/sbin/sendmail.sendmail
Port: <Unknown>
Host: griffon.cc.ku.edu
Source RPM Packages: sendmail-8.14.2-1.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-93.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: griffon.cc.ku.edu
Platform: Linux griffon.cc.ku.edu 2.6.24.3-34.fc8 #1 SMP Wed Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count: 1
First Seen: Wed 19 Mar 2008 10:56:18 AM CDT
Last Seen: Wed 19 Mar 2008 10:56:18 AM CDT
Local ID: 5ab0ec93-baf8-4f2a-bb30-1bc75ac0298d

Raw Audit Messages:
host=griffon.cc.ku.edu type=AVC msg=audit(1205942178.16:221): avc: denied { append } for pid=22609 comm="sendmail" path="/var/rkhunter/tmp/rkhcronlog.wSLuzk5001" dev=dm-0 ino=3143636 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
host=griffon.cc.ku.edu type=SYSCALL msg=audit(1205942178.16:221): arch=40000003 syscall=11 success=yes exit=0 a0=805848b a1=889560c a2=bfb56108 a3=889560c items=0 ppid=1 pid=22609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

Expected results:
No daily selinux denial.

Additional info:
Please put log files in a reasonable location like /var/log/rkhunter/ This is simple redirection of sendmail and will not prevent anything from working.
rkhunter uses /var/rkhunter/tmp/ for all its temp files... including this file, which is part of the email it's constructing for its nightly cron job. It already puts its log in /var/log/rkhunter.log. I can change both or either of those if need be, but can't selinux handle the current setup? Note that rkhunter docs say never to use /tmp as your temp dir as that will leak information about a running rkhunter process. Thoughts? Ideas? Questions? Expansion of the comments in Comment #1?
Well, SELinux can handle this path, but it is an unusual path and not standard. /var/run/rkhunter should be a place for tmp files and any files that you do not care if they survive a reboot. /var/log/rkhunter for log files. /var/lib/rkhunter for files that rkhunter needs to write to and keep (not temporary). This is the way almost every service application is coded. Then we can talk about writing SELinux policy for rkhunter.
All very solid suggestions. I have made a first attempt at moving things around in the just tagged and built version: rkhunter-1.3.2-2.fc9 Dan: Can you check this version and see if there is any further improvement/changes I can make to make this app more selinux friendly? Thanks.
Hey Dan. Have you had a chance to look over the current package? Anything I can do to modify the package to get it selinux friendly? Let me know...
Well, system_mail_t is allowed to append to log files, so this problem should be fixed. I just installed the Fedora 9 package on my machine, and will watch for avc's. We looked into confining this application but it is way too intrusive to be confinable. :^)
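As an added example (not code from the bug report or from rkhunter), the following POSIX shell script parses the AVC record quoted in the raw audit messages above and classifies the target label against the /var layout Dan suggests (/var/run, /var/log, /var/lib) and the later note that system_mail_t may append to log files. The sample record is copied from the report and embedded as a constructed constant; the function names are my own, and the parser assumes the path value contains no spaces.

```shell
# Added example, not from the bug report: triage an AVC denial record offline.
# Assumes only POSIX sh, sed, awk, tr and cut.

# Constructed sample: the AVC record quoted in the report's raw audit messages.
SAMPLE_AVC='type=AVC msg=audit(1205942178.16:221): avc: denied { append } for pid=22609 comm="sendmail" path="/var/rkhunter/tmp/rkhcronlog.wSLuzk5001" dev=dm-0 ino=3143636 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_field RECORD KEY: value of the key=value pair, surrounding quotes removed.
# (Splits on spaces, so it assumes the path value itself contains none.)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v); print v }'
}

# avc_perm RECORD: the permission(s) listed between "denied {" and "}".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# location_advice TYPE PATH: what the target label says about where the file
# lives, following the /var layout suggested in the discussion above.
location_advice() {
    case "$1" in
        var_log_t) echo "log file under /var/log (a label mail code may append to)" ;;
        var_run_t) echo "runtime or temp file under /var/run" ;;
        var_lib_t) echo "persistent state under /var/lib" ;;
        var_t)     echo "generic var_t: $2 sits outside /var/{log,run,lib}, so no specific file context matched; relocate it or add a file-context rule" ;;
        *)         echo "type $1 not covered here" ;;
    esac
}

# audit_avc RECORD: print a one-line summary; exit status 1 when the target
# carries the generic var_t label, as in this report.
audit_avc() {
    perm=$(avc_perm "$1")
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    path=$(avc_field "$1" path)
    printf '%s (%s) denied %s on %s [%s]: %s\n' "$(avc_field "$1" comm)" \
        "$src" "$perm" "$path" "$tgt" "$(location_advice "$tgt" "$path")"
    [ "$tgt" != var_t ]
}

# Demo run on the constructed sample; the nonzero status flags the var_t label.
audit_avc "$SAMPLE_AVC" || echo "=> file is in a non-standard location for its role"
```

Feeding it the same record with the target relabelled var_log_t (what moving the file under /var/log would produce) makes audit_avc return success, which is the change the later comments rely on.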
rkhunter-1.3.2-3.fc8 has been submitted as an update for Fedora 8
rkhunter-1.3.2-3.fc7 has been submitted as an update for Fedora 7
rkhunter-1.3.2-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.3.2-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.