Description of problem: mimedefang 2.64, sendmail 8.14.2. SELinux is preventing sendmail (sendmail_t) "write" to mimedefang.sock (var_spool_t).

Detailed Description: SELinux is preventing sendmail (sendmail_t) "write" to mimedefang.sock (var_spool_t). The SELinux type var_spool_t is a generic type for all files in the directory, and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usually indicates a mislabeled file. By default a file created in a directory gets the context of the parent directory, but SELinux policy has rules about the creation of directories that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1), the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (mimedefang.sock) was created with the wrong context, this domain will be denied. The usual solution to this problem is to reset the file context on the target file: restorecon -v 'mimedefang.sock'. If the file context does not change from var_spool_t, then this is probably a bug in policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If it does change, you can try your application again to see if it works. The file context could have been mislabeled by editing the file or moving the file from a different directory; if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file.

Additional Information:
Source Context: system_u:system_r:sendmail_t:s0
Target Context: system_u:object_r:var_spool_t:s0
Target Objects: mimedefang.sock [ sock_file ]
Source: sendmail
Source Path: /usr/sbin/sendmail.sendmail
Port: <Unknown>
Host: fedora1.kantors.net
Source RPM Packages: sendmail-8.14.2-1.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-95.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: mislabeled_file
Host Name: fedora1.kantors.net
Platform: Linux fedora1.kantors.net 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
Alert Count: 2
First Seen: Sat 12 Apr 2008 01:16:45 PM EDT
Last Seen: Sat 12 Apr 2008 01:20:20 PM EDT
Local ID: 858e460f-6088-44fd-b120-9b13381c603e
Line Numbers:

Raw Audit Messages:
host=fedora1.kantors.net type=AVC msg=audit(1208020820.312:798): avc: denied { write } for pid=24992 comm="sendmail" name="mimedefang.sock" dev=dm-0 ino=4751385 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
host=fedora1.kantors.net type=SYSCALL msg=audit(1208020820.312:798): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfcedb40 a2=b7f3a31c a3=0 items=0 ppid=24917 pid=24992 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
Reassigning to selinux-policy, as it has to be fixed there. Daniel, are you able to take care of it? It is a mimedefang-specific thing which is not yet handled in the policy.
*** Bug 442207 has been marked as a duplicate of this bug. ***
Hello Bruce, I'll need your assistance. Download these packages and test mimedefang in permissive mode, and then send me your AVCs please. http://people.redhat.com/jkubin/selinux/F8/

1) rpm -U selinux-policy*
2) # setenforce 1; setenforce 0
3) # > /var/log/audit/audit.log
4) ... play with mimedefang & sendmail ...
5) attach your audit.log

Thank you!
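The mislabel reasoning in the report (generic var_spool_t target, restorecon as the deciding test) and the "send me your AVCs" step above, as an added shell example that is not from the bug thread or from selinux-policy: it parses the report's own AVC record, flags the generic-target-type pattern, prints the dry-run relabel check, and summarises an audit.log. The spool directory and the list of generic types are assumptions.

```sh
#!/bin/sh
# Added example, not from the bug thread. Triage helpers for an AVC denial of
# the kind in the report: pull fields out of the audit line, flag the "generic
# target type" pattern that setroubleshoot calls a mislabeled file, and
# summarise an audit.log before attaching it.

# Constructed from the AVC record quoted in the report.
AVC='type=AVC msg=audit(1208020820.312:798): avc: denied { write } for pid=24992 comm="sendmail" name="mimedefang.sock" dev=dm-0 ino=4751385 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file'

# avc_field LINE KEY: print the value of KEY=..., unquoting "..." values.
avc_field() {
    case "$1" in *" $2="*) ;; *) return 1 ;; esac
    rest="${1#* $2=}"
    case "$rest" in
        \"*) rest="${rest#\"}"; printf '%s\n' "${rest%%\"*}" ;;
        *)   printf '%s\n' "${rest%% *}" ;;
    esac
}

# Type component (third field) of a security context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# True when the target carries a generic directory type instead of one the
# source domain owns: the mislabel pattern the report describes. The list is
# an assumption: var_spool_t from the report plus other common generic types.
is_mislabel_candidate() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        var_spool_t|var_t|var_lib_t|var_run_t|tmp_t) return 0 ;;
        *) return 1 ;;
    esac
}

# The checks the report's advice boils down to; DIR is the object's directory
# (assumed, the page does not give the spool path). restorecon -n is a dry
# run: if it reports a change, relabel; if it does not, the policy lacks a rule.
triage_commands() {
    f="$2/$(avc_field "$1" name)"
    printf 'ls -Z %s\nmatchpathcon %s\nrestorecon -nv %s\n' "$f" "$f" "$f"
}

# One counted line per distinct (source type -> target type class {perms}):
# the view of audit.log that shows what the policy still has to allow.
summarize_avcs() {
    grep 'type=AVC ' "$1" | while IFS= read -r line; do
        printf '%s -> %s %s {%s}\n' \
            "$(ctx_type "$(avc_field "$line" scontext)")" \
            "$(ctx_type "$(avc_field "$line" tcontext)")" \
            "$(avc_field "$line" tclass)" \
            "$(printf '%s' "$line" | sed 's/.*{ \(.*\) } for.*/\1/')"
    done | sort | uniq -c
}
```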
Josef, did you write a mimedefang selinux policy?
Yes, I'm working on it. I need to test my policy ;-).
I'm also interested in testing it, but I've (mimedefang downstream) got Rawhide and would need either the src.rpm or a unified diff of the relevant policy.
I've just put it on my location http://people.redhat.com/jkubin/selinux/F8/ download it please. Thank you!
I just tried to install the packages and received the following errors:

rpm -U /tmp/selinux/selinux-policy*
error: Failed dependencies:
        policycoreutils-newrole >= 2.0.23-1 is needed by selinux-policy-mls-3.0.8-103.fc8.noarch
        setransd is needed by selinux-policy-mls-3.0.8-103.fc8.noarch

Please advise. Thanks.
Dependencies are easily solved by yum, but mls is unnecessary to install for my purpose.

# ls
selinux-policy-3.0.8-103.fc8.noarch.rpm        selinux-policy-mls-3.0.8-103.fc8.noarch.rpm
selinux-policy-devel-3.0.8-103.fc8.noarch.rpm  selinux-policy-targeted-3.0.8-103.fc8.noarch.rpm
# yum -y install selinux-policy-*
/usr/local/bin/mimedefang -- gen_context(system_u:object_r:mimedefang_exec_t,s0) is just broken. Please do a "yum install mimedefang -y && rpm -qvl mimedefang" first and have a look what pops up there in the file list.
Created attachment 305999: /var/log/audit/audit.log

Josef, I applied the packages, and attached is a copy of /var/log/audit/audit.log. Thanks. Bruce
Josef do you have the mimedefang policy?
I put mimedefang under spamd policy. So it will run with spamd privs in Fedora 9 and 10.
Daniel, will you be creating an updated spamd policy for Fedora 8?
3.0.8-116.fc8 will have the fixes
Fixed in selinux-policy-3.0.8-116.fc8
User jkubin's account has been closed
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.