Description of problem:

Summary:

SELinux is preventing the sendmail from using potentially mislabeled files (2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429).

Detailed Description:

SELinux has denied sendmail access to potentially mislabeled file(s) (2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429). This means that SELinux will not allow sendmail to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want sendmail to access this files, you need to relabel them using restorecon -v '2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429'. You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                system_u:system_r:system_mail_t
Target Context                system_u:object_r:httpd_tmp_t
Target Objects                2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429 [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          LS1000.tmch.com
Source RPM Packages           sendmail-8.13.8-2.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     LS1000.tmch.com
Platform                      Linux LS1000.tmch.com 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 23 Jun 2008 02:40:26 PM CDT
Last Seen                     Mon 23 Jun 2008 02:40:27 PM CDT
Local ID                      413eb782-5b3f-4543-a9f3-ceee3ad22e54
Line Numbers

Raw Audit Messages

host=LS1000.tmch.com type=AVC msg=audit(1214250027.124:570): avc: denied { read write } for pid=32570 comm="sendmail" path=2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429 dev=dm-2 ino=98310 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

host=LS1000.tmch.com type=AVC msg=audit(1214250027.124:570): avc: denied { read } for pid=32570 comm="sendmail" path="eventpoll:[347445]" dev=eventpollfs ino=347445 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file

host=LS1000.tmch.com type=SYSCALL msg=audit(1214250027.124:570): arch=c000003e syscall=59 success=yes exit=0 a0=18357d70 a1=18357de0 a2=18356d00 a3=3 items=0 ppid=15844 pid=32570 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
Created attachment 310239: Sendmail Alert Mislabeled Files
This path is strange - I do not know what exactly this should be. Do you have more information?
Taking these AVC's and applying to Fedora 12 setroubleshoot shows.

Summary:

SELinux is preventing /usr/sbin/sendmail.sendmail access to a leaked /tmp/.NSPR-AFM-6363-2aabc80fc870.0 (deleted) file descriptor.

Detailed Description:

[sendmail has a permissive type (system_mail_t). This access was not denied.]

SELinux denied access requested by the sendmail command. It looks like this is either a leaked descriptor or sendmail output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /tmp/.NSPR-AFM-6363-2aabc80fc870.0 (deleted). You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:object_r:httpd_tmp_t:s0
Target Objects                /tmp/.NSPR-AFM-6363-2aabc80fc870.0 (deleted) [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sendmail-8.14.3-8.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-33.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31.1-48.fc12.x86_64 #1 SMP Fri Sep 25 16:57:40 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Jun 23 15:40:27 2008
Last Seen                     Mon Jun 23 15:40:27 2008
Local ID                      d97e260c-b582-4acd-8013-265954378cba
Line Numbers                  1, 2, 4

Raw Audit Messages

type=AVC msg=audit(1214250027.124:570): avc: denied { read write } for pid=32570 comm="sendmail" path=2F746D702F2E4E5350522D41464D2D363336332D3261616263383066633837302E30202864656C6574656429 dev=dm-2 ino=98310 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file

type=AVC msg=audit(1214250027.124:570): avc: denied { read } for pid=32570 comm="sendmail" path="eventpoll:[347445]" dev=eventpollfs ino=347445 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file

type=SYSCALL msg=audit(1214250027.124:570): arch=c000003e syscall=59 success=yes exit=0 a0=18357d70 a1=18357de0 a2=18356d00 a3=3 items=0 ppid=15844 pid=32570 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)
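The path that looked strange in the first report is a hex-encoded string: audit writes a string field as hex when it contains a space, a double quote or a non-printable byte, and the trailing " (deleted)" contains a space. The following is an added example, not code from this bug report or from any project; it decodes the path= field of the two AVC records quoted above, and the function and constant names are made up for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two AVC records from the report above, cut after the dev= field. */
static const char REC_HEX[] =
    "type=AVC msg=audit(1214250027.124:570): avc: denied { read write } "
    "for pid=32570 comm=\"sendmail\" path=2F746D702F2E4E5350522D41464D2D"
    "363336332D3261616263383066633837302E30202864656C6574656429 dev=dm-2";
static const char REC_QUOTED[] =
    "type=AVC msg=audit(1214250027.124:570): avc: denied { read } "
    "for pid=32570 comm=\"sendmail\" path=\"eventpoll:[347445]\" dev=eventpollfs";

/* Copy the path= field of rec into out. Returns 1 if it was hex-encoded,
 * 0 if it was a quoted string, -1 if missing, malformed or too long. */
int audit_path(const char *rec, char *out, size_t outlen)
{
    const char *p = strstr(rec, " path=");
    size_t n = 0;
    if (p == NULL || outlen == 0) return -1;
    p += strlen(" path=");
    if (*p == '"') {                      /* quoted: the value is literal */
        for (p++; *p && *p != '"'; p++) {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
        out[n] = '\0';
        return *p == '"' ? 0 : -1;
    }
    while (*p && *p != ' ') {             /* unquoted: two hex digits per byte */
        char byte[3] = { p[0], p[1], '\0' };
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]) ||
            n + 1 >= outlen) return -1;
        out[n++] = (char)strtol(byte, NULL, 16);
        p += 2;
    }
    out[n] = '\0';
    return n ? 1 : -1;
}

int main(void)
{
    char buf[256];
    if (audit_path(REC_HEX, buf, sizeof buf) == 1) printf("hex:    %s\n", buf);
    if (audit_path(REC_QUOTED, buf, sizeof buf) == 0) printf("quoted: %s\n", buf);
    return 0;
}
```

On a live system `ausearch -i` performs the same interpretation. Decoded names can contain control characters, so escape them before writing them to a terminal or another log.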
This is not a sendmail or an selinux policy bug. This indicates that the apache scripts/modules you are using are leaking files to the sendmail program. You can safely ignore these errors, since SELinux will close the access.

If you want to allow the access you can use audit2allow to generate a policy module.

# grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
# semodule -i mysendmail.pp

I can not tell from the AVC which apache module is leaking the descriptors, but you should report this as a bug to those apps to close the descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)
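The fcntl call above, expanded into an added example (not code from this bug report or from any Apache module): it sets the flag without discarding other descriptor flags, counts the descriptors an exec'd program would inherit, and shows that dup() drops the flag again. The helper names are made up, and the pipe stands in for the module's temporary file.

```c
#define _POSIX_C_SOURCE 200809L   /* for F_DUPFD_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is open and would survive exec, 0 if close-on-exec, -1 if not open. */
int is_inheritable(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : !(flags & FD_CLOEXEC);
}

/* Set close-on-exec, keeping whatever other descriptor flags are set. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Count descriptors in [lo, hi) that an exec'd program would inherit. */
int count_inheritable(int lo, int hi)
{
    int n = 0;
    for (int fd = lo; fd < hi; fd++)
        n += is_inheritable(fd) == 1;
    return n;
}

/* Leak and fix on a pipe; returns 0 if every step behaves as commented. */
int demo(void)
{
    int p[2];
    if (pipe(p) == -1) return -1;
    int before = count_inheritable(0, 256);
    if (is_inheritable(p[0]) != 1) return 1;          /* default: leaks to the child */
    if (set_cloexec(p[0]) != 0 || count_inheritable(0, 256) != before - 1) return 2;
    int d1 = dup(p[0]);                               /* dup() clears FD_CLOEXEC */
    if (is_inheritable(d1) != 1) return 3;
    int d2 = fcntl(p[0], F_DUPFD_CLOEXEC, 0);         /* duplicate with the flag set */
    if (is_inheritable(d2) != 0) return 4;
    close(d1); close(d2); close(p[0]); close(p[1]);
    return 0;
}

int main(void)
{
    printf("demo() = %d (0 means every step behaved as described)\n", demo());
    return 0;
}
```

Calling count_inheritable() just before the fork/exec of a helper such as sendmail gives a quick check for descriptors that would be handed to it.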