Bug 457639 - SELinux is preventing sendmail (sendmail_t) "getattr" to /etc/krb5.conf (krb5_conf_t).
SELinux is preventing sendmail (sendmail_t) "getattr" to /etc/krb5.conf (krb5...
Status: CLOSED DUPLICATE of bug 457642
Product: Fedora
Classification: Fedora
Component: sendmail (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
: SELinux
Depends On:
  Show dependency treegraph
Reported: 2008-08-02 01:33 EDT by Matěj Cepl
Modified: 2008-08-18 04:12 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-08-18 04:12:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/var/log/audit/audit.log (2.07 MB, text/plain)
2008-08-02 01:39 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2008-08-02 01:33:49 EDT

SELinux is preventing sendmail (sendmail_t) "getattr" to /etc/krb5.conf

Podrobný popis:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /etc/krb5.conf,

restorecon -v '/etc/krb5.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:sendmail_t
Kontext cíle                 system_u:object_r:krb5_conf_t
Objekty cíle                 /etc/krb5.conf [ file ]
Zdroj                         sendmail
Cesta zdroje                  /usr/sbin/sendmail.sendmail
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          sendmail-8.14.2-4.fc9
RPM balíčky cíle           krb5-libs-1.6.3-10.fc9
RPM politiky                  selinux-policy-3.3.1-82.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef #1 SMP Mon Jul
                              7 20:46:03 EDT 2008 i686 i686
Počet upozornění           41
Poprvé viděno               Pá 4. červenec 2008, 19:02:37 CEST
Naposledy viděno             So 2. srpen 2008, 07:12:37 CEST
Místní ID                   a3c7b402-396a-40dc-8dfa-2de90334ec0f
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1217653957.326:7): avc:  denied  { getattr } for
 pid=2601 comm="sendmail" path="/etc/krb5.conf" dev=dm-0 ino=2093320
tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file

host=viklef type=SYSCALL msg=audit(1217653957.326:7): arch=40000003 syscall=195
success=no exit=-13 a0=b997c0e4 a1=bfc9183c a2=64dff4 a3=b997c048 items=0
ppid=2600 pid=2601 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51
sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
Comment 1 Matěj Cepl 2008-08-02 01:39:39 EDT
Created attachment 313259 [details]
Comment 2 Daniel Walsh 2008-08-04 14:18:05 EDT
This is already fixed in current policy for some reason your machine is reporting bugs that do not exist in the policy.  I suspect that policy updates are not working on your machine or you have multiple policies and the lower version is getting loaded on reboot.  You should only have one policy.* file on your machine.
Comment 3 Matěj Cepl 2008-08-18 04:12:48 EDT

*** This bug has been marked as a duplicate of bug 457642 ***

Note You need to log in before you can comment on or make changes to this bug.