Description of problem:

setroubleshoot: For complete SELinux messages. run sealert -l bd943cc6-c3e2-4e7b-ab4b-dfa98ed7c89a

sealert -l bd943cc6-c3e2-4e7b-ab4b-dfa98ed7c89a

Summary:

SELinux is preventing sendmail (system_mail_t) "read write" clamd_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:system_r:clamd_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           sendmail-8.14.3-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-53.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri Mar 27 13:32:19 2009
Last Seen                     Fri Mar 27 13:32:19 2009
Local ID                      bd943cc6-c3e2-4e7b-ab4b-dfa98ed7c89a
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1238157139.735:342): avc: denied { read write } for pid=6904 comm="sendmail" path="socket:[117730]" dev=sockfs ino=117730 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket

node=ls2ka.elton-intra.net type=AVC msg=audit(1238157139.735:342): avc: denied { write } for pid=6904 comm="sendmail" path="/tmp/clamav-29d44677d5f610a32bffba613579d076/msg.7oUflm" dev=sda2 ino=1474598 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:clamd_tmp_t:s0 tclass=file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238157139.735:342): arch=40000003 syscall=11 success=yes exit=0 a0=8231650 a1=8231750 a2=8230af0 a3=0 items=0 ppid=2648 pid=6904 auid=4294967295 uid=492 gid=489 euid=492 suid=492 fsuid=492 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

Version-Release number of selected component (if applicable):

selinux-policy-3.5.13-53.fc10.noarch
libselinux-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386
selinux-policy-targeted-3.5.13-53.fc10.noarch
clamav-milter-sysv-0.94.2-1.fc10.i386
clamav-server-0.94.2-1.fc10.i386
clamav-data-0.94.2-1.fc10.i386
clamav-filesystem-0.94.2-1.fc10.i386
clamav-milter-core-0.94.2-1.fc10.i386
clamav-0.94.2-1.fc10.i386
clamav-update-0.94.2-1.fc10.i386
clamav-milter-sendmail-0.94.2-1.fc10.i386
clamav-lib-0.94.2-1.fc10.i386
clamav-milter-0.94.2-1.fc10.i386
clamav-server-sysv-0.94.2-1.fc10.i386
sendmail-doc-8.14.3-3.fc10.i386
sendmail-cf-8.14.3-3.fc10.i386
sendmail-devel-8.14.3-3.fc10.i386
sendmail-8.14.3-3.fc10.i386
clamav-milter-sendmail-0.94.2-1.fc10.i386
perl-Mail-Sendmail-0.79-10.fc9.noarch

How reproducible:

install sendmail, clamav and SELinux and make them work together.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
This is a leaked file descriptor from clamd. Please make sure all file descriptors are closed on exec when launching sendmail.

fcntl(fd, F_SETFD, FD_CLOEXEC)
These AVCs can be ignored; SELinux will just close the open descriptors and the tool's mail should be sent successfully. You can use audit2allow to allow the leak or tell setroubleshoot to ignore the errors.
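
The descriptor leak described in the comments above, reproduced as an added example (not code from clamav, sendmail or this bug report): a parent opens a Unix stream socket, forks and execs a child, once without and once with FD_CLOEXEC. `sleep` is a stand-in for the launched sendmail (an assumption), and inheritance is detected by whether the socket's peer end sees a hang-up once the child has exec'd.

```c
/* Added example, not from the bug report. "sleep" stands in for the
 * launched sendmail (assumption); the socketpair for clamd's socket. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the exec'd child inherited the socket, 0 if the kernel
 * closed it at exec, -1 on error. */
int child_inherits_socket(int set_cloexec)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    /* The fix requested in the comment: mark the fd close-on-exec. */
    if (set_cloexec && fcntl(sv[0], F_SETFD, FD_CLOEXEC) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[1]);                 /* child holds only sv[0] */
        execlp("sleep", "sleep", "5", (char *)NULL);
        _exit(127);                   /* exec failed */
    }
    close(sv[0]);                     /* parent drops its own copy */
    /* If sv[0] was closed at exec, the peer end reports hang-up at once;
     * if the child still holds it, poll() times out. */
    struct pollfd p = { .fd = sv[1], .events = POLLIN };
    int ready = poll(&p, 1, 1000);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(sv[1]);
    return ready < 0 ? -1 : ready == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: inherited=%d\n", child_inherits_socket(0));
    printf("with FD_CLOEXEC:    inherited=%d\n", child_inherits_socket(1));
    return 0;
}
```

The inherited case is what the AVC above records: the socket arrives in the system_mail_t process still labelled clamd_t, and the policy has no rule allowing its use.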
Does this mean that messages like below are harmless?

Mar 28 11:36:17 ls2ka setroubleshoot: SELinux is preventing the sendmail from using potentially mislabeled files (/tmp/clamav-29d44677d5f610a32bffba613579d076/msg.TxgyNV). For complete SELinux messages. run sealert -l e6cb5c46-79b0-4723-a7b5-9ea96b80a89c

Mar 28 12:27:20 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" clamd_t. For complete SELinux messages. run sealert -l bd943cc6-c3e2-4e7b-ab4b-dfa98ed7c89a

Mar 28 12:57:59 ls2ka setroubleshoot: SELinux is preventing the sendmail from using potentially mislabeled files (/tmp/clamav-29d44677d5f610a32bffba613579d076/msg.fVqadu). For complete SELinux messages. run sealert -l c64deadf-7e0e-4e57-9d44-34d58eccb31a

Mar 28 13:01:32 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" clamd_t. For complete SELinux messages. run sealert -l bd943cc6-c3e2-4e7b-ab4b-dfa98ed7c89a
Also looks like a leaked file descriptor. So if mail is being sent it is also harmless. A tool like a mail program would know nothing about clamav, so if it is trying to access files generated by clamav, either clamav told the app about them through fd redirection or clamav is leaking a file descriptor and the tool does not need access.
Not seeing clamd_t messages anymore. Using:

clamav-0.95.1-2.fc11.i586
clamav-data-0.95.1-2.fc11.noarch
clamav-milter-0.95.1-2.fc11.i586
clamav-filesystem-0.95.1-2.fc11.noarch
clamav-lib-0.95.1-2.fc11.i586
clamav-milter-sysvinit-0.95.1-2.fc11.noarch
clamav-scanner-0.95.1-2.fc11.noarch
clamav-server-0.95.1-2.fc11.i586
clamav-scanner-upstart-0.95.1-2.fc11.noarch
clamav-update-0.95.1-2.fc11.i586
clamav-server-sysvinit-0.95.1-2.fc11.noarch
clamav-scanner-sysvinit-0.95.1-2.fc11.noarch

close bug?