Bug 544755 - SELinux is preventing the sendmail from using potentially mislabeled files /etc/mail (etc_mail_t).
Summary: SELinux is preventing the sendmail from using potentially mislabeled files /e...
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:1074bda26a2...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-06 12:06 UTC by qtl
Modified: 2009-12-06 15:07 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-12-06 15:07:00 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description qtl 2009-12-06 12:06:06 UTC 
Summary:

SELinux is preventing the sendmail from using potentially mislabeled files
/etc/mail (etc_mail_t).

Detailed Description:

SELinux has denied the sendmail access to potentially mislabeled files
/etc/mail. This means that SELinux will not allow httpd to use these files. Many
third party apps install html files in directories that SELinux policy cannot
predict. These directories have to be labeled with a file context which httpd
can access.

Allowing Access:

If you want to change the file context of /etc/mail so that the httpd daemon can
access it, you need to execute it using chcon -t httpd_sys_content_t
'/etc/mail'. You can look at the httpd_selinux man page for additional
information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:etc_mail_t:s0
Target Objects                /etc/mail [ dir ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sendmail-8.14.3-5.fc11
Target RPM Packages           sendmail-8.14.3-5.fc11
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.29.5-191.fc11.x86_64 #1 SMP Tue Jun 16
                              23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   6
First Seen                    Tue 07 Jul 2009 02:48:08 PM CEST
Last Seen                     Tue 07 Jul 2009 02:48:08 PM CEST
Local ID                      7576858d-14b8-41c0-b399-b29889479462
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1246970888.189:28960): avc:  denied  { search } for  pid=21803 comm="sendmail" name="mail" dev=dm-0 ino=74950 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1246970888.189:28960): arch=c000003e syscall=4 success=no exit=-13 a0=7fffaa06af40 a1=7fffaa06bfa0 a2=7fffaa06bfa0 a3=4 items=0 ppid=2662 pid=21803 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=1 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.12-53.fc11,httpd_bad_labels,sendmail,httpd_t,etc_mail_t,dir,search
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t etc_mail_t:dir search;
Comment 1 Daniel Walsh 2009-12-06 15:07:00 UTC 

*** This bug has been marked as a duplicate of bug 538428 ***
Note You need to log in before you can comment on or make changes to this bug.