Summary: SELinux is preventing /usr/bin/file "getattr" access on /usr/sbin/sendmail.sendmail. Detailed Description: [file has a permissive type (boinc_t). This access was not denied.] SELinux denied access requested by file. It is not expected that this access is required by file and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:boinc_t:s0 Target Context system_u:object_r:sendmail_exec_t:s0 Target Objects /usr/sbin/sendmail.sendmail [ file ] Source file Source Path /usr/bin/file Port <Unknown> Host (removed) Source RPM Packages file-5.04-3.fc13 Target RPM Packages sendmail-8.14.4-4.fc13 Policy RPM selinux-policy-3.7.19-10.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Wed 05 May 2010 22:25:51 BST Last Seen Wed 05 May 2010 22:25:51 BST Local ID b9651017-9629-4fc5-a910-88bc453a756e Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1273094751.265:13): avc: denied { getattr } for pid=1744 comm="file" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=163595 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1273094751.265:13): arch=c000003e syscall=4 success=yes exit=0 a0=7fff0a86fea2 a1=7fff0a86f0e0 a2=7fff0a86f0e0 a3=22 items=0 ppid=1681 pid=1744 auid=4294967295 uid=492 gid=482 euid=492 suid=492 fsuid=492 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="file" exe="/usr/bin/file" subj=system_u:system_r:boinc_t:s0 key=(null) Hash String generated from catchall,file,boinc_t,sendmail_exec_t,file,getattr audit2allow suggests: #============= boinc_t ============== allow boinc_t sendmail_exec_t:file getattr;
I also get the following (both of these are on logging in): Summary: SELinux is preventing /usr/bin/file "read" access on /usr/sbin/sendmail.sendmail. Detailed Description: [file has a permissive type (boinc_t). This access was not denied.] SELinux denied access requested by file. It is not expected that this access is required by file and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:boinc_t:s0 Target Context system_u:object_r:sendmail_exec_t:s0 Target Objects /usr/sbin/sendmail.sendmail [ file ] Source file Source Path /usr/bin/file Port <Unknown> Host Shaggy Source RPM Packages file-5.04-3.fc13 Target RPM Packages sendmail-8.14.4-4.fc13 Policy RPM selinux-policy-3.7.19-10.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name Shaggy Platform Linux Shaggy 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64 Alert Count 4 First Seen Wed 05 May 2010 22:25:51 BST Last Seen Wed 05 May 2010 22:25:51 BST Local ID 1a9bdad3-f9fa-42e3-95f1-e93e1ad86851 Line Numbers Raw Audit Messages node=Shaggy type=AVC msg=audit(1273094751.265:14): avc: denied { read } for pid=1744 comm="file" name="sendmail.sendmail" dev=dm-0 ino=163595 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file node=Shaggy type=AVC msg=audit(1273094751.265:14): avc: denied { open } for pid=1744 comm="file" name="sendmail.sendmail" dev=dm-0 ino=163595 scontext=system_u:system_r:boinc_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file node=Shaggy type=SYSCALL msg=audit(1273094751.265:14): arch=c000003e syscall=2 success=yes exit=4 a0=7fff0a86fea2 a1=0 a2=7fff0a86f0e0 a3=22 items=0 ppid=1681 pid=1744 auid=4294967295 uid=492 gid=482 euid=492 suid=492 fsuid=492 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="file" exe="/usr/bin/file" subj=system_u:system_r:boinc_t:s0 key=(null)
I guess boinc sends mail? Fixed in selinux-policy-3.7.19-13.fc13.noarch
selinux-policy-3.7.19-13.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-13.fc13
selinux-policy-3.7.19-13.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-13.fc13
This still seems to occur with -13.
Can you attach your latest avc messages. sesearch -A -s boinc_t -t sendmail_exec_t Found 3 semantic av rules: allow boinc_t file_type : filesystem getattr ; allow boinc_t mta_exec_type : file { read getattr execute open } ; allow boinc_t mta_exec_type : lnk_file { read getattr } ; I am using slightly newer policy rpm -q selinux-policy selinux-policy-3.7.19-14.fc13.noarch
Actually, it appears as if setroubleshoot is telling me about AVCs from the 9th of May for some reason.
So is it fixed or not?
Sorry, I'm making about as much sense as a hamster in a tumble dryer. Yes it is fixed now, sorry for the confusion.
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.