Description of problem:
I have logwatch configured to send mail to me. This morning (after updating selinux-policy last night), I got:

---------
/etc/cron.daily/0logwatch:

Can't exec "sendmail": Permission denied at /usr/sbin/logwatch line 1032, <TESTFILE> line 2.
Can't execute sendmail -t: Permission denied
---------

In audit.log, I see

type=SELINUX_ERR msg=audit(1279896003.502:31721): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process

Version-Release number of selected component (if applicable):
3.7.19-39.fc13

I'm guessing this is due to bug 614698
Getting the same here - "logwatch" email is not received:

type=SELINUX_ERR msg=audit(1279953314.126:44): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process

$ uname -r
2.6.33.6-147.fc13.i686.PAE

$ rpm -q logwatch selinux-policy
logwatch-7.3.6-51.fc13.noarch
selinux-policy-3.7.19-39.fc13.noarch
Just a "me too" here:
selinux-policy-3.7.19-39.fc13.noarch
logwatch-7.3.6-51.fc13.noarch
Fully reproducible here too.
logwatch-7.3.6-51.fc13.noarch
selinux-policy-3.7.19-39.fc13.noarch
I observe the same issue on all of my Fedora 13 systems (both 32 and 64 bit). It appears to be a permissions problem somewhere. It works as normal with no issue if I manually execute logwatch as root.

2.6.33.6-147.fc13.x86_64
logwatch-7.3.6-51.fc13.noarch
selinux-policy-3.7.19-39.fc13.noarch
It was fixed in selinux-policy-3.7.19-40.fc13.noarch

selinux-policy and selinux-policy-targeted packages are available for now from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=186159
(In reply to comment #5)
> It was fixed in selinux-policy-3.7.19-40.fc13.noarch

I just installed and can verify that it is fixed. (I tested from root's cron.) Thanks.
*** Bug 617899 has been marked as a duplicate of this bug. ***
*** Bug 617928 has been marked as a duplicate of this bug. ***
I think 3.7.19-40.fc13 doesn't completely solve the problem. What I'm seeing from anacron after installing the policy update is:

/etc/cron.daily/0logwatch:

sendmail: fatal: chdir /var/spool/postfix: Permission denied

This isn't the same failure as with 3.7.19-39.fc13, but is a failure still.
What AVC are you seeing?

ausearch -m avc -ts recent
(In reply to comment #10)
> What AVC are you seeing?
> 
> ausearch -m avc -ts recent

[root@hydra uckelman]# ausearch -m avc -ts recent
<no matches>

I'm not getting an AVC which is logged, which puzzles me. For the record, I was getting the same error message as in Comment 0, but not that AVC either. I have no idea why this is---I've had other AVCs in the audit.log within the past few days.
Ah, I found the message in the audit.log by looking for it by hand:

type=AVC msg=audit(1280139552.870:9392): avc: denied { read } for pid=26659 comm="sendmail" name="unix" dev=proc ino=4026531958 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1280139552.870:9392): arch=c000003e syscall=21 success=no exit=-13 a0=7fffffa254c0 a1=4 a2=7fffffa254ce a3=ffffffffffffffa8 items=0 ppid=26546 pid=26659 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1284 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)

I'm not sure why ausearch didn't see it.
Joel,
can you execute

# semanage permissive -a logwatch_mail_t

and test it.

Then grab the output from

ausearch -m avc -su logwatch_mail_t

So we can get all of the AVC messages. Thanks.
(In reply to comment #13)
> Joel,
> can you execute
> 
> # semanage permissive -a logwatch_mail_t
> 
> and test it.

Do you know how I can make cron run /etc/cron.daily/0logwatch right now, so it's run from the right context? (Otherwise, I can just wait until tomorrow to get the output.)
Miroslav I think we need to change some system_mail_t calls to user_mail_domain

kernel_read_system_state(user_mail_domain)
kernel_read_network_state(user_mail_domain)
kernel_request_load_module(user_mail_domain)

For example.
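The two kinds of audit record in this thread (the failed logwatch_t -> logwatch_mail_t transition from comment 0 and the proc_net_t read denial from comment #12) can be pulled out of audit.log directly, which is useful when ausearch does not match them. The parser below is an added example, not code from this bug report or from the selinux-policy project; the sample records are constructed from the lines quoted above, and the interface hint table is an assumption that only covers the proc_net_t case, mapped to the kernel_read_network_state interface named in comment #15.

```python
import re

# Constructed sample, modelled on the audit.log records quoted in this bug report.
SAMPLE_AUDIT_LOG = """\
type=SELINUX_ERR msg=audit(1279896003.502:31721): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=AVC msg=audit(1280139552.870:9392): avc: denied { read } for pid=26659 comm="sendmail" name="unix" dev=proc ino=4026531958 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1280139552.870:9392): arch=c000003e syscall=21 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.postfix"
"""

CTX_RE = re.compile(r"\b(scontext|tcontext)=(\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}.*\btclass=(\w+)")
SID_RE = re.compile(r"security_compute_sid: invalid context (\S+) for .*\btclass=(\w+)")

# Refpolicy interface that would grant the denied access, keyed by (target type, class, perm).
# Assumption for illustration: only the case seen in this bug is tabulated.
INTERFACE_HINTS = {("proc_net_t", "file", "read"): "kernel_read_network_state(<source domain>)"}

def type_of(context):
    """'system_u:system_r:logwatch_t:s0-s0:c0.c1023' -> 'logwatch_t'."""
    return context.split(":")[2]

def parse_record(line):
    """Describe an AVC decision or a failed domain transition; None for other record types."""
    ctx = dict(CTX_RE.findall(line))
    if line.startswith("type=AVC"):
        m = AVC_RE.search(line)
        if not m or len(ctx) < 2:
            return None
        perms = m.group(2).split()
        src, tgt, tclass = type_of(ctx["scontext"]), type_of(ctx["tcontext"]), m.group(3)
        hints = [INTERFACE_HINTS.get((tgt, tclass, p)) for p in perms]
        return {"kind": "avc", "result": m.group(1), "source": src, "target": tgt,
                "tclass": tclass, "perms": perms, "hints": [h for h in hints if h]}
    if line.startswith("type=SELINUX_ERR"):
        m = SID_RE.search(line)
        if not m or len(ctx) < 2:
            return None
        # The kernel computed a new context for the exec but rejected it as invalid; in
        # practice this usually means the new type is not authorized for the role in the policy.
        return {"kind": "invalid_transition", "source": type_of(ctx["scontext"]),
                "exec_type": type_of(ctx["tcontext"]), "computed": type_of(m.group(1)),
                "tclass": m.group(2)}
    return None  # SYSCALL and other record types carry nothing we need here

def scan(log_text):
    """Parse every record in the text, e.g. scan(open('/var/log/audit/audit.log').read())."""
    return [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
```

Running scan() over a real audit.log as root lists every denial and failed transition with the source and target types already split out, so a denial on proc_net_t is immediately recognisable without waiting for ausearch to find it.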
> Do you know how I can make cron run /etc/cron.daily/0logwatch right now, so
> it's run from the right context? (Otherwise, I can just wait until tomorrow to
> get the output.)

You can remove /var/spool/anacron/cron.daily and restart the cron service (it will still take an hour to kick in). You might also try just copying 0logwatch to /etc/cron.hourly to make it run hourly (or set it up to run more frequently via /etc/crontab)
(In reply to comment #13)
> Joel,
> can you execute
> 
> # semanage permissive -a logwatch_mail_t
> 
> and test it.
> 
> Then grab the output from
> 
> ausearch -m avc -su logwatch_mail_t
> 
> 
> So we can get all of the AVC messages. Thanks.

I have two F13 machines where I had the original logwatch problem. I've installed the 3.7.19-40.fc13 policy RPMs on both of them. One I set to be permissive for logwatch_mail_t, the other I didn't change.

On the permissive machine, I got:

* no additional AVCs
* the logwatch email, as expected
* this error email from cron:

> /etc/cron.daily/0logwatch:
> 
> You have old files in your logwatch tmpdir (/var/cache/logwatch):
>         logwatch.C0aNS7fD
> The directories listed above were most likely created by a
> logwatch run that failed to complete successfully. If so, you
> may delete these directories.

On the impermissive machine, I got:

* another copy of the same AVC as in Comment #12
* no logwatch email
* this error email from cron:

> /etc/cron.daily/0logwatch:
> 
> You have old files in your logwatch tmpdir (/var/cache/logwatch):
>         logwatch.cgf57GcR
> The directories listed above were most likely created by a
> logwatch run that failed to complete successfully. If so, you
> may delete these directories.
> 
> sendmail: fatal: chdir /var/spool/postfix: Permission denied
(In reply to comment #15)
> Miroslav I think we need to change some system_mail_t calls to user_mail_domain
> 
> kernel_read_system_state(user_mail_domain)
> kernel_read_network_state(user_mail_domain)
> kernel_request_load_module(user_mail_domain)

I am adding it to selinux-policy-3.7.19-41.fc13.

Joel, thanks for testing.
(In reply to comment #18)
> 
> I am adding it to selinux-policy-3.7.19-41.fc13.
> 

I'm testing 3.7-19-41.fc13 now.
Joel, does it work?
Does not work with postfix:

# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-41.fc13.noarch
selinux-policy-3.7.19-41.fc13.noarch

/etc/cron.daily/0logwatch:

You have old files in your logwatch tmpdir (/var/cache/logwatch):
        logwatch.uNHRXvK5
The directories listed above were most likely created by a
logwatch run that failed to complete successfully. If so, you
may delete these directories.

sendmail: fatal: chdir /var/spool/postfix: Permission denied
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
The selinux-policy-targeted-3.7.19-41.fc13.noarch and selinux-policy-3.7.19-41.fc13.noarch packages didn't fix the error with postfix and logwatch. I got this email:

/etc/cron.daily/0logwatch:

sendmail: fatal: chdir /var/spool/postfix: Permission denied

Gabriel
Reproduced here after upgrade to Fedora 13 from Fedora 12 using preupgrade yesterday.
We will fix it as soon as buildsystem and CVS work again. Thanks for testing.
(In reply to comment #22)
> selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13.
> http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13

This update did fix the problem on one of our systems. We're using sendmail rather than postfix though.
On my "impermissive" system with 3.7.19-41.fc13 I'm getting the same AVC as with build 40:

[uckelman@one ~]$ sudo ausearch -m avc -su logwatch_mail_t
... output trimmed ...
---
time->Wed Jul 28 03:44:24 2010
type=SYSCALL msg=audit(1280313864.353:13788): arch=c000003e syscall=21 success=no exit=-13 a0=7fff3f12f460 a1=4 a2=7fff3f12f46e a3=ffffffffffffffa8 items=0 ppid=19730 pid=19837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1928 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1280313864.353:13788): avc: denied { read } for pid=19837 comm="sendmail" name="unix" dev=proc ino=4026531958 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Reproduced here after update in some F13 systems. The error is:

/etc/cron.daily/0logwatch:

Can't exec "sendmail": Permission denied at /usr/sbin/logwatch line 1032, <TESTFILE> line 1.
Can't execute sendmail -t: Permission denied

when I do

ls -lh /usr/sbin/logwatch
lrwxrwxrwx. 1 root root 45 jul 29 08:41 /usr/sbin/logwatch -> ../..//usr/share/logwatch/scripts/logwatch.pl

The link seems to be wrong with those ../../ in the beginning. It is created by the logwatch-7.3.6-51.fc13.noarch package. For my case, the problem seems to be in that package, instead of selinux-policy, and the error is the same as the description of this bug report.

kind regards
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
I'm still getting the same AVC denial with 3.7.19-41.fc13, so you know.
(In reply to comment #28)
> when I do
> ls -lh /usr/sbin/logwatch
> lrwxrwxrwx. 1 root root 45 jul 29 08:41 /usr/sbin/logwatch ->
> ../..//usr/share/logwatch/scripts/logwatch.pl
> 
> The link seems to be wrong with those ../../ in the beginning.

Just an update. I changed the link to a correct path /usr/share/logwatch/scripts/logwatch.pl and it works again. I did not update the selinux-policy package. In my case, although it is the same error, the problem is in logwatch-7.3.6-51.fc13.noarch package.

kind regards
Domingo is right. Correcting this link solved it for me (without the update to selinux-policy).

best regards
The symlink is not wrong. I have F11 and F12 servers that have the exact same link as the F13. It was the selinux-policy update that stopped logwatch.
selinux-policy-3.7.19-40 resolved the issue I reported at Comment 1 above - Thanks!
I have to revert my Comment #32. I run it from a root console. Running from regular cron job will produce the error from Comment 28. selinux-policy-3.7.19-40 resolved that. Sorry for the noise. Thank you.
Can confirm this works for me again too. I have selinux-policy-3.7.19-41.fc13.noarch installed.
(In reply to comment #23)
> the selinux-policy-targeted-3.7.19-41.fc13.noarch and
> selinux-policy-3.7.19-41.fc13.noarch, didn't fix the error with postfix and
> logwatch I got this email:
> 
> 
> /etc/cron.daily/0logwatch:
> 
> sendmail: fatal: chdir /var/spool/postfix: Permission denied
> 
> 
> 
> Gabriel

Fixed in selinux-policy-3.7.19-42.fc13.
selinux packages are available from koji

http://koji.fedoraproject.org/koji/taskinfo?taskID=2373358
(In reply to comment #37)
> 
> Fixed in selinux-policy-3.7.19-42.fc13.

Works fine. Thank you.

Gabriel
(In reply to comment #37)
> 
> Fixed in selinux-policy-3.7.19-42.fc13.
> 

I believe we have a winner. This build works for me. Thanks!
(In reply to comment #37)
> Fixed in selinux-policy-3.7.19-42.fc13.

thanks that fixed the problem with postfix and logwatch

Gabriel
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
As mentioned in several comments, this bug is NOT completely fixed in selinux-policy-3.7.19-41.fc13, but only in selinux-policy-3.7.19-42.fc13. Reopened until the latter is released as stable update.
selinux-policy-3.7.19-44.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-44.fc13
selinux-policy-3.7.19-44.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-44.fc13
selinux-policy-3.7.19-44.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.