Summary:

SELinux is preventing /usr/sbin/sendmail.sendmail "getattr" access on /etc/mail/sendmail.cf.

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_mail_t:s0
Target Objects                /etc/mail/sendmail.cf [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sendmail-8.14.4-9.fc14
Target RPM Packages           sendmail-8.14.4-9.fc14
Policy RPM                    selinux-policy-3.8.8-8.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35-0.56.rc6.git1.fc14.x86_64 #1 SMP Sat Jul 24 00:49:49 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 29 Jul 2010 11:49:07 AM CLT
Last Seen                     Fri 30 Jul 2010 10:20:05 AM CLT
Local ID                      b8362124-579b-4f74-804d-4430da611ada
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1280499605.476:92): avc: denied { getattr } for pid=11066 comm="sendmail" path="/etc/mail/sendmail.cf" dev=dm-0 ino=1294875 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1280499605.476:92): arch=c000003e syscall=4 success=no exit=-13 a0=7fff39a53680 a1=7fff39a546e0 a2=7fff39a546e0 a3=7fff39a57e40 items=0 ppid=11015 pid=11066 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,sendmail,logwatch_mail_t,etc_mail_t,file,getattr

audit2allow suggests:

#============= logwatch_mail_t ==============
allow logwatch_mail_t etc_mail_t:file getattr;

I have a locally generated sendmail.cf
It seems quite nonsensical that sendmail can't stat(2) or similar its main configuration file... BTW, what the heck is getattr? The man pages know nothing of such a system call...
(In reply to comment #2)
> It seems quite nonsensical that sendmail can't stat(2) or similar its main
> configuration file...

It will be fixed in the next F14 selinux-policy release.

> BTW, what the heck is getattr? The man pages know nothing of such a system
> call...

'getattr' is an SELinux permission which gets attributes for an object, such as access mode (for example - stat(), some ioctls)

From the AVC message we know that syscall=4

# ausyscall 4
stat
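
The correlation described in the last comment, as an added example (not part of the original bug report or of any SELinux tool): it joins the AVC and SYSCALL records on their shared audit event ID, resolves the syscall number for x86_64, and builds the rule in the format audit2allow printed above. The syscall table is a hand-copied subset, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the x86_64 (arch=c000003e) syscall table; `ausyscall` is authoritative.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close",
                   4: "stat", 5: "fstat", 6: "lstat"}
EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two raw audit records quoted in the report above.
SAMPLE = '''node=(removed) type=AVC msg=audit(1280499605.476:92): avc: denied { getattr } for pid=11066 comm="sendmail" path="/etc/mail/sendmail.cf" dev=dm-0 ino=1294875 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1280499605.476:92): arch=c000003e syscall=4 success=no exit=-13 a0=7fff39a53680 a1=7fff39a546e0 a2=7fff39a546e0 a3=7fff39a57e40 items=0 ppid=11015 pid=11066 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 key=(null)'''

def parse_events(log):
    """Group audit records by event ID (timestamp:serial); one record per type is kept."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events[event_id][rtype] = fields
    return events

def explain(log):
    """Per denial: the syscall that triggered it and the matching allow rule."""
    out = []
    for event_id, recs in parse_events(log).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or not avc["perms"] or "scontext" not in avc or "tcontext" not in avc:
            continue
        # A context is user:role:type:level; policy rules are written on the type.
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms = avc["perms"]
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        name = None
        if sc.get("arch") == "c000003e" and sc.get("syscall", "").isdigit():
            name = X86_64_SYSCALLS.get(int(sc["syscall"]))
        out.append({"event": event_id, "syscall": name, "exit": sc.get("exit"),
                    "rule": f"allow {src} {tgt}:{avc.get('tclass')} {perm_s};"})
    return out

if __name__ == "__main__":
    print(explain(SAMPLE))
```
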