Bug 660544 - SELinux balks at rkhunter log mailing. Rkhunter log file mislabelled by policy?

Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: rkhunter
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Duplicates: 659651 661670 664287 665185 672508 874070

Reported: 2010-12-07 03:43 UTC by Cong Ma
Modified: 2012-11-07 14:40 UTC
CC: 21 users
Doc Type: Bug Fix
Last Closed: 2011-04-14 02:10:34 UTC

Attachments
AVC Rkhunter (3.70 KB, text/plain), 2010-12-11 10:58 UTC, Frank Murphy (attachment 468136)

Description Cong Ma 2010-12-07 03:43:36 UTC
Summary:

SELinux is preventing /bin/mailx "append" access to
/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by mail. /var/lib/rkhunter/rkhcronlog.SLnAMmgUcm
may be mislabeled. /var/lib/rkhunter/rkhcronlog.SLnAMmgUcm's default SELinux
type is var_lib_t, but its current type is cron_var_lib_t. Changing this file
back to the default type may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creating a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or
    restorecon.

This file could have been mislabeled either by user error, or if a normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command: restorecon '/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm'. If
this file is a directory, you can restore it recursively using restorecon -R
'/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm'.

Fix Command:

/sbin/restorecon '/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm'

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_var_lib_t:s0
Target Objects                /var/lib/rkhunter/rkhcronlog.SLnAMmgUcm [ file ]
Source                        mail
Source Path                   /bin/mailx
Port                          <Unknown>
Host                          cmstat.localdomain
Source RPM Packages           mailx-12.5-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     cmstat.localdomain
Platform                      Linux cmstat.localdomain 2.6.35.9-64.fc14.x86_64
                              #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 07 Dec 2010 11:35:14 AM HKT
Last Seen                     Tue 07 Dec 2010 11:35:14 AM HKT
Local ID                      7c136649-d924-47d9-a986-efd9a447c90f
Line Numbers                  

Raw Audit Messages            

node=cmstat.localdomain type=AVC msg=audit(1291692914.616:40): avc:  denied  { append } for  pid=3036 comm="mail" path="/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm" dev=dm-0 ino=1705793 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file

node=cmstat.localdomain type=SYSCALL msg=audit(1291692914.616:40): arch=c000003e syscall=59 success=yes exit=0 a0=207bcd0 a1=2068110 a2=1d3d500 a3=8 items=0 ppid=8580 pid=3036 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mail" exe="/bin/mailx" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Comment 1 Cong Ma 2010-12-07 03:44:02 UTC
Summary:

SELinux is preventing /bin/mailx "ioctl" access to
/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by mail. /var/lib/rkhunter/rkhcronlog.SLnAMmgUcm
may be mislabeled. /var/lib/rkhunter/rkhcronlog.SLnAMmgUcm's default SELinux
type is var_lib_t, but its current type is cron_var_lib_t. Changing this file
back to the default type may fix your problem.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_var_lib_t:s0
Target Objects                /var/lib/rkhunter/rkhcronlog.SLnAMmgUcm [ file ]
Source                        mail
Source Path                   /bin/mailx
Port                          <Unknown>
Host                          cmstat.localdomain
Source RPM Packages           mailx-12.5-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     cmstat.localdomain
Platform                      Linux cmstat.localdomain 2.6.35.9-64.fc14.x86_64
                              #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 07 Dec 2010 11:35:14 AM HKT
Last Seen                     Tue 07 Dec 2010 11:35:14 AM HKT
Local ID                      3119e381-37d2-4c84-b355-508c86028094
Line Numbers                  

Raw Audit Messages            

node=cmstat.localdomain type=AVC msg=audit(1291692914.621:41): avc:  denied  { ioctl } for  pid=3036 comm="mail" path="/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm" dev=dm-0 ino=1705793 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file

node=cmstat.localdomain type=SYSCALL msg=audit(1291692914.621:41): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7fff9e060c10 a3=8 items=0 ppid=8580 pid=3036 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mail" exe="/bin/mailx" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Comment 2 Cong Ma 2010-12-07 03:44:15 UTC
Summary:

SELinux is preventing /usr/sbin/sendmail.sendmail "getattr" access to
/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by sendmail.
/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm may be mislabeled.
/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm's default SELinux type is var_lib_t, but
its current type is cron_var_lib_t. Changing this file back to the default type
may fix your problem.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_var_lib_t:s0
Target Objects                /var/lib/rkhunter/rkhcronlog.SLnAMmgUcm [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          cmstat.localdomain
Source RPM Packages           sendmail-8.14.4-10.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     cmstat.localdomain
Platform                      Linux cmstat.localdomain 2.6.35.9-64.fc14.x86_64
                              #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 07 Dec 2010 11:35:14 AM HKT
Last Seen                     Tue 07 Dec 2010 11:35:14 AM HKT
Local ID                      731212be-7c8f-49d9-9812-66ed27091020
Line Numbers                  

Raw Audit Messages            

node=cmstat.localdomain type=AVC msg=audit(1291692914.636:42): avc:  denied  { getattr } for  pid=3037 comm="sendmail" path="/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm" dev=dm-0 ino=1705793 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file

node=cmstat.localdomain type=SYSCALL msg=audit(1291692914.636:42): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff2d0f79e0 a2=7fff2d0f79e0 a3=7fff2d0f7750 items=0 ppid=1 pid=3037 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=3 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Comment 3 Miroslav Grepl 2010-12-07 11:10:52 UTC
You can allow it using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


I am finding a solution for rkhunter.

Comment 4 Miroslav Grepl 2010-12-07 11:11:39 UTC
*** Bug 659651 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2010-12-07 11:16:07 UTC
The problem is that if rkhunter is executed by cron, it runs in the system_cronjob_t domain, and the system_cronjob_t domain is allowed to create lib files with the cron_var_lib_t label.

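The three AVC records in the description and comments 1 and 2 (append, ioctl and getattr from system_mail_t on a cron_var_lib_t file) are what audit2allow in comment 3 would fold into a single allow rule. The following is an added example, not code from this bug, rkhunter or selinux-policy: a small Python stand-in for that aggregation step which also joins each AVC to its SYSCALL record by audit serial, so you can see which system call triggered the denial before deciding whether a local policy module is the right fix. The sample records are the ones quoted in this bug with the SYSCALL lines trimmed to the fields used; the syscall-number table covers x86_64 (arch=c000003e) only. Worth keeping in mind before running semodule -i on such a module: the generated rule lets system_mail_t at every cron_var_lib_t file on the system, not just rkhunter's temp log.

```python
import re
from collections import defaultdict

# Records constructed from the ones quoted in this bug; the SYSCALL lines are
# trimmed to the fields this example reads. The serial inside "audit(...)"
# ties each AVC record to its SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1291692914.616:40): avc:  denied  { append } for  pid=3036 comm="mail" path="/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm" dev=dm-0 ino=1705793 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1291692914.616:40): arch=c000003e syscall=59 success=yes exit=0 a0=207bcd0 a1=2068110 comm="mail" exe="/bin/mailx"
type=AVC msg=audit(1291692914.621:41): avc:  denied  { ioctl } for  pid=3036 comm="mail" path="/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm" dev=dm-0 ino=1705793 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1291692914.621:41): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 comm="mail" exe="/bin/mailx"
type=AVC msg=audit(1291692914.636:42): avc:  denied  { getattr } for  pid=3037 comm="sendmail" path="/var/lib/rkhunter/rkhcronlog.SLnAMmgUcm" dev=dm-0 ino=1705793 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1291692914.636:42): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff2d0f79e0 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}"
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<serial>[\d.]+:\d+)\): arch=(?P<arch>\w+) syscall=(?P<nr>\d+)"
    r" success=(?P<success>\w+) exit=(?P<exit>-?\d+) a0=(?P<a0>\w+) a1=(?P<a1>\w+)"
)

# x86_64 (arch=c000003e) syscall numbers seen in this bug plus the usual file ones.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 4: "stat",
                   5: "fstat", 16: "ioctl", 59: "execve", 257: "openat"}
TCGETS = "5401"  # ioctl request that isatty() issues


def type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_records(text: str):
    """Return (list of AVC dicts, {serial: SYSCALL dict})."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            avcs.append(m.groupdict())
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group("serial")] = m.groupdict()
    return avcs, syscalls


def allow_rules(avcs):
    """What audit2allow would emit: one rule per (source type, target type,
    class), with every denied permission for that triple merged."""
    perms = defaultdict(set)
    for a in avcs:
        key = (type_of(a["scontext"]), type_of(a["tcontext"]), a["tclass"])
        perms[key].update(a["perms"].split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def explain(avcs, syscalls):
    """One line per AVC naming the system call that triggered it."""
    lines = []
    for a in avcs:
        sc = syscalls.get(a["serial"])
        if sc is None:
            name, note = "unknown syscall", ""
        else:
            name = X86_64_SYSCALLS.get(int(sc["nr"]), "syscall#" + sc["nr"])
            note = ""
            if name == "execve":
                note = " (checked on a descriptor inherited across exec)"
            elif name == "ioctl" and sc["a1"] == TCGETS:
                note = f" (TCGETS: isatty() probe on fd {int(sc['a0'], 16)})"
        lines.append(f"{a['serial']}: {a['perms'].strip()} by {type_of(a['scontext'])} "
                     f"on {a['tclass']} {type_of(a['tcontext'])} via {name}{note}")
    return lines


if __name__ == "__main__":
    avcs, syscalls = parse_records(SAMPLE_AUDIT_LOG)
    print("\n".join(explain(avcs, syscalls)))
    print("\n".join(allow_rules(avcs)))
```

The "via execve" line is the interesting one: an { append } check at execve means the file was already open when /bin/mail was exec'd, i.e. mail inherited rkhunter's stdout, and SELinux re-checks inherited descriptors against the new domain at that point. The ioctl with a1=5401 (TCGETS) is mail's isatty() probe on fd 1, and the getattr is sendmail's fstat on fd 1.
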
Comment 6 Daniel Walsh 2010-12-07 14:22:07 UTC
Is this really a file you want to hang onto, or should this be written to /var/log?

rkhunter seems to ship with /var/lib/rkhunter directory.  So we could put a label on it and allow cron to write to it and mail to read from it.  I think years ago, I tried to write policy for rkhunter but failed, because it requires so much access that confining it made no sense.

Comment 7 Miroslav Grepl 2010-12-08 17:09:32 UTC
My first thought was that I could treat rkhunter with the sectoolm policy, but it ended up really badly :^).

So as you mentioned

# rpm -ql rkhunter | egrep "(run|log)"
/etc/logrotate.d/rkhunter
/var/log/rkhunter
/var/run/rkhunter

We can add a proper label for these dirs.

Comment 8 Miroslav Grepl 2010-12-09 11:29:47 UTC
*** Bug 661670 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2010-12-09 18:43:21 UTC
Workaround for now

# chcon -Rt cron_spool_t /var/lib/rkhunter/

Comment 10 Daniel Walsh 2010-12-10 19:43:27 UTC
That seems as good a solution as any, unless we go down the path of creating policy for rkhunter.

Comment 11 Frank Murphy 2010-12-11 10:58:26 UTC
(In reply to comment #9)
> Workaround for now
> 
> # chcon -Rt cron_spool_t /var/lib/rkhunter/

After applying the fix yesterday, I still ended up with practically a duplicate of the OP this morning.

Comment 12 Frank Murphy 2010-12-11 10:58:59 UTC
Created attachment 468136
AVC Rkhunter

Comment 13 Daniel Walsh 2010-12-13 14:48:30 UTC
Can rkhunter put its log files in /var/log/rkhunter?

Comment 14 Kevin Fenzi 2010-12-13 16:12:24 UTC
It already does, but it sounds like this is due to the cron job output that it generates and mails?

That's set in /etc/cron.daily/rkhunter:

TMPFILE1=`/bin/mktemp -p /var/lib/rkhunter rkhcronlog.XXXXXXXXXX` || exit 1

Happy to change it if needed...

Comment 15 Daniel Walsh 2010-12-13 16:14:12 UTC
But why would mail be trying to append to this file?

Comment 16 Daniel Walsh 2010-12-13 16:17:59 UTC
One of these two lines ends up sending mail?

    /bin/nice -n 10 $RKHUNTER --update --nocolors 2>&1 >> $TMPFILE1
    /bin/echo -e "\n---------------------- Start Rootkit Hunter Scan ----------------------" \
      >> $TMPFILE1
    /bin/nice -n 10 $RKHUNTER $RKHUNTER_FLAGS 2>&1 >> $TMPFILE1

While this one a few lines below, should work fine.

         /bin/cat $TMPFILE1 | /bin/mail -s "rkhunter Daily Run on $(hostname)" $MAILTO
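
Comment 15 asks why mail would append to the temp file at all. The redirections above answer it: rkhunter runs with fd 1 open O_APPEND on $TMPFILE1 (created by the cron job in /var/lib/rkhunter, hence labelled cron_var_lib_t as comment 5 explains), and when rkhunter's MAIL-ON-WARNING handling execs /bin/mail, the new system_mail_t process inherits that descriptor; the SYSCALL record paired with the append AVC is syscall=59, execve on x86_64, which is where SELinux checks inherited file descriptors against the new domain. (Separately, the order 2>&1 >> $TMPFILE1 sends rkhunter's stderr to the cron job's original stdout rather than into the file; only stdout lands in $TMPFILE1, which matches all three AVCs being about fd 1.) The following added example, not part of rkhunter or this bug, reproduces the two process layers with Python stand-ins for rkhunter and /bin/mail and reports whether the "mailer" ends up holding the log file on fd 1, both with the leak as the cron job has it and with the mailer's stdout pointed at /dev/null instead.

```python
import os
import subprocess
import sys
import tempfile

# Stand-in for /bin/mail: report the inode of fd 1 and whether it is a regular
# file, on stderr so the report does not land in the log itself.
MAILER = (
    "import os, stat, sys; st = os.fstat(1); "
    "sys.stderr.write(f'{st.st_ino} {int(stat.S_ISREG(st.st_mode))}\\n')"
)

# Stand-in for the rkhunter invocation in /etc/cron.daily/rkhunter: write a
# finding to stdout (the cron job's temp file) and then spawn the mailer,
# either leaving fd 1 as-is (what happens on the real system) or pointing the
# mailer's stdout at /dev/null first.
SCANNER = """
import subprocess, sys
print("Warning: constructed sample finding", flush=True)
leak = sys.argv[1] == "leak"
subprocess.run([sys.executable, "-c", sys.argv[2]],
               stdout=None if leak else subprocess.DEVNULL, check=True)
"""


def mailer_sees_log(leak: bool) -> bool:
    """Run scanner -> mailer with the scanner's stdout appended to a temp log,
    as the cron job does, and return True if the mailer's fd 1 is that log."""
    fd, log_path = tempfile.mkstemp(prefix="rkhcronlog.")
    os.close(fd)
    try:
        # O_APPEND, matching the { append } permission in the AVC record.
        with open(log_path, "ab") as log:
            proc = subprocess.run(
                [sys.executable, "-c", SCANNER, "leak" if leak else "noleak", MAILER],
                stdout=log, stderr=subprocess.PIPE, check=True, text=True,
            )
        ino, is_reg = proc.stderr.split()
        return is_reg == "1" and int(ino) == os.stat(log_path).st_ino
    finally:
        os.unlink(log_path)


if __name__ == "__main__":
    print("mailer inherits the cron log on fd 1:", mailer_sees_log(True))
    print("mailer stdout sent to /dev/null instead:", mailer_sees_log(False))
```

The fix the maintainer settled on (comment 29) removes the mail call altogether; the "noleak" path shows the other option, detaching the mailer's stdio from the log before exec, so that mail holds /dev/null rather than the cron_var_lib_t file when the inherited-descriptor check runs.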

Comment 17 Kevin Fenzi 2010-12-14 00:00:07 UTC
Oh yeah, this is the stupid: 

"[rkhunter] Warnings found for ${HOST_NAME}" email it sends anytime it's run and there are any issues. 

Is that what's causing it?

If you change: 

MAIL-ON-WARNING="root"

to
MAIL-ON-WARNING=""

in /etc/rkhunter.conf does that fix it?

Comment 18 Miroslav Grepl 2010-12-20 08:44:46 UTC
*** Bug 664287 has been marked as a duplicate of this bug. ***

Comment 19 Frank Murphy 2010-12-21 12:31:56 UTC
(In reply to comment #17)
> Oh yeah, this is the stupid: 
> 
> "[rkhunter] Warnings found for ${HOST_NAME}" email it sends anytime it's run
> and there are any issues. 
> 
> Is that what's causing it?
> 
> If you change: 
> 
> MAIL-ON-WARNING="root"
> 
> to
> MAIL-ON-WARNING=""
> 
> in /etc/rkhunter.conf does that fix it?

It prevents any record showing up in "logwatch" (mailed log); I will have to wait for a warning scan to check anything else.

Comment 20 Kevin Fenzi 2010-12-23 01:51:56 UTC
*** Bug 665185 has been marked as a duplicate of this bug. ***

Comment 21 Frank Murphy 2011-01-07 11:25:52 UTC
ping: Dan, Miroslav.

This has happened again after this morning's update(s).

You can run restorecon.
# /sbin/restorecon -v /var/lib/rkhunter/rkhcronlog.uMYjNIACPb

When restore context is clicked:
Enter root pw into box,
then this box comes up:

" failed to connect to server: global name 'load_plugins' is not defined "

rpm -qa selinux*
selinux-policy-targeted-3.9.7-20.fc14.noarch
selinux-policy-3.9.7-20.fc14.noarch

Comment 22 Miroslav Grepl 2011-01-25 12:22:34 UTC
*** Bug 672508 has been marked as a duplicate of this bug. ***

Comment 23 egrar 2011-03-18 15:31:20 UTC
Any fix for this error yet?

Raw Audit Messages
type=AVC msg=audit(1300180566.329:32): avc:  denied  { append } for  pid=8878 comm="mail" path="/var/lib/rkhunter/rkhcronlog.OmRFCZOynG" dev=dm-3 ino=525519 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file

Fedora 14 64bit.

Comment 24 JC 2011-04-02 18:47:35 UTC
I added a bug to the rkhunter SourceForge page. This had not been reported there. I don't like many of the workarounds, as they give access to the rkhunter directory. The developer should use an accepted means of doing report mailings.

Comment 25 Kevin Fenzi 2011-04-02 18:58:26 UTC
Well, I'm happy to adjust the cron job however required. 

Could someone test my theory from comment 17 and confirm that that is what is causing this?

Comment 26 Daniel Walsh 2011-04-04 19:57:00 UTC
Can you move the log files to /var/log/rkhunter?

Comment 27 Kevin Fenzi 2011-04-06 14:51:29 UTC
Well, the log files already are moved... it's the TMPFILE from the cron job that might be generating this. 

I think it might be best to just drop the "please check this machine" emails, as they seem to me to be redundant with the report emails.

Comment 28 long 2011-04-13 15:31:56 UTC
I tried your suggestion from comment 17 and that did seem to cause the problem to go away.

Comment 29 Kevin Fenzi 2011-04-14 02:10:34 UTC
OK, I have changed this in rawhide to no longer send that email.

I'm not sure it's worth an update in stable releases, but I suppose I could be convinced.
It should go to them with the next real needed update there.

In the meantime, just set
MAIL-ON-WARNING=""
and things should be OK.

Comment 30 rvcsaba 2011-04-14 15:47:35 UTC
If rkhunter does not send that e-mail, will I receive notification of any problem?

Comment 31 Kevin Fenzi 2011-04-14 16:35:01 UTC
It will still send email on any issues. It just won't also send a second email that says "host foo may be infected, please check it".

Comment 32 Miroslav Grepl 2012-11-07 12:56:03 UTC
*** Bug 874070 has been marked as a duplicate of this bug. ***
