Summary:

SELinux is preventing /usr/sbin/sendmail.postfix access to a leaked fifo_file file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the sendmail command. It looks like this is either a leaked descriptor or sendmail output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the fifo_file. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:sendmail_t:s0
Target Context                system_u:system_r:postfix_local_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.postfix
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           postfix-2.7.0-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-76.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.7-66.fc13.x86_64 #1 SMP Wed Dec 15 07:04:30 UTC 2010 x86_64 x86_64
Alert Count                   6
First Seen                    2011-01-22 03:28:12
Last Seen                     2011-01-24 04:01:33
Local ID                      74ed02f0-af0f-4c0e-952c-9e1926b648ec
Line Numbers

Raw Audit Messages

node=(削除済み) type=AVC msg=audit(1295809293.592:27919): avc: denied { write } for pid=15489 comm="sendmail" path="pipe:[4179224]" dev=pipefs ino=4179224 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

node=(削除済み) type=SYSCALL msg=audit(1295809293.592:27919): arch=c000003e syscall=59 success=yes exit=0 a0=19fc370 a1=19fe050 a2=19fdf90 a3=8 items=0 ppid=1 pid=15489 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:sendmail_t:s0 key=(null)

Hash String generated from  leaks,sendmail,sendmail_t,postfix_local_t,fifo_file,write

audit2allow suggests:

#============= sendmail_t ==============
allow sendmail_t postfix_local_t:fifo_file write;
Created attachment 474882 [details]
SELinux is preventing /usr/sbin/sendmail.postfix "getattr" access on fifo_file.

Additionally, this alert followed.
Do you have postfix_local executing sendmail?
(In reply to comment #2)
> Do you have postfix_local executing sendmail?

Sorry, I'm not sure. How can I check that?

I will attach output of:

ls -Zd $(rpm -ql postfix|grep '/var\|/usr'|grep -v /doc/) > postfix-labels.lst
Created attachment 475118 [details] output of ls -Z ...postfix related files...
Do you have something like "sendmail_enable" in your postfix conf files?

# grep -rv "^#" /etc/postfix/ | grep sendmail
(In reply to comment #5)
> Do you have something like "sendmail_enable" in your postfix conf files?
>
> # grep -rv "^#" /etc/postfix/ | grep sendmail

Yes, like this:

# grep -rv "^#" /etc/postfix/ | grep sendmail
/etc/postfix/main.cf:sendmail_path = /usr/sbin/sendmail.postfix
#
Ok. Does everything work in enforcing mode?
(In reply to comment #7)
> Ok. Does everything work in enforcing mode?

I will try enforcing mode tonight. Please wait 24h+ ;-)

BTW, I just remembered that I use procmail from postfix:

mailbox_command = /usr/bin/procmail -a "$EXTENSION"

and my ~/.procmailrc calls sendmail:

| sendmail -f MYADDR

Is this likely the cause of this problem? Is this illegal for SELinux?

Anyway, my ~/.procmailrc has this label:

unconfined_u:object_r:procmail_home_t:s0
Ok. Dan, I am thinking about transition from postfix_local_t to sendmail_t.
Sounds fine with me. They are both mailers...
Fixed in selinux-policy-3.7.19-87.fc13
(In reply to comment #11)
> Fixed in selinux-policy-3.7.19-87.fc13

Thank you for your quick response!

And, what should I do next? Should I upload the log under enforcing mode? Or is just waiting for koji and testing the above rpm enough?
You can allow it for now using

# grep sendmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
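The grep | audit2allow step above works by parsing raw AVC records like the one in the report and folding each (source type, target type, class) into an allow rule. The following is an added example, not code from this bug report or from the selinux-policy project: it parses such records, correlates each AVC with the SYSCALL record that shares its audit serial, flags the execve-time fifo_file denials that the "leaks" plugin describes (the fd was inherited across exec and the kernel simply closes it), and renders the merged rule audit2allow would print. The sample log is constructed: the first two records are trimmed copies of the report's raw audit messages, the getattr record is invented to stand in for the follow-up alert in comment 4, and the leak heuristic is my own rather than setroubleshoot's exact logic.

```python
import re
from collections import defaultdict

# Constructed sample log (see lead-in): write denial + SYSCALL as in the report,
# plus an invented getattr denial for the same pipe.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295809293.592:27919): avc:  denied  { write } for  pid=15489 comm="sendmail" path="pipe:[4179224]" dev=pipefs ino=4179224 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1295809293.592:27919): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=15489 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:sendmail_t:s0
type=AVC msg=audit(1295809300.100:27920): avc:  denied  { getattr } for  pid=15490 comm="sendmail" path="pipe:[4179224]" dev=pipefs ino=4179224 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1295809300.100:27920): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=15490 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:sendmail_t:s0
"""

TYPE_RE = re.compile(r"type=(?P<rtype>\w+)")
SERIAL_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(r"arch=(?P<arch>[0-9a-f]+)\s+syscall=(?P<nr>\d+)")

# arch c000003e / syscall 59 is execve on x86_64, the point at which the kernel
# re-checks every inherited file descriptor against the new domain.
EXECVE_X86_64 = ("c000003e", 59)


def context_type(ctx):
    """Return the type field (third colon-separated element) of an SELinux context."""
    return ctx.split(":")[2]


def parse_audit_log(text):
    """Return one dict per AVC denial; 'syscall' holds (arch, nr) from the SYSCALL
    record with the same audit serial, or None if the log has no such record."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        rtype, serial = TYPE_RE.search(line), SERIAL_RE.search(line)
        if not (rtype and serial):
            continue
        if rtype.group("rtype") == "AVC":
            m = AVC_RE.search(line)
            if m:
                avcs.append({
                    "serial": serial.group("serial"),
                    "perms": m.group("perms").split(),
                    "stype": context_type(m.group("scontext")),
                    "ttype": context_type(m.group("tcontext")),
                    "tclass": m.group("tclass"),
                })
        elif rtype.group("rtype") == "SYSCALL":
            m = SYSCALL_RE.search(line)
            if m:
                syscalls[serial.group("serial")] = (m.group("arch"), int(m.group("nr")))
    for rec in avcs:
        rec["syscall"] = syscalls.get(rec["serial"])
    return avcs


def is_leaked_descriptor(rec):
    """Heuristic (mine, modelled on the 'leaks' plugin text): a fifo_file denial
    raised during execve means the new domain inherited a pipe it may not use.
    SELinux closes the descriptor, so such denials are normally harmless."""
    return rec["tclass"] == "fifo_file" and rec["syscall"] == EXECVE_X86_64


def suggest_allow_rules(text):
    """Merge denials per (source type, target type, class), as audit2allow does,
    and render one allow rule each with the permission set sorted."""
    merged = defaultdict(set)
    for rec in parse_audit_log(text):
        merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        tag = "leaked fd across exec" if is_leaked_descriptor(rec) else "real access"
        print(f"{rec['serial']}: {rec['stype']} -> {rec['ttype']}:{rec['tclass']} {rec['perms']} [{tag}]")
    for rule in suggest_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run it against a real /var/log/audit/audit.log instead of the sample to see which denials are execve-time leaks (safe to ignore, as the report says) before deciding whether a local module is warranted; a denial that is not a leak and still needs a rule is the case to report against selinux-policy rather than to paper over locally.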
Testing the RPM would be great also.
Yes, the RPM is now available from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=216524

So you can execute

# semodule -r mypol

and install the packages.
(In reply to comment #15)
> Yes, the RPM is now available from koji
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=216524

Thank you! I've successfully installed selinux-policy{,-targeted} from above.

Please wait 24h+ for my result report.
(In reply to comment #15)
> Yes, the RPM is now available from koji
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=216524

Unfortunately, sealert still raised an alert. I will attach audit_listener_database.xml.

Note: I didn't create a local policy, just installed:

selinux-policy-3.7.19-88.fc13.noarch.rpm
selinux-policy-targeted-3.7.19-88.fc13.noarch.rpm

Am I missing something? Should I restorecon somewhere?
Created attachment 476924 [details] audit_listener_database (with privacy cleanup)
Oops, my bad. Thanks for testing. Fixed in selinux-policy-3.7.19-89.fc13.
selinux-policy-3.7.19-89.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
(In reply to comment #21)
> selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 testing
> repository.

Thank you! It worked fine for me in Enforcing mode ;-)
Could you update the karma https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13 Thank you.
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.