Description of problem: rkhunter run by cron SELinux is preventing /usr/bin/mailx from 'append' accesses on the file /var/lib/rkhunter/rkhcronlog.F7vKob6O00. ***** Plugin restorecon (93.9 confidence) suggests ************************* If you want to fix the label. /var/lib/rkhunter/rkhcronlog.F7vKob6O00 default label should be var_lib_t. Then you can run restorecon. Do # /sbin/restorecon -v /var/lib/rkhunter/rkhcronlog.F7vKob6O00 ***** Plugin leaks (6.10 confidence) suggests ****************************** If you want to ignore mailx trying to append access the rkhcronlog.F7vKob6O00 file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/bin/mailx /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp ***** Plugin catchall (1.43 confidence) suggests *************************** If you believe that mailx should be allowed append access on the rkhcronlog.F7vKob6O00 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mail /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023 Target Context system_u:object_r:cron_var_lib_t:s0 Target Objects /var/lib/rkhunter/rkhcronlog.F7vKob6O00 [ file ] Source mail Source Path /usr/bin/mailx Port <Unknown> Host (removed) Source RPM Packages mailx-12.5-7.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-67.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.7.2-201.fc18.x86_64 #1 SMP Fri Jan 11 22:16:23 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-01-20 10:19:49 CET Last Seen 2013-01-20 10:19:49 CET Local ID d93e3ab0-c789-4ec4-881d-d82c2e31c12f Raw Audit Messages type=AVC msg=audit(1358673589.665:686): avc: denied { append } for pid=22030 comm="mail" path="/var/lib/rkhunter/rkhcronlog.F7vKob6O00" dev="dm-2" ino=2622012 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1358673589.665:686): arch=x86_64 syscall=execve success=yes exit=0 a0=190d4f0 a1=18bf6f0 a2=153a520 a3=28 items=0 ppid=7363 pid=22030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=37 tty=(none) comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) Hash: mail,system_mail_t,cron_var_lib_t,file,append audit2allow #============= system_mail_t ============== allow system_mail_t cron_var_lib_t:file append; audit2allow -R #============= system_mail_t ============== allow system_mail_t cron_var_lib_t:file append; Additional info: hashmarkername: setroubleshoot kernel: 3.7.2-201.fc18.x86_64 type: libreport Potential duplicate: bug 659651
I thought it has been fixed. https://bugzilla.redhat.com/show_bug.cgi?id=660544
It was in the default config... can you attach your /etc/rkhunter.conf file here?
Created attachment 683936 [details] rkhunter.conf
Yeah, the problem is the MAIL-ON-WARNING= being set. Unset that and it should work fine. Or do you have some use case for it? I'll see about getting upstream to remove it, as it's not very useful.
I also have $MAILTO in /etc/sysconfig/rkhunter set so it does it's job I guess. But when $MAIL-ON-WARNING is unset it blames in scan log: "No MAIL-ON-WARNING option has been configured." ...which I don't mind, I guess.
MAIL-ON-WARNING is pretty useless. MAILTO will give you a report if anything happens. I'll ask upstream to consider removing the MAIL-ON-WARNING option...
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.