06-28-2008, 10:11 AM
Frank Murphy

Fedora 9 SELinux is preventing sendmail (exim_t) "getattr" to pipe (system_crond_t)

I think this has to do with exim trying to send logs?
Should I actually bug-report?
or just use the
audit2allow -M local < /tmp/avcs

Frank

Summary:

SELinux is preventing sendmail (exim_t) "getattr" to pipe
(system_crond_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context system_u:system_r:exim_t:s0
Target Context system_u:system_r:system_crond_t:s0
Target Objects pipe [ fifo_file ]
Source sendmail
Source Path /usr/sbin/exim
Port <Unknown>
Host frank-01
Source RPM Packages exim-4.69-4.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-69.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name frank-01
Platform Linux frank-01 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count 3
First Seen Sat 28 Jun 2008 11:01:27 IST
Last Seen Sat 28 Jun 2008 11:01:27 IST
Local ID 675df78e-7627-418a-8d0b-2f9943cd7033
Line Numbers

Raw Audit Messages

host=frank-01 type=AVC msg=audit(1214647287.324:61): avc: denied { getattr } for pid=16267 comm="sendmail" path="pipe:[94447]" dev=pipefs ino=94447 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:system_crond_t:s0 tclass=fifo_file

host=frank-01 type=SYSCALL msg=audit(1214647287.324:61): arch=40000003 syscall=197 success=no exit=-13 a0=1 a1=bf812f64 a2=981ff4 a3=b805d84c items=0 ppid=1 pid=16267 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 key=(null)



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
06-30-2008, 12:36 PM
Daniel J Walsh

Fedora 9 SELinux is preventing sendmail (exim_t) "getattr" to pipe (system_crond_t)

Frank Murphy wrote:
> I think this has to do with exim trying to send logs?
> Should I actually bug-report?
> or just use the
> audit2allow -M local < /tmp/avcs
>
> Frank
>
> Summary:
>
> SELinux is preventing sendmail (exim_t) "getattr" to pipe
> (system_crond_t).
>
> Detailed Description:
>
> SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:exim_t:s0
> Target Context system_u:system_r:system_crond_t:s0
> Target Objects pipe [ fifo_file ]
> Source sendmail
> Source Path /usr/sbin/exim
> Port <Unknown>
> Host frank-01
> Source RPM Packages exim-4.69-4.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-69.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name frank-01
> Platform Linux frank-01 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
> Alert Count 3
> First Seen Sat 28 Jun 2008 11:01:27 IST
> Last Seen Sat 28 Jun 2008 11:01:27 IST
> Local ID 675df78e-7627-418a-8d0b-2f9943cd7033
> Line Numbers
>
> Raw Audit Messages
>
> host=frank-01 type=AVC msg=audit(1214647287.324:61): avc: denied { getattr } for pid=16267 comm="sendmail" path="pipe:[94447]" dev=pipefs ino=94447 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:system_crond_t:s0 tclass=fifo_file
>
> host=frank-01 type=SYSCALL msg=audit(1214647287.324:61): arch=40000003 syscall=197 success=no exit=-13 a0=1 a1=bf812f64 a2=981ff4 a3=b805d84c items=0 ppid=1 pid=16267 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 key=(null)
I will update policy to allow this. Although this probably does not
stop anything from functioning properly.
