FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 11-20-2007, 11:33 AM
"Adam Huffman"
 
Default Problems with sendmail after upgrade to F8

After yum upgrading from F7 to F8, I'm seeing alerts whenever
fetchmail brings in new mail, even after a complete relabelling of the
system:



Summary
SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
(unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context system_u:system_r:sendmail_t
Target Context unconfined_ubject_r:unconfined_home_dir_t
Target Objects None [ dir ]
Affected RPM Packages
Policy RPM selinux-policy-3.0.8-56.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name saintloup.smith.man.ac.uk
Platform Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count 18
First Seen Tue Nov 20 12:15:53 2007
Last Seen Tue Nov 20 12:30:59 2007
Local ID 3c789a3b-b8f8-4b21-a34a-bc198b90be73
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161
scontext=system_u:system_r:sendmail_t:s0 tclass=dir
tcontext=unconfined_ubject_r:unconfined_home_dir _t:s0

Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to
/home/adam (unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
expected that this access is required by /usr/sbin/sendmail.sendmail and
this access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /home/adam, restorecon -v
/home/adam If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context system_u:system_r:sendmail_t
Target Context unconfined_ubject_r:unconfined_home_dir_t
Target Objects /home/adam [ dir ]
Affected RPM Packages sendmail-8.14.1-4.2.fc8 [application]
Policy RPM selinux-policy-3.0.8-56.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name saintloup.smith.man.ac.uk
Platform Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count 66
First Seen Tue Nov 20 12:15:53 2007
Last Seen Tue Nov 20 12:30:59 2007
Local ID a9ca1470-2510-4d05-baa4-48f8aa3b4474
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500
exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500
subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir
tcontext=unconfined_ubject_r:unconfined_home_dir _t:s0 tty=(none) uid=0


I've not seen anything about sendmail in recent selinux-policy builds
- is something else wrong here?

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 11-20-2007, 12:32 PM
Daniel J Walsh
 
Default Problems with sendmail after upgrade to F8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Huffman wrote:
> After yum upgrading from F7 to F8, I'm seeing alerts whenever
> fetchmail brings in new mail, even after a complete relabelling of the
> system:
>
>
>
> Summary
> SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
> (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by sendmail. It is not expected that this
> access is required by sendmail and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for <Unknown>, restorecon -v
> <Unknown> If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context system_u:system_r:sendmail_t
> Target Context unconfined_ubject_r:unconfined_home_dir_t
> Target Objects None [ dir ]
> Affected RPM Packages
> Policy RPM selinux-policy-3.0.8-56.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name saintloup.smith.man.ac.uk
> Platform Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
> SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count 18
> First Seen Tue Nov 20 12:15:53 2007
> Last Seen Tue Nov 20 12:30:59 2007
> Local ID 3c789a3b-b8f8-4b21-a34a-bc198b90be73
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161
> scontext=system_u:system_r:sendmail_t:s0 tclass=dir
> tcontext=unconfined_ubject_r:unconfined_home_dir _t:s0
>
> Summary
> SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to
> /home/adam (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
> expected that this access is required by /usr/sbin/sendmail.sendmail and
> this access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /home/adam, restorecon -v
> /home/adam If this does not work, there is currently no automatic way to
> allow this access. Instead, you can generate a local policy module to allow
> this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context system_u:system_r:sendmail_t
> Target Context unconfined_ubject_r:unconfined_home_dir_t
> Target Objects /home/adam [ dir ]
> Affected RPM Packages sendmail-8.14.1-4.2.fc8 [application]
> Policy RPM selinux-policy-3.0.8-56.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name saintloup.smith.man.ac.uk
> Platform Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1
> SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count 66
> First Seen Tue Nov 20 12:15:53 2007
> Last Seen Tue Nov 20 12:30:59 2007
> Local ID a9ca1470-2510-4d05-baa4-48f8aa3b4474
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500
> exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0
> path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500
> subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir
> tcontext=unconfined_ubject_r:unconfined_home_dir _t:s0 tty=(none) uid=0
>
>
> I've not seen anything about sendmail in recent selinux-policy builds
> - is something else wrong here?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Does everything seem to be working correctly? IE Are you getting your mail?

This looks like sendmail is being executed from your home dir and it is
doing a getattr on it (On current working directory), which is
generating the AVC. If is not causing a problem. YOu should use
audit2allow to generate dontaudit rule.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHQuH5rlYvE4MpobMRAvsAAKDp8LXKk1nkcywmn7GIPl 2Q9qAaXwCfarGN
5QOtH0QW6efPg1Zt5BL45nk=
=poHR
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 10:10 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org