02-08-2009, 07:49 PM
Derek Atkins

Strange Mailman/Sendmail Audit messages in Fedora-10?

Hey,

I'm working on getting a new Fedora-10 server up and running. I've
set up mailman and have lists configured. Mail even seems to be
flowing, but for some reason I'm getting a strange audit message on
each incoming message. I find it interesting that there are three
unix_socket AVCs and I have three milters connected to sendmail.

The setroubleshoot viewer gives me the following information.

I'm hoping someone could help me understand these log messages,
and maybe help me make them go away?

Thanks,

-derek


Summary

SELinux is preventing mailman (mailman_mail_t) "read write" sendmail_t.

Detailed Description

SELinux denied access requested by mailman. It is not expected that this access is required by mailman and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information
Source Context: system_u:system_r:mailman_mail_t:s0
Target Context: system_u:system_r:sendmail_t:s0
Target Objects: socket [ unix_stream_socket ]
Source: mailman
Source Path: /usr/lib/mailman/mail/mailman
Port: <Unknown>
Host: <redacted>
Source RPM Packages: mailman-2.1.11-3.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-41.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: code.gnucash.org
Platform: Linux code.gnucash.org 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
Alert Count: 1
First Seen: Sun 08 Feb 2009 11:28:40 AM EST
Last Seen: Sun 08 Feb 2009 03:04:01 PM EST
Local ID: 606e93dc-55fc-4454-acfa-1081a87deb63
Line Numbers:

Raw Audit Messages :

node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
denied { read write } for pid=17455 comm="mailman"
path="socket:[105075]" dev=sockfs ino=105075
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
denied { read write } for pid=17455 comm="mailman"
path="socket:[105077]" dev=sockfs ino=105077
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

node=code.gnucash.org type=AVC msg=audit(1234123441.829:421): avc:
denied { read write } for pid=17455 comm="mailman"
path="socket:[105079]" dev=sockfs ino=105079
scontext=system_u:system_r:mailman_mail_t:s0
tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket

node=code.gnucash.org type=SYSCALL msg=audit(1234123441.829:421):
arch=40000003 syscall=11 success=yes exit=0 a0=8d42e38 a1=8d42f20
a2=8d42508 a3=0 items=0 ppid=17454 pid=17455 auid=4294967295 uid=8
gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none)
ses=4294967295 comm="mailman" exe="/usr/lib/mailman/mail/mailman"
subj=system_u:system_r:mailman_mail_t:s0 key=(null)

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
02-09-2009, 08:15 AM
Paul Howarth

Do your milters exec other programs? There are a couple of sockets
involved in the milter process (one in libmilter that shows up in the
milter process itself, and one at the other end of the connection in
sendmail) that don't have close-on-exec set, so their descriptors leak
when they exec other programs, and that looks like what you're seeing
here. I've submitted patches against 8.14.3 upstream many months ago but
there hasn't been a new release since.


In the meantime, I expect you can safely dontaudit these.

Paul.
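
The descriptor leak described in the reply above, as an added example (not code from sendmail, libmilter, or the patches mentioned in the thread): a Unix stream socket created without close-on-exec is still open in a program started with fork/exec, while FD_CLOEXEC or SOCK_CLOEXEC makes the kernel close it at exec time. The function names and the /proc-based check are assumptions made for illustration and require Linux.

```c
/* Added example: a Unix stream socket leaking across exec, and two ways to stop it. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum cloexec_mode { MODE_NONE, MODE_FCNTL, MODE_AT_CREATION };

/* Set FD_CLOEXEC on an existing descriptor, preserving its other fd flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh; the new program reports whether it inherited `fd`.
 * Returns 1 if the descriptor is open after exec, 0 if not, -1 on error.
 * Assumes a Linux /proc filesystem (illustration only). */
int fd_survives_exec(int fd)
{
    char script[64];
    int status;
    pid_t pid;

    snprintf(script, sizeof script, "[ -L /proc/self/fd/%d ]", fd);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) > 1)
        return -1;                      /* shell or exec error, not a yes/no answer */
    return WEXITSTATUS(status) == 0;
}

/* Create a socket pair the chosen way and test whether one end leaks. */
int leak_check(enum cloexec_mode mode)
{
    int sv[2], leaked;
    int type = SOCK_STREAM | (mode == MODE_AT_CREATION ? SOCK_CLOEXEC : 0);

    if (socketpair(AF_UNIX, type, 0, sv) == -1)
        return -1;
    if (mode == MODE_FCNTL && set_cloexec(sv[0]) == -1)
        leaked = -1;
    else
        leaked = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return leaked;
}

int main(void)
{
    printf("no close-on-exec:         leaked=%d\n", leak_check(MODE_NONE));
    printf("fcntl(FD_CLOEXEC):        leaked=%d\n", leak_check(MODE_FCNTL));
    printf("SOCK_CLOEXEC at creation: leaked=%d\n", leak_check(MODE_AT_CREATION));
    return 0;
}
```

Setting the flag at creation with SOCK_CLOEXEC avoids the window between socket creation and fcntl() in which another thread could fork and exec.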

02-09-2009, 04:47 PM
Derek Atkins

Hi,

Paul Howarth <paul@city-fan.org> writes:

[snip]
> Do your milters exec other programs? There are a couple of sockets

I don't think so, but I don't know. I'm using clamav-milter,
spamass-milter, and milter-sender. I'm pretty sure that the
latter doesn't fork/exec. I don't know about clamav or spamass.

> involved in the milter process (one in libmilter that shows up in the
> milter process itself, and one at the other end of the connection in
> sendmail) that don't have close-on-exec set, so their descriptors leak
> when they exec other programs, and that looks like what you're seeing
> here. I've submitted patches against 8.14.3 upstream many months ago
> but there hasn't been a new release since.
>
> In the meantime, I expect you can safely dontaudit these.

Okay, how would I do that?

> Paul.

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available

02-09-2009, 11:15 PM
Paul Howarth

On Mon, 09 Feb 2009 12:47:51 -0500
Derek Atkins <warlord@MIT.EDU> wrote:

> Hi,
>
> Paul Howarth <paul@city-fan.org> writes:
>
> [snip]
> > Do your milters exec other programs? There are a couple of sockets
>
> I don't think so, but I don't know. I'm using clamav-milter,
> spamass-milter, and milter-sender. I'm pretty sure that the
> latter doesn't fork/exec. I don't know about clamav or spamass.

spamass-milter forks and execs sendmail to deliver spam if you use the
"-b" option - that's how I discovered the problem.

The audit log entries you posted suggest that mailman inherited a
socket descriptor from sendmail.

> > involved in the milter process (one in libmilter that shows up in
> > the milter process itself, and one at the other end of the
> > connection in sendmail) that don't have close-on-exec set, so their
> > descriptors leak when they exec other programs, and that looks like
> > what you're seeing here. I've submitted patches against 8.14.3
> > upstream many months ago but there hasn't been a new release since.
> >
> > In the meantime, I expect you can safely dontaudit these.
>
> Okay, how would I do that?

You'll need to create a local policy module. I'd do it this way:

* Create a policy module development area:

# yum install make selinux-policy-devel
# cd /root
# mkdir selinux.local
# cd selinux.local
# chcon -R -t usr_t .
# ln -s /usr/share/selinux/devel/Makefile .

* Pipe the audit messages you want to eliminate through audit2allow to
create a policy module "mysendmail":

# ausearch -se sendmail |
audit2allow -m mysendmail |
sed 's/^allow /dontaudit /' > mysendmail.te

That should produce a file mysendmail.te like this:

module mysendmail 1.0;

require {
        type mailman_mail_t;
        type sendmail_t;
        class unix_stream_socket { read write };
}

#============= mailman_mail_t ==============
dontaudit mailman_mail_t sendmail_t:unix_stream_socket { read write };


* Compile the policy module:

# make

* Install the policy module:

# semodule -i mysendmail.pp

If you later want to remove the policy module (it'll survive a reboot),
do:

# semodule -r mysendmail

Cheers, Paul.

02-09-2009, 11:56 PM
Derek Atkins

Paul,

Quoting Paul Howarth <paul@city-fan.org>:

>> [snip]
>> > Do your milters exec other programs? There are a couple of sockets
>>
>> I don't think so, but I don't know. I'm using clamav-milter,
>> spamass-milter, and milter-sender. I'm pretty sure that the
>> latter doesn't fork/exec. I don't know about clamav or spamass.
>
> spamass-milter forks and execs sendmail to deliver spam if you use the
> "-b" option - that's how I discovered the problem.

Thanks. But I'm not using the -b option. It's run with:

-p /path/to/sock -P /path/to/pid -m -r 5 -i ...

> The audit log entries you posted suggest that mailman inherited a
> socket descriptor from sendmail.

I believe that.. Yet it doesn't look like it actually stopped anything
from happening.. The mail seemed to flow okay. But it would be
nice to fix this. I don't like getting audit warnings. Maybe sendmail
is leaking fds as you suggest? Should I file a bug with fedora
about this?

[snip]
>> Okay, how would I do that?
>
> You'll need to create a local policy module. I'd do it this way:
>
[instructions snipped]

Thanks, Paul. I'll consider doing this.

Is there any easy way to figure out what's connected to the sockets
that it's complaining about? I certainly can't find anything via
lsof or netstat -a. Most likely because the sockets get closed
before I see the audit message and try to track it down.

> Cheers, Paul.

And to you! Thanks.

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available

02-10-2009, 01:12 PM
Paul Howarth

Derek Atkins wrote:
> Paul,
>
> Quoting Paul Howarth <paul@city-fan.org>:
>
>>> [snip]
>>> > Do your milters exec other programs? There are a couple of sockets
>>>
>>> I don't think so, but I don't know. I'm using clamav-milter,
>>> spamass-milter, and milter-sender. I'm pretty sure that the
>>> latter doesn't fork/exec. I don't know about clamav or spamass.
>>
>> spamass-milter forks and execs sendmail to deliver spam if you use the
>> "-b" option - that's how I discovered the problem.
>
> Thanks. But I'm not using the -b option. It's run with:
>
> -p /path/to/sock -P /path/to/pid -m -r 5 -i ...

Yes, all the logs you posted appear to be mailman-related.

>> The audit log entries you posted suggest that mailman inherited a
>> socket descriptor from sendmail.
>
> I believe that.. Yet it doesn't look like it actually stopped anything
> from happening.. The mail seemed to flow okay. But it would be
> nice to fix this. I don't like getting audit warnings. Maybe sendmail
> is leaking fds as you suggest? Should I file a bug with fedora
> about this?

Well you could but it's not really causing a problem other than log
noise and upstream already have a fix for it though they're not in a
rush to do a new release.

> [snip]
>>> Okay, how would I do that?
>>
>> You'll need to create a local policy module. I'd do it this way:
>>
> [instructions snipped]
>
> Thanks, Paul. I'll consider doing this.
>
> Is there any easy way to figure out what's connected to the sockets
> that it's complaining about? I certainly can't find anything via
> lsof or netstat -a. Most likely because the sockets get closed
> before I see the audit message and try to track it down.

There's no easy way that I know of. In the end I got the spamass-milter
ones from running strace on the processes (I've since discovered how to
use the audit subsystem to get a little more targeted information of
this nature) and looking at the source code to follow what was going on.

If you're in enforcing mode then the kernel will actually be closing
down the descriptors at the time the AVCs are generated.

Paul.

02-10-2009, 01:18 PM
Daniel J Walsh


Derek Atkins wrote:
> Paul,
>
> Quoting Paul Howarth <paul@city-fan.org>:
>
>>> [snip]
>>> > Do your milters exec other programs? There are a couple of sockets
>>>
>>> I don't think so, but I don't know. I'm using clamav-milter,
>>> spamass-milter, and milter-sender. I'm pretty sure that the
>>> latter doesn't fork/exec. I don't know about clamav or spamass.
>>
>> spamass-milter forks and execs sendmail to deliver spam if you use the
>> "-b" option - that's how I discovered the problem.
>
> Thanks. But I'm not using the -b option. It's run with:
>
> -p /path/to/sock -P /path/to/pid -m -r 5 -i ...
>
>> The audit log entries you posted suggest that mailman inherited a
>> socket descriptor from sendmail.
>
> I believe that.. Yet it doesn't look like it actually stopped anything
> from happening.. The mail seemed to flow okay. But it would be
> nice to fix this. I don't like getting audit warnings. Maybe sendmail
> is leaking fds as you suggest? Should I file a bug with fedora
> about this?
>
> [snip]
>>> Okay, how would I do that?
>>
>> You'll need to create a local policy module. I'd do it this way:
>>
> [instructions snipped]
>
> Thanks, Paul. I'll consider doing this.
>
> Is there any easy way to figure out what's connected to the sockets
> that it's complaining about? I certainly can't find anything via
> lsof or netstat -a. Most likely because the sockets get closed
> before I see the audit message and try to track it down.
>
>> Cheers, Paul.
>
> And to you! Thanks.
>
> -derek
>
Yes any leaked file descriptors should be reported.
02-10-2009, 01:19 PM
Daniel J Walsh


Daniel J Walsh wrote:
> Derek Atkins wrote:
>> Paul,
>
>> Quoting Paul Howarth <paul@city-fan.org>:
>
>>>> [snip]
>>>>> Do your milters exec other programs? There are a couple of sockets
>>>> I don't think so, but I don't know. I'm using clamav-milter,
>>>> spamass-milter, and milter-sender. I'm pretty sure that the
>>>> latter doesn't fork/exec. I don't know about clamav or spamass.
>>> spamass-milter forks and execs sendmail to deliver spam if you use the
>>> "-b" option - that's how I discovered the problem.
>> Thanks. But I'm not using the -b option. It's run with:
>
>> -p /path/to/sock -P /path/to/pid -m -r 5 -i ...
>
>>> The audit log entries you posted suggest that mailman inherited a
>>> socket descriptor from sendmail.
>> I believe that.. Yet it doesn't look like it actually stopped anything
>> from happening.. The mail seemed to flow okay. But it would be
>> nice to fix this. I don't like getting audit warnings. Maybe sendmail
>> is leaking fds as you suggest? Should I file a bug with fedora
>> about this?
>
>> [snip]
>>>> Okay, how would I do that?
>>> You'll need to create a local policy module. I'd do it this way:
>>>
>> [instructions snipped]
>
>> Thanks, Paul. I'll consider doing this.
>
>> Is there any easy way to figure out what's connected to the sockets
>> that it's complaining about? I certainly can't find anything via
>> lsof or netstat -a. Most likely because the sockets get closed
>> before I see the audit message and try to track it down.
>
>>> Cheers, Paul.
>> And to you! Thanks.
>
>> -derek
>
> Yes any leaked file descriptors should be reported.

Actually Paul's response is better than mine.


02-13-2009, 02:31 PM
Derek Atkins

Daniel J Walsh <dwalsh@redhat.com> writes:

> Yes any leaked file descriptors should be reported.

Done. https://bugzilla.redhat.com/show_bug.cgi?id=485426

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
