
"Daniel B. Thurman" 03-05-2010 05:16 PM

F12: Selinux 'sendmail' denials on /var/log/message logfile
 
Problems with sendmail:
======================================

Summary:

SELinux is preventing /usr/sbin/sendmail.sendmail "read" access on
/var/log/messages.

Detailed Description:

[sendmail has a permissive type (system_mail_t). This access was not
denied.]

SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/messages [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          host.domain.com
Source RPM Packages           sendmail-8.14.3-8.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     host.domain.com
Platform                      Linux host.domain.com 2.6.31.12-174.2.22.fc12.i686
                              #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   12
First Seen                    Tue 02 Mar 2010 03:12:05 AM PST
Last Seen                     Fri 05 Mar 2010 03:13:28 AM PST
Local ID                      420ceb87-17a4-4e9b-ae71-356723aa6b9f
Line Numbers

Raw Audit Messages

node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
denied { read } for pid=14919 comm="sendmail" path="/var/log/messages"
dev=sdb8 ino=20167
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
denied { read } for pid=14919 comm="sendmail" path="/var/log/secure"
dev=sdb8 ino=20415
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
denied { read } for pid=14919 comm="sendmail" path="/var/log/maillog"
dev=sdb8 ino=21877
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=host.domain.com type=SYSCALL msg=audit(1267787608.324:42763):
arch=40000003 syscall=11 success=yes exit=0 a0=85088a0 a1=8508928
a2=8507eb0 a3=8508928 items=0 ppid=14865 pid=14919 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=246
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 03-05-2010 05:28 PM

F12: Selinux 'sendmail' denials on /var/log/message logfile
 
On 03/05/2010 07:16 PM, Daniel B. Thurman wrote:

> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
> denied { read } for pid=14919 comm="sendmail" path="/var/log/messages"
> dev=sdb8 ino=20167
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
> denied { read } for pid=14919 comm="sendmail" path="/var/log/secure"
> dev=sdb8 ino=20415
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
> denied { read } for pid=14919 comm="sendmail" path="/var/log/maillog"
> dev=sdb8 ino=21877
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=host.domain.com type=SYSCALL msg=audit(1267787608.324:42763):
> arch=40000003 syscall=11 success=yes exit=0 a0=85088a0 a1=8508928
> a2=8507eb0 a3=8508928 items=0 ppid=14865 pid=14919 auid=0 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=246
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Not sure why sendmail would need to read these files. It is obviously
not allowed.

Odd thing is that sendmail is allowed to append to "logfiles".

# sesearch --allow -s system_mail_t -t var_log_t
Found 4 semantic av rules:
allow application_domain_type logfile : file { getattr append } ;
allow system_mail_t var_log_t : dir { ioctl read write getattr lock
add_name remove_name search open } ;
allow system_mail_t logfile : file { ioctl getattr lock append open } ;
allow system_mail_t logfile : dir { getattr search open } ;

If this access is legitimate, then it is a bug in policy.


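Added example, not part of either post: the comparison made in the reply above, done mechanically by parsing the AVC records from the thread and checking each denied permission against the allow rules in the quoted sesearch output. It assumes that all four listed rules apply to system_mail_t acting on var_log_t, since sesearch returned them for that source/target query; the function names are this example's own.

```python
import re

# The three AVC records from the thread, mail line-wrapping undone.
AVC_LOG = """\
node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc: denied { read } for pid=14919 comm="sendmail" path="/var/log/messages" dev=sdb8 ino=20167 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc: denied { read } for pid=14919 comm="sendmail" path="/var/log/secure" dev=sdb8 ino=20415 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc: denied { read } for pid=14919 comm="sendmail" path="/var/log/maillog" dev=sdb8 ino=21877 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Allow rules from the sesearch output in the reply (wrapped rule rejoined).
# Assumption: every listed rule applies to system_mail_t -> var_log_t, because
# sesearch returned them for exactly that source/target query.
SESEARCH = """\
allow application_domain_type logfile : file { getattr append } ;
allow system_mail_t var_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow system_mail_t logfile : file { ioctl getattr lock append open } ;
allow system_mail_t logfile : dir { getattr search open } ;
"""

RULE_RE = re.compile(r"allow (\w+) (\w+) : (\w+) \{ ([^}]+)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source type, target type, class, denied perms, path) for one AVC line."""
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = set(re.search(r"denied\s+\{([^}]*)\}", line).group(1).split())
    # A context is user:role:type:level, so the type is the third field.
    stype, ttype = (kv[k].split(":")[2] for k in ("scontext", "tcontext"))
    return stype, ttype, kv["tclass"], perms, kv["path"]

def allowed_perms(rules, tclass):
    """Union of the permissions the listed allow rules grant on one object class."""
    granted = set()
    for _src, _tgt, cls, perms in RULE_RE.findall(rules):
        if cls == tclass:
            granted |= set(perms.split())
    return granted

def unexplained_denials(avc_text, rules):
    """Map each denied path to the permissions that no listed allow rule covers."""
    missing = {}
    for line in avc_text.splitlines():
        if "avc:" in line and "denied" in line:
            stype, ttype, tclass, perms, path = parse_avc(line)
            gap = sorted(perms - allowed_perms(rules, tclass))
            if gap:
                missing[path] = (stype, ttype, tclass, gap)
    return missing

if __name__ == "__main__":
    for path, (s, t, c, gap) in unexplained_denials(AVC_LOG, SESEARCH).items():
        print(f"{path}: {s} -> {t}:{c} lacks {{ {' '.join(gap)} }}")
```

For all three log files the only gap is `read` on class `file`: the rules grant append-style access to log files and read on the directory, but never read on the files themselves.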

