Old 04-29-2010, 12:41 PM
Moray Henderson
 
Policy prevents sendmail restarting

We have an email configuration package that often needs to restart
sendmail when it is upgraded. To make updates as easy as possible for
the users, it has a trigger script on sendmail that contains
"/etc/rc.d/init.d/sendmail condrestart", so that they don't have to
remember to do that themselves.

This worked fine on CentOS 4. On CentOS 5 it has a problem:

# rpm -qa selinux*
selinux-policy-targeted-2.4.6-255.el5_4.3
selinux-policy-2.4.6-255.el5_4.3
selinux-policy-devel-2.4.6-255.el5_4.3

Apr 29 12:40:27 ict sm-msp-queue[4024]: unable to write pid to
/var/run/sm-client.pid: Permission denied
time->Thu Apr 29 12:40:27 2010
type=SYSCALL msg=audit(1272541227.852:97659096): arch=40000003
syscall=196 success=no exit=-13 a0=bfec70d8 a1=bfec6f70 a2=4efff4 a3=3
items=0 ppid=4023 pid=4024 auid=783 uid=51 gid=51 euid=51 suid=51
fsuid=51 egid=51 sgid=51 fsgid=51 tty=(none) ses=23989 comm="sendmail"
exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0
key=(null)
type=AVC msg=audit(1272541227.852:97659096): avc: denied { getattr }
for pid=4024 comm="sendmail" path="/var/run/sm-client.pid" dev=dm-4
ino=1097779 scontext=user_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=file

A manual restart of sendmail works. This is because of the following
transition rules:

type_transition unconfined_t sendmail_exec_t : process sendmail_t;
type_transition initrc_t sendmail_exec_t : process sendmail_t;
type_transition rpm_script_t sendmail_exec_t : process system_mail_t;

In other words, being run from an rpm script does not give sendmail
enough access to restart. I don't know why there wasn't a similar error
for /var/run/sendmail.pid, though.


Moray.
"To err is human. To purr, feline"
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 04-29-2010, 02:47 PM
Daniel J Walsh
 
Policy prevents sendmail restarting

On 04/29/2010 08:41 AM, Moray Henderson wrote:
> We have an email configuration package that often needs to restart
> sendmail when it is upgraded. To make updates as easy as possible for
> the users, it has a trigger script on sendmail that contains
> "/etc/rc.d/init.d/sendmail condrestart", so that they don't have to
> remember to do that themselves.
>
> This worked fine on CentOS 4. On CentOS 5 it has a problem:
>
> # rpm -qa selinux*
> selinux-policy-targeted-2.4.6-255.el5_4.3
> selinux-policy-2.4.6-255.el5_4.3
> selinux-policy-devel-2.4.6-255.el5_4.3
>
> Apr 29 12:40:27 ict sm-msp-queue[4024]: unable to write pid to
> /var/run/sm-client.pid: Permission denied
> time->Thu Apr 29 12:40:27 2010
> type=SYSCALL msg=audit(1272541227.852:97659096): arch=40000003
> syscall=196 success=no exit=-13 a0=bfec70d8 a1=bfec6f70 a2=4efff4 a3=3
> items=0 ppid=4023 pid=4024 auid=783 uid=51 gid=51 euid=51 suid=51
> fsuid=51 egid=51 sgid=51 fsgid=51 tty=(none) ses=23989 comm="sendmail"
> exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0
> key=(null)
> type=AVC msg=audit(1272541227.852:97659096): avc: denied { getattr }
> for pid=4024 comm="sendmail" path="/var/run/sm-client.pid" dev=dm-4
> ino=1097779 scontext=user_u:system_r:system_mail_t:s0
> tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=file
>
> A manual restart of sendmail works. This is because of the following
> transition rules:
>
> type_transition unconfined_t sendmail_exec_t : process sendmail_t;
> type_transition initrc_t sendmail_exec_t : process sendmail_t;
> type_transition rpm_script_t sendmail_exec_t : process system_mail_t;
>
> In other words, being run from an rpm script does not give sendmail
> enough access to restart. I don't know why there wasn't a similar error
> for /var/run/sendmail.pid, though.
>
>
> Moray.
> "To err is human. To purr, feline"

I think /etc/rc.d/init.d/sendmail is mislabeled.

Run restorecon on it.

Because using the init script with the correct label it should be

unconfined_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t

rpm_script_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t
 
Old 04-29-2010, 03:37 PM
Moray Henderson
 
Policy prevents sendmail restarting

Daniel J Walsh wrote:
>On 04/29/2010 08:41 AM, Moray Henderson wrote:
>> We have an email configuration package that often needs to restart
>> sendmail when it is upgraded. To make updates as easy as possible for
>> the users, it has a trigger script on sendmail that contains
>> "/etc/rc.d/init.d/sendmail condrestart", so that they don't have to
>> remember to do that themselves.
>>
>> This worked fine on CentOS 4. On CentOS 5 it has a problem:
>>
>> # rpm -qa selinux*
>> selinux-policy-targeted-2.4.6-255.el5_4.3
>> selinux-policy-2.4.6-255.el5_4.3
>> selinux-policy-devel-2.4.6-255.el5_4.3
>>
>> Apr 29 12:40:27 ict sm-msp-queue[4024]: unable to write pid to
>> /var/run/sm-client.pid: Permission denied
>> time->Thu Apr 29 12:40:27 2010
>> type=SYSCALL msg=audit(1272541227.852:97659096): arch=40000003
>> syscall=196 success=no exit=-13 a0=bfec70d8 a1=bfec6f70 a2=4efff4 a3=3
>> items=0 ppid=4023 pid=4024 auid=783 uid=51 gid=51 euid=51 suid=51
>> fsuid=51 egid=51 sgid=51 fsgid=51 tty=(none) ses=23989 comm="sendmail"
>> exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0
>> key=(null)
>> type=AVC msg=audit(1272541227.852:97659096): avc: denied { getattr }
>> for pid=4024 comm="sendmail" path="/var/run/sm-client.pid" dev=dm-4
>> ino=1097779 scontext=user_u:system_r:system_mail_t:s0
>> tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=file
>>
>> A manual restart of sendmail works. This is because of the following
>> transition rules:
>>
>> type_transition unconfined_t sendmail_exec_t : process sendmail_t;
>> type_transition initrc_t sendmail_exec_t : process sendmail_t;
>> type_transition rpm_script_t sendmail_exec_t : process system_mail_t;
>>
>> In other words, being run from an rpm script does not give sendmail
>> enough access to restart. I don't know why there wasn't a similar error
>> for /var/run/sendmail.pid, though.
>
>I think /etc/rc.d/init.d/sendmail is mislabeled.
>
>Run restorecon on it.
>
>Because using the init script with the correct label it should be
>
>unconfined_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t
>
>rpm_script_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t

Ah, that was it:

restorecon reset /etc/rc.d/init.d/sendmail context
root:object_r:etc_t:s0->system_u:object_r:initrc_exec_t:s0

I'll work out how that happened, and get it to stop. Thank you.


Moray.
"To err is human. To purr, feline"

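The diagnosis in Dan's reply and the restorecon output above can be checked mechanically: a mislabeled init script (etc_t instead of initrc_exec_t) has no matching type_transition, so the rpm scriptlet stays in rpm_script_t and the direct rpm_script_t -> sendmail_exec_t rule lands sendmail in system_mail_t. This added example (not code from the thread or from the selinux-policy package) parses the type_transition rules quoted in the thread, adds the two initrc_exec_t -> initrc_t rules implied by Dan's chains (assumed here, not quoted verbatim on the page), and walks the exec chain for both labels.

```python
import re

# Rules quoted in the thread, plus the initrc transitions implied by Dan's
# chains (assumed form, added for this example; not quoted on the page).
POLICY = """
type_transition unconfined_t sendmail_exec_t : process sendmail_t;
type_transition initrc_t sendmail_exec_t : process sendmail_t;
type_transition rpm_script_t sendmail_exec_t : process system_mail_t;
type_transition unconfined_t initrc_exec_t : process initrc_t;
type_transition rpm_script_t initrc_exec_t : process initrc_t;
"""

RULE_RE = re.compile(
    r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;$")


def parse_transitions(text):
    """Return {(source_domain, exec_file_type): new_domain} for process rules."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule: " + line)
        src, exec_type, new_domain = m.groups()
        rules[(src, exec_type)] = new_domain
    return rules


def resolve_domain(rules, start, exec_chain):
    """Follow the file types executed in turn. With no matching rule the
    process keeps its domain, which is exactly what a mislabeled file does."""
    domain = start
    path = [domain]
    for exec_type in exec_chain:
        domain = rules.get((domain, exec_type), domain)
        path.append(domain)
    return path


def rpm_scriptlet_restart(rules, init_script_label):
    """Domain chain when an rpm scriptlet runs the init script, which then
    execs /usr/sbin/sendmail (labeled sendmail_exec_t)."""
    return resolve_domain(rules, "rpm_script_t",
                          [init_script_label, "sendmail_exec_t"])


if __name__ == "__main__":
    rules = parse_transitions(POLICY)
    for label in ("initrc_exec_t", "etc_t"):
        print(label + ":", " -> ".join(rpm_scriptlet_restart(rules, label)))
```

With the correct initrc_exec_t label the chain ends in sendmail_t; with the etc_t label seen in the restorecon output it ends in system_mail_t, the scontext in the AVC denial.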