11-25-2007, 07:45 AM
"Knute Johnson"

Weird selinux problem with sendmail

I loaded F8 onto my old mail server computer and started to
reassemble it. But I'm getting a strange message from sendmail and a
selinux avc to go with it. I do not have a .forward file and I have
an almost identical system running that doesn't have one either and
doesn't give any errors. I don't know if this is a sendmail problem
or a selinux problem. The mail comes and goes OK. Any ideas?

Thanks,

knute...

Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
/home/knute/.forward.www: Permission denied
Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
/home/knute/.forward: Permission denied

Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
{ getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
--
Knute Johnson
Molon Labe...


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
11-26-2007, 12:34 PM
"Adam Huffman"

Weird selinux problem with sendmail

On Nov 25, 2007 8:45 AM, Knute Johnson <knute@frazmtn.com> wrote:
> I loaded F8 onto my old mail server computer and started to
> reassemble it. But I'm getting a strange message from sendmail and a
> selinux avc to go with it. I do not have a .forward file and I have
> an almost identical system running that doesn't have one either and
> doesn't give any errors. I don't know if this is a sendmail problem
> or a selinux problem. The mail comes and goes OK. Any ideas?
>
> Thanks,
>
> knute...
>
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward.www: Permission denied
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward: Permission denied
>
> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir


I don't have any ideas for solving it but I'm seeing very similar
messages, on a box upgraded from F7 to F8.

Adam

 
11-26-2007, 04:49 PM
Paul Howarth

Weird selinux problem with sendmail

Knute Johnson wrote:
> I loaded F8 onto my old mail server computer and started to
> reassemble it. But I'm getting a strange message from sendmail and a
> selinux avc to go with it. I do not have a .forward file and I have
> an almost identical system running that doesn't have one either and
> doesn't give any errors. I don't know if this is a sendmail problem
> or a selinux problem. The mail comes and goes OK. Any ideas?
>
> Thanks,
>
> knute...
>
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward.www: Permission denied
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward: Permission denied
>
> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir


This looks to be sendmail checking to see if you have a .forward file
and getting an SELinux denial when it does so. Since you don't have one,
the failure doesn't have an impact.


I don't know where the unconfined_home_dir_t comes from though. I'm
running F8 with targeted policy and the home directories are
user_home_dir_t rather than unconfined_home_dir_t.


What's the output of:

# sestatus

and:

# ls -lZ /home/knute

and:

# restorecon -Fv /home/knute

Paul.

 
11-26-2007, 09:27 PM
Morgan Read

Weird selinux problem with sendmail

On Mon, 2007-11-26 at 13:34 +0000, Adam Huffman wrote:
> On Nov 25, 2007 8:45 AM, Knute Johnson <knute@frazmtn.com> wrote:
> > I loaded F8 onto my old mail server computer and started to
> > reassemble it. But I'm getting a strange message from sendmail and a
> > selinux avc to go with it. I do not have a .forward file and I have
> > an almost identical system running that doesn't have one either and
> > doesn't give any errors. I don't know if this is a sendmail problem
> > or a selinux problem. The mail comes and goes OK. Any ideas?
> >
> > Thanks,
> >
> > knute...
> >
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward.www: Permission denied
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward: Permission denied
> >
> > Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> > { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> > ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

(I'd like to jump in here - I was about to file a bug against sendmail,
but thought I'd check the lists first!)

I have a similar looking problem after moving to f8 and setting up
my /etc/aliases so that user "morgan" is the person that should get
root's mail (as I have done previously). Similar ref to
unconfined_home_dir_t - but I know little about this stuff. I'm not
getting my mail.

I've copied at bottom three example selinux_alerts, the most recent from
each of three streams of alerts I seem to be accumulating in the
"setroubleshoot browser".

Hope this helps, and I'm interested in any answers.

Regards,
M.

selinux_alert_22-11-07-1.45
Summary
SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan
(unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /home/morgan, restorecon -v
/home/morgan If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                /home/morgan [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     morgansmachine.lan
Platform                      Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP
                              Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   2
First Seen                    Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen                     Thu 22 Nov 2007 01:45:01 PM NZDT
Local ID                      33456cfd-f6bf-4857-8690-f681680cd24c
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=14769
scontext=system_u:system_r:sendmail_t:s0 tclass=dir
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0


selinux_alert_27-11-07-9.45
Summary
SELinux is preventing sendmail (sendmail_t) "search" to <Unknown>
(unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                None [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     morgansmachine.lan
Platform                      Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP
                              Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   5
First Seen                    Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen                     Tue 27 Nov 2007 09:45:51 AM NZDT
Local ID                      b60f5a23-575f-4489-89c7-ab71e8be786d
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=sendmail dev=dm-1 name=morgan pid=5918
scontext=system_u:system_r:sendmail_t:s0 tclass=dir
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0


selinux_alert_27-11-07-10.10
Summary
SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan
(unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. /home/morgan may be a
mislabeled. /home/morgan default SELinux type is <B>user_home_dir_t</B>,
while its current type is <B>unconfined_home_dir_t</B>. Changing this file
back to the default type, may fix your problem. File contexts can get
assigned to a file can following ways. <ul> <li>Files created in a
directory recieve the file context of the parent directory by default.
<li>Users can change the file context on a file using tools like chcon, or
restorecon. <li>The kernel can decide via policy that an application running
as context A Creating a file in a directory labeled B will create files
labeled C. </ul> This file could have been mislabeled either by user error,
or if an normally confined application was run under the wrong domain. Of
course this could also indicate a bug in SELinux, in that the file should
not be labeled with this type. If you believe this is a bug, please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
You can restore the default system context to this file by executing the
restorecon command. restorecon /home/morgan, if this file is a directory,
you can recursively restore using restorecon -R /home/morgan.

The following command will allow this access:
restorecon /home/morgan

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                /home/morgan [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.restorecon
Host Name                     morgansmachine.lan
Platform                      Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP
                              Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count                   9
First Seen                    Fri 23 Nov 2007 07:04:40 PM NZDT
Last Seen                     Tue 27 Nov 2007 10:10:04 AM NZDT
Local ID                      96c556ec-4c09-4641-90d0-8c4be7082c66
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=7760
scontext=system_u:system_r:sendmail_t:s0 tclass=dir
tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

--
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17

Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>

fedora: Freedom Forever!
http://fedoraproject.org/wiki/Overview

"By choosing not to ship any proprietary or binary drivers, Fedora does
differ from other distributions. ..."
Quote: Max Spevik
http://interviews.slashdot.org/article.pl?sid=06/08/17/177220

RMS on fedora:
http://fedoraproject.org/wiki/FreeSoftwareAnalysis/FSF
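
The check that Paul Howarth's reply and the third setroubleshoot alert above both come down to (compare the denied target's type with the default type for that path) is sketched here as an added example; it is not code from the thread or from setroubleshoot. The two records are the thread's own, joined onto one line each; `EXPECTED_TYPES`, `parse_avc`, `expected_type` and `triage` are hypothetical names, and the table is an assumption standing in for the policy's file-context database.

```python
import re

# Constructed sample: two AVC records quoted in this thread, each joined onto
# one line, with the target context written out in full.
SAMPLE_LOG = """\
Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0 ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
avc: denied { search } for comm=sendmail dev=dm-1 name=morgan pid=5918 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
"""

# Assumption: default types per path pattern, standing in for the policy's
# file-context database (on a live system, `matchpathcon <path>` answers this).
EXPECTED_TYPES = [(re.compile(r"^/home/[^/]+$"), "user_home_dir_t")]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec.get("scontext", "::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", "::").split(":")[2]
    return rec

def expected_type(path):
    """Look up the default type for a path in the assumed table."""
    for pattern, setype in EXPECTED_TYPES:
        if pattern.match(path):
            return setype
    return None

def triage(line):
    """Return (verdict, record, expected type) or None for non-AVC lines."""
    rec = parse_avc(line)
    if rec is None:
        return None
    path = rec.get("path")
    if path is None:  # record carries only name=, as in the <Unknown> alert
        return ("unknown-path", rec, None)
    want = expected_type(path)
    if want and want != rec["target_type"]:
        return ("mislabeled", rec, want)  # relabeling is the candidate fix
    return ("policy", rec, want)  # label is not the difference; look at policy
```

A `mislabeled` verdict corresponds to the alert raised by `plugins.restorecon`; `unknown-path` corresponds to the `search` alert whose target is `<Unknown>`, where the path has to be recovered from another record before the label can be compared.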
 
11-26-2007, 09:48 PM
"Knute Johnson"

Weird selinux problem with sendmail

>On Nov 25, 2007 8:45 AM, Knute Johnson <knute@frazmtn.com> wrote:
>> I loaded F8 onto my old mail server computer and started to
>> reassemble it. But I'm getting a strange message from sendmail and a
>> selinux avc to go with it. I do not have a .forward file and I have
>> an almost identical system running that doesn't have one either and
>> doesn't give any errors. I don't know if this is a sendmail problem
>> or a selinux problem. The mail comes and goes OK. Any ideas?
>>
>> Thanks,
>>
>> knute...
>>
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward.www: Permission denied
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward: Permission denied
>>
>> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
>> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
>> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
>> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
>
>
>I don't have any ideas for solving it but I'm seeing very similar
>messages, on a box upgraded from F7 to F8.
>
>Adam

Well then by now it has probably resolved itself if you've done an
upgrade. Mine took about an hour after the upgrade to stop the
messages.

--
Knute Johnson
Molon Labe...


 
11-26-2007, 09:48 PM
"Knute Johnson"

Weird selinux problem with sendmail

>Knute Johnson wrote:
>> I loaded F8 onto my old mail server computer and started to
>> reassemble it. But I'm getting a strange message from sendmail and a
>> selinux avc to go with it. I do not have a .forward file and I have
>> an almost identical system running that doesn't have one either and
>> doesn't give any errors. I don't know if this is a sendmail problem
>> or a selinux problem. The mail comes and goes OK. Any ideas?
>>
>> Thanks,
>>
>> knute...
>>
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward.www: Permission denied
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward: Permission denied
>>
>> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
>> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
>> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
>> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
>
>This looks to be sendmail checking to see if you have a .forward file
>and getting an SELinux denial when it does so. Since you don't have one,
>the failure doesn't have an impact.
>
>I don't know where the unconfined_home_dir_t comes from though. I'm
>running F8 with targeted policy and the home directories are
>user_home_dir_t rather than unconfined_home_dir_t.
>
>What's the output of:
>
># sestatus
>
>and:
>
># ls -lZ /home/knute
>
>and:
>
># restorecon -Fv /home/knute
>
>Paul.

The problem resolved itself about an hour after I did a yum update.

--
Knute Johnson
Molon Labe...

