LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   SELinux prevents access to perl script (http://www.linuxquestions.org/questions/linux-security-4/selinux-prevents-access-to-perl-script-4175455968/)

legolasthehansy 03-28-2013 07:44 PM

SELinux prevents access to perl script
 
I've configured Bugzilla to send e-mails through the Amazon SES SMTP server. With SELinux shut down, any bug update triggers an e-mail (which invokes sendmail on the local box and forwards it to the Amazon SMTP host) to me. With SELinux running, I get this. I really need to run SELinux on this box, so shutting it down isn't an option I can take.

It looks like Sendmail is prevented from executing the Amazon perl script on /usr/share/amazon/ses-send-email.pl. I'm not sure what the rule is to be allowed for this.

From /var/log/maillog

Code:

Mar 27 13:31:18 HOST sendmail[6986]: r2RHVITp006986: to=user@hostname, ctladdr=user1@host (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32627, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r2RHVIeG006989 Message accepted for delivery)
Mar 27 13:31:18 hostname sendmail[6992]: r2RHVIeG006989: SYSERR(root): Cannot exec /usr/share/amazon/ses-send-email.pl: Permission denied
Mar 27 13:31:18 hostname sendmail[6991]: r2RHVIeG006989: to=<user@hostname>, delay=00:00:00, xdelay=00:00:00, mailer=aws-email, pri=122864, relay=., dsn=5.0.0, stat=Service unavailable


From /var/log/audit/audit.log

Code:

type=AVC msg=audit(1364405192.770:2818): avc: denied { execute } for pid=6670 comm="sendmail" name="ses-send-email.pl" dev=xvde1 ino=42960 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:sendmail_t:s0 tclass=file
type=SYSCALL msg=audit(1364405192.770:2818): arch=c000003e syscall=59 success=no exit=-13 a0=7ff588f89ef0 a1=7fff7aa5c160 a2=7ff587691200 a3=7fff7aa5bdd0 items=1 ppid=6669 pid=6670 auid=0 uid=8 gid=12 euid=8 suid=8 fsuid=8 egid=12 sgid=12 fsgid=12 tty=(none) ses=29 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=CWD msg=audit(1364405192.770:2818): cwd="/var/spool/mqueue"
type=PATH msg=audit(1364405192.770:2818): item=0 name="/usr/share/amazon/ses-send-email.pl" inode=42960 dev=ca:41 mode=0100555 ouid=8 ogid=0 rdev=00:00 obj=unconfined_u:object_r:sendmail_t:s0
type=AVC msg=audit(1364405192.810:2819): avc: denied { execute } for pid=6673 comm="sendmail" name="ses-send-email.pl" dev=xvde1 ino=42960 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:sendmail_t:s0 tclass=file


unSpawn 03-29-2013 02:41 AM

Pipe these /var/log/audit/audit.log lines through audit2allow to see what rules they would result in. Then do the same, but see 'man audit2allow' for what "-M" causes. Once you've used that, the instruction to load your custom policy addition will be printed on screen.

legolasthehansy 03-30-2013 05:27 PM

Thanks unSpawn.

Though I was able to get the rules using audit2allow, running those gave errors. I finally had to run the sendmail program as a daemon after stopping sendmail as a whole:

service sendmail stop;

sendmail -bd -O loglevel 2 > /tmp/sendmail.log (if I remember right)

Now e-mails from Bugzilla seem to flow through. I'm guessing sendmail itself has no problems now with SELinux given this is running. It may be the smmsp program which is giving problems, as this isn't running now.

unSpawn 04-01-2013 04:35 PM

Quote:

Originally Posted by legolasthehansy (Post 4921839)
Though I was able to get the rules using audit2allow, running those gave errors.

What steps did you take (commands please) and what (exact!) errors did that produce?


Quote:

Originally Posted by legolasthehansy (Post 4921839)
It may be the smmsp program which is giving problems as this isn't running now.

AFAIK the default "targeted" policy should have Sendmail mailer daemon, shell and submission agent rules already.

legolasthehansy 04-03-2013 02:50 PM

I was not able to get the exact sequence of commands from my history. The errors I saw were posted on Red Hat's Bugzilla; it was something like this:

Code:

root@host grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6

I finally had to make sendmail start up as a daemon without the queue. I know this is not the solution and I'm going to spend some more time on this after a few weeks.

Thanks!

unSpawn 04-04-2013 01:44 PM

Quote:

Originally Posted by legolasthehansy (Post 4924544)
I was not able to get the exact sequence of commands from my history. The errors I saw were posted on Red Hat's Bugzilla,

Pity because I'd rather see the errors relevant to your system. But then again "it works" so maybe save proper troubleshooting for next time...

legolasthehansy 11-20-2013 12:29 PM

I had to redo the setup again, and after finding more time to look into SELinux, it was only a matter of entering a single command:

chcon -t sendmail_exec_t /usr/share/amazon/ses-send-email.pl

Hope this helps someone.
Thanks!
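As an added example, not code from the thread or from any of its posters: a POSIX shell script that reads the AVC record quoted at the top of the thread (embedded below as a constructed sample), recognises it as a labeling problem rather than a missing allow rule, and prints the persistent fix. The denial says the sendmail_t domain was refused execute on a file whose type is also sendmail_t, i.e. the script carries the daemon's process type instead of an executable type; feeding that line to audit2allow, as suggested earlier, would generate an allow rule that papers over the mislabel rather than correcting it, and the chcon from the final post corrects it but does not survive a restorecon or a filesystem relabel, which is why the script prints semanage fcontext first. The function names avc_field, avc_perms, ctx_type and relabel_fix are this example's own; the sendmail_exec_t label follows the thread's final post.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an SELinux AVC denial
# and print the commands that fix a mislabeled file persistently.
# Assumes the audit.log AVC record format quoted in the thread; the
# function names (avc_field, avc_perms, ctx_type, relabel_fix) are this
# example's own.

# Constructed sample: the first AVC record the poster quoted, plus the
# full path from the matching PATH record.
AVC_LINE='type=AVC msg=audit(1364405192.770:2818): avc: denied { execute } for pid=6670 comm="sendmail" name="ses-send-email.pl" dev=xvde1 ino=42960 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:sendmail_t:s0 tclass=file'
TARGET_PATH='/usr/share/amazon/ses-send-email.pl'

# avc_field LINE KEY: value of the KEY=value token in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perms LINE: the permission list inside "denied { ... }", trailing space trimmed.
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field (third colon-separated part) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# relabel_fix LINE PATH [TYPE]: if the denial is a domain refused execute on a
# file that carries the domain's own process type (a labeling error, not a
# missing rule), print the persistent relabel commands and return 0.
# TYPE defaults to sendmail_exec_t, the label the thread settled on.
relabel_fix() {
    line=$1 target=$2 want=${3:-sendmail_exec_t}
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    if [ "$tclass" = file ] && [ "$perms" = execute ] && [ "$ttype" = "$sdom" ]; then
        cat <<EOF
# $sdom was denied execute on $target because the file is labeled $ttype,
# the domain's own process type, not an executable type. Relabel it:
semanage fcontext -a -t $want '$target'
restorecon -v '$target'
# One-off equivalent that does not survive a relabel (what the thread used):
# chcon -t $want '$target'
EOF
        return 0
    fi
    echo "# not a file-execute mislabel: perms=$perms tclass=$tclass target type=$ttype" >&2
    return 1
}

relabel_fix "$AVC_LINE" "$TARGET_PATH"
```

Run it as-is to see the suggested commands for the quoted denial; to triage a live box, replace AVC_LINE with a record from `ausearch -m avc -c sendmail` and TARGET_PATH with the name from its PATH record. After relabeling, `ls -Z` on the script should show the new type, and `matchpathcon` on the path should agree with it once the semanage entry is in place.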

