LinuxQuestions.org
Old 03-28-2013, 07:44 PM   #1
legolasthehansy
LQ Newbie
 
SELinux prevents access to perl script


I've configured Bugzilla to send e-mails through the Amazon SES SMTP server. With SELinux shut down, any bug update triggers an e-mail (which invokes sendmail on the local box and forwards it to the Amazon SMTP host) to me. With SELinux running, I get this. I really need to run SELinux on this box so shutting it down isn't an option I can take.

It looks like Sendmail is prevented from executing the Amazon perl script on /usr/share/amazon/ses-send-email.pl. I'm not sure what the rule is to be allowed for this.

From /var/log/maillog

Code:
Mar 27 13:31:18 HOST sendmail[6986]: r2RHVITp006986: to=user@hostname, ctladdr=user1@host (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32627, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (r2RHVIeG006989 Message accepted for delivery)
Mar 27 13:31:18 hostname sendmail[6992]: r2RHVIeG006989: SYSERR(root): Cannot exec /usr/share/amazon/ses-send-email.pl: Permission denied
Mar 27 13:31:18 hostname sendmail[6991]: r2RHVIeG006989: to=<user@hostname>, delay=00:00:00, xdelay=00:00:00, mailer=aws-email, pri=122864, relay=., dsn=5.0.0, stat=Service unavailable

From /var/log/audit/audit.log

Code:
type=AVC msg=audit(1364405192.770:2818): avc: denied { execute } for pid=6670 comm="sendmail" name="ses-send-email.pl" dev=xvde1 ino=42960 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:sendmail_t:s0 tclass=file
type=SYSCALL msg=audit(1364405192.770:2818): arch=c000003e syscall=59 success=no exit=-13 a0=7ff588f89ef0 a1=7fff7aa5c160 a2=7ff587691200 a3=7fff7aa5bdd0 items=1 ppid=6669 pid=6670 auid=0 uid=8 gid=12 euid=8 suid=8 fsuid=8 egid=12 sgid=12 fsgid=12 tty=(none) ses=29 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=CWD msg=audit(1364405192.770:2818): cwd="/var/spool/mqueue"
type=PATH msg=audit(1364405192.770:2818): item=0 name="/usr/share/amazon/ses-send-email.pl" inode=42960 dev=ca:41 mode=0100555 ouid=8 ogid=0 rdev=00:00 obj=unconfined_u:object_r:sendmail_t:s0
type=AVC msg=audit(1364405192.810:2819): avc: denied { execute } for pid=6673 comm="sendmail" name="ses-send-email.pl" dev=xvde1 ino=42960 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:sendmail_t:s0 tclass=file
 
Old 03-29-2013, 02:41 AM   #2
unSpawn
Moderator
 
Pipe these /var/log/audit/audit.log lines through audit2allow to see what rules they would result in. Then do the same but see 'man audit2allow' for what "-M" causes. Once you've used that, the instruction to load your custom policy addition will be printed on screen.
 
1 members found this post helpful.
Old 03-30-2013, 05:27 PM   #3
legolasthehansy
LQ Newbie
 
Original Poster
Thanks unSpawn.

Though I was able to get the rules using audit2allow, running those gave errors. I finally had to run the sendmail program as a daemon after stopping sendmail as a whole,

service sendmail stop;

sendmail -bd -O loglevel 2 > /tmp/sendmail.log (if I remember right)

Now e-mails from Bugzilla seem to flow through. I'm guessing sendmail itself has no problems now with SELinux given this is running. It may be the smmsp program which is giving problems as this isn't running now.
 
Old 04-01-2013, 04:35 PM   #4
unSpawn
Moderator
 
Quote:
Originally Posted by legolasthehansy View Post
Though I was able to get the rules using audit2allow, running those gave errors.
What steps did you take (commands please) and what (exact!) errors did that produce?


Quote:
Originally Posted by legolasthehansy View Post
It may be the smmsp program which is giving problems as this isn't running now.
AFAIK the default "targeted" policy should have Sendmail mailer daemon, shell and submission agent rules already.
 
Old 04-03-2013, 02:50 PM   #5
legolasthehansy
LQ Newbie
 
Original Poster
I was not able to get the exact sequence of commands from my history. The errors I saw were posted on Red Hat's Bugzilla. It was something like this:

Code:
root@host grep /usr/sbin/sendmail.sendmail /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6
I finally had to make sendmail start up as a daemon without the queue. I know this is not the solution and I'm going to spend some more time on this after a few weeks.

Thanks!

Last edited by legolasthehansy; 04-03-2013 at 02:51 PM.
 
Old 04-04-2013, 01:44 PM   #6
unSpawn
Moderator
 
Quote:
Originally Posted by legolasthehansy View Post
I was not able to get the exact sequence of commands from my history. The errors I saw were posted on a Red Hat's bugzilla,
Pity because I'd rather see the errors relevant to your system. But then again "it works" so maybe save proper troubleshooting for next time...
 
Old 11-20-2013, 12:29 PM   #7
legolasthehansy
LQ Newbie
 
Original Poster
I had to redo the setup and, after finding more time to look into SELinux, it was only a matter of entering a single command:

chcon -t sendmail_exec_t /usr/share/amazon/ses-send-email.pl

Hope this helps someone.
Thanks!
 
1 members found this post helpful.
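As an added example (not code from any poster in this thread), the script below triages AVC records like the ones in the first post and applies the logic behind the fix in the last one: sendmail_t was denied execute on a file labelled sendmail_t rather than an entrypoint type, so the file wanted sendmail_exec_t. The "domain type minus _t plus _exec_t" suggestion is an assumption of this script, not an SELinux rule, and the sample records are copied from this thread.

```python
"""Triage SELinux AVC denials like the ones in this thread. Heuristic (an
assumption, not SELinux policy): a domain denied 'execute' on a file carrying
the domain's own type, not an *_exec_t type, needs the entrypoint label."""
import re
from collections import Counter

# Audit records copied from this thread (constructed sample input).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1364405192.770:2818): avc: denied { execute } for pid=6670 comm="sendmail" name="ses-send-email.pl" dev=xvde1 ino=42960 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:sendmail_t:s0 tclass=file
type=SYSCALL msg=audit(1364405192.770:2818): arch=c000003e syscall=59 success=no exit=-13 ppid=6669 pid=6670 auid=0 uid=8 gid=12 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1364405192.810:2819): avc: denied { execute } for pid=6673 comm="sendmail" name="ses-send-email.pl" dev=xvde1 ino=42960 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:sendmail_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]*)" .*?name="(?P<name>[^"]*)" .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """One dict per AVC record; SYSCALL/PATH/CWD records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["stype"] = d["scontext"].split(":")[2]  # user:role:TYPE:level
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials

def suggest_label(d):
    """Entrypoint type to try for an execute-on-own-domain-type denial, else None."""
    if d["tclass"] != "file" or "execute" not in d["perms"]:
        return None
    if d["stype"] == d["ttype"] and d["stype"].endswith("_t") and not d["ttype"].endswith("_exec_t"):
        return d["stype"][:-2] + "_exec_t"
    return None

def triage(text):
    """Group identical denials, count them and attach the suggested type."""
    key = lambda d: (d["comm"], d["name"], d["tclass"], d["stype"], d["ttype"], tuple(d["perms"]))
    report = []
    for (comm, name, tclass, stype, ttype, perms), count in Counter(map(key, parse_avc(text))).items():
        d = {"comm": comm, "name": name, "tclass": tclass, "stype": stype,
             "ttype": ttype, "perms": list(perms), "count": count}
        d["suggested_type"] = suggest_label(d)
        report.append(d)
    return report
```

Running `triage(SAMPLE_AUDIT_LOG)` collapses the two AVC lines into one group with count 2 and `suggested_type` "sendmail_exec_t". A label set with chcon is lost on the next relabel, so once the type is confirmed, record it with `semanage fcontext -a -t sendmail_exec_t` for the path and apply it with `restorecon`.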