LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-19-2009, 03:52 AM   #1
mail2mphani
Member
 
Registered: Jan 2009
Location: INDIA
Distribution: REDHAT
Posts: 64

Rep: Reputation: 16
Thumbs up sendmail selinux error


hi i configured sendmail with squirrelmail in RHEL5.3

it is working fine. i can send the mail and receive the mail .

but when i try to send the mail a selinux error is coming[but mail is sending successfully ]. i don't under stand this message.



Quote:
Summary:

SELinux is preventing sendmail (system_mail_t) "read" to eventpoll (httpd_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for eventpoll,

restorecon -v 'eventpoll'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:system_mail_t
Target Context system_u:system_r:httpd_t
Target Objects eventpoll [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host mail.example.com
Source RPM Packages sendmail-8.13.8-2.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name mail.example.com
Platform Linux mail.example.com 2.6.18-128.el5 #1 SMP Wed
Dec 17 11:42:39 EST 2008 i686 i686
Alert Count 1
First Seen Wed 19 Aug 2009 06:30:39 PM IST
Last Seen Wed 19 Aug 2009 06:30:39 PM IST
Local ID ca349210-0a7a-4ff3-8fc6-39ba268c6ac8
Line Numbers

Raw Audit Messages

host=mail.example.com type=AVC msg=audit(1250686839.94:107): avc: denied { read } for pid=4249 comm="sendmail" path="eventpoll:[7625]" dev=eventpollfs ino=7625 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file

host=mail.example.com type=SYSCALL msg=audit(1250686839.94:107): arch=40000003 syscall=11 success=yes exit=0 a0=87abd90 a1=87ac120 a2=87abea0 a3=40 items=0 ppid=2295 pid=4249 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

 
Old 08-19-2009, 05:42 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Running the raw messages through 'audit2allow' shows you need a local policy of:
Code:
#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;
so I'm wondering what does running 'getsebool -a|egrep -ie "(mail|http)"' return?

Last edited by unSpawn; 08-19-2009 at 05:45 AM. Reason: //more *is* more...
 
Old 08-19-2009, 07:04 AM   #3
mail2mphani
Member
 
Registered: Jan 2009
Location: INDIA
Distribution: REDHAT
Posts: 64

Original Poster
Rep: Reputation: 16
Quote:
getsebool -a|egrep -ie "(mail|http)"' return?
it returns
Quote:
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
allow_postfix_local_write_mail_spool --> off
fetchmail_disable_trans --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
mail_read_content --> off
mailman_mail_disable_trans --> off
 
Old 08-19-2009, 03:01 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
OK. I don't see no boolean that would "allow system_mail_t httpd_t:file read;", so for the time being you could adjust your local policy, see: Creating Custom SELinux Policy Modules with audit2allow and let us know if that didn't work.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
squirrelmail selinux error mail2mphani Linux - Security 1 06-30-2009 08:37 AM
SELinux Error :( Fedora 10 - help manuleka Linux - Newbie 6 06-02-2009 08:09 PM
SELinux problem while using Sendmail(webmail) mail2mphani Linux - Security 2 03-09-2009 01:53 AM
SELinux problem :: setsebool error custangro Linux - Security 3 10-25-2008 03:21 AM
Sendmail won't work with SELinux enabled? jimwillsher Linux - Security 1 03-15-2005 09:16 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration