Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)
NM
nico at altiva.fr
Fri Dec 12 09:53:15 UTC 2008
I didn't want to have a full-fledged MTA on my machines; I tried both
esmtp and ssmtp, and both seem unable to work without tripping on
SELinux. It looks like they always inherit the context of the calling
program, which doesn't have the rights to, say, connect outside on port
25.
Is there a way?
Summary:
SELinux is preventing sendmail (logwatch_t) "name_connect" smtp_port_t.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context        system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context        system_u:object_r:smtp_port_t:s0
Target Objects        None [ tcp_socket ]
Source                sendmail
Source Path           /usr/sbin/ssmtp
Port                  25
Host                  lin1195
Source RPM Packages   ssmtp-2.61-11.7.fc10
Target RPM Packages
Policy RPM            selinux-policy-3.5.13-26.fc10
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           catchall
Host Name             lin1195
Platform              Linux lin1195 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count           1
First Seen            Fri 12 Dec 2008 04:02:05 AM CET
Last Seen             Fri 12 Dec 2008 04:02:05 AM CET
Local ID              631702fa-42b7-444d-b62e-fe50df41bf9f
Line Numbers
Raw Audit Messages
node=lin1195 type=AVC msg=audit(1229050925.485:1082): avc: denied { name_connect } for pid=22689 comm="sendmail" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
node=lin1195 type=SYSCALL msg=audit(1229050925.485:1082): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=ad2d90 a2=10 a3=3b4856da70 items=0 ppid=22433 pid=22689 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=122 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
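
The "generate a local policy module" step from the report above, as an added example that is not part of the original post: it parses the AVC record and renders the type enforcement source for exactly the denied access. The module name local_logwatch_smtp is a hypothetical choice, and the rule it emits lets every process in logwatch_t connect to SMTP ports, not only ssmtp.

```python
import re

# AVC record from the report above, rejoined onto one line.
SAMPLE_AVC = (
    'node=lin1195 type=AVC msg=audit(1229050925.485:1082): avc: denied '
    '{ name_connect } for pid=22689 comm="sendmail" dest=25 '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source_type = fields['scontext'].split(':')[2]
        target_type = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'source_type': source_type,
        'target_type': target_type,
        'tclass': tclass,
        'comm': fields.get('comm', '').strip('"'),
    }

def te_module(avc, name):
    """Render a type enforcement module allowing exactly the denied access."""
    perms = avc['perms']
    perm_set = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    types = sorted({avc['source_type'], avc['target_type']})
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s %s;' % (avc['tclass'], perm_set), '}', '']
    lines.append('allow %s %s:%s %s;' % (
        avc['source_type'], avc['target_type'], avc['tclass'], perm_set))
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(te_module(parse_avc(SAMPLE_AVC), 'local_logwatch_smtp'))
```

The printed source can be saved as local_logwatch_smtp.te, built with checkmodule and semodule_package, and loaded with semodule -i after reviewing the allow rule.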