F12: AVCs: sendmail, mounted filesystems, and spamassassin

Daniel B. Thurman dant at cdkkt.com
Tue Feb 23 19:54:09 UTC 2010


I am not sure I understand how to interpret AVC errors and
to determine if these AVC complaints need to be handled or
not.  Any advice would be appreciated!

I have these in order of most current dates:
====================================
Summary:

SELinux is preventing /usr/bin/perl "execute" access on /usr/bin/python2.6.

Detailed Description:

SELinux denied access requested by spamassassin. It is not expected that this
access is required by spamassassin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:spamc_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/python2.6 [ file ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           perl-5.10.0-87.fc12
Target RPM Packages           python-2.6.2-2.fc12
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686
                              #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   5
First Seen                    Mon 22 Feb 2010 04:02:46 PM PST
Last Seen                     Tue 23 Feb 2010 08:02:17 AM PST
Local ID                      080fd1f0-f784-4cd6-b2e3-7ec050a47323
Line Numbers                 

Raw Audit Messages           

node=gold.cdkkt.com type=AVC msg=audit(1266940937.111:59356): avc: 
denied  { execute } for  pid=24253 comm="spamassassin" name="python2.6"
dev=sdb10 ino=97611 scontext=unconfined_u:system_r:spamc_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file

node=gold.cdkkt.com type=SYSCALL msg=audit(1266940937.111:59356):
arch=40000003 syscall=11 success=no exit=-13 a0=92c1664 a1=929d99c
a2=bf974eb4 a3=929d99c items=0 ppid=24246 pid=24253 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
tty=(none) ses=1 comm="spamassassin" exe="/usr/bin/perl"
subj=unconfined_u:system_r:spamc_t:s0 key=(null)



==================================
NOTE: The following is one of many AVC complaints
from which it peers into mounted filesystems of different
OSes (F9, F11, Ubuntu, and so on)

How do you prevent SELinux from peering into certain
mounted filesystems it has no business to be doing?
==================================
Summary:

SELinux is preventing /usr/bin/updatedb "getattr" access to
/md/RF11D1/etc/poker-network.

Detailed Description:

SELinux denied access requested by updatedb. /md/RF11D1/etc/poker-network may be
a mislabeled. /md/RF11D1/etc/poker-network default SELinux type is default_t,
but its current type is unlabeled_t. Changing this file back to the default
type, may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creating a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or
    restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/md/RF11D1/etc/poker-network', if this file is a
directory, you can recursively restore using restorecon -R
'/md/RF11D1/etc/poker-network'.

Fix Command:

/sbin/restorecon '/md/RF11D1/etc/poker-network'

Additional Information:

Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /md/RF11D1/etc/poker-network [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           mlocate-0.22.2-1.fc12
Target RPM Packages          
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686
                              #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 23 Feb 2010 03:40:27 AM PST
Last Seen                     Tue 23 Feb 2010 03:40:27 AM PST
Local ID                      c9411c07-575a-466d-903f-054169906d38
Line Numbers                 

Raw Audit Messages           

node=gold.cdkkt.com type=AVC msg=audit(1266925227.491:58792): avc: 
denied  { getattr } for  pid=17154 comm="updatedb"
path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413
scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

node=gold.cdkkt.com type=SYSCALL msg=audit(1266925227.491:58792):
arch=40000003 syscall=196 success=no exit=-13 a0=807709d a1=bf917c00
a2=42cff4 a3=807709d items=0 ppid=17148 pid=17154 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1278
comm="updatedb" exe="/usr/bin/updatedb"
subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)



==================================
Summary:

SELinux is preventing /usr/sbin/sendmail.sendmail "read" access on
/var/log/messages.

Detailed Description:

[sendmail has a permissive type (system_mail_t). This access was not denied.]

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/messages [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          gold.cdkkt.com
Source RPM Packages           sendmail-8.14.3-8.fc12
Target RPM Packages          
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686
                              #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Tue 23 Feb 2010 03:37:58 AM PST
Last Seen                     Tue 23 Feb 2010 03:37:58 AM PST
Local ID                      c6d1d2d8-7cdd-451a-9647-4a61fbc848c5
Line Numbers                 

Raw Audit Messages           

node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: 
denied  { read } for  pid=16966 comm="sendmail" path="/var/log/messages"
dev=sdb10 ino=54039
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: 
denied  { read } for  pid=16966 comm="sendmail" path="/var/log/secure"
dev=sdb10 ino=54090
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: 
denied  { read } for  pid=16966 comm="sendmail" path="/var/log/maillog"
dev=sdb10 ino=54091
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=gold.cdkkt.com type=SYSCALL msg=audit(1266925078.757:58778):
arch=40000003 syscall=11 success=yes exit=0 a0=97d58a0 a1=97d5928
a2=97d4eb0 a3=97d5928 items=0 ppid=16912 pid=16966 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=1278
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
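
One way to triage raw records like those in the message above, added here as an example and not part of the original post: it groups AVC records by audit event serial, pulls out the source and target types, and uses the matching SYSCALL record to show whether the call actually failed. The function name `triage` and its output keys are assumptions of this example; the sample records are re-joined from the reports above.

```python
import re

# Constructed sample: records from the three reports above, each re-joined onto
# one line and trimmed to the fields this parser reads.
SAMPLE = '''\
type=AVC msg=audit(1266940937.111:59356): avc:  denied  { execute } for  pid=24253 comm="spamassassin" name="python2.6" scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1266940937.111:59356): arch=40000003 syscall=11 success=no exit=-13
type=AVC msg=audit(1266925227.491:58792): avc:  denied  { getattr } for  pid=17154 comm="updatedb" path="/md/RF11D1/etc/poker-network" scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1266925227.491:58792): arch=40000003 syscall=196 success=no exit=-13
type=AVC msg=audit(1266925078.757:58778): avc:  denied  { read } for  pid=16966 comm="sendmail" path="/var/log/messages" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1266925078.757:58778): avc:  denied  { read } for  pid=16966 comm="sendmail" path="/var/log/secure" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1266925078.757:58778): avc:  denied  { read } for  pid=16966 comm="sendmail" path="/var/log/maillog" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1266925078.757:58778): arch=40000003 syscall=11 success=yes exit=0
'''

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")

def triage(log):
    """Group AVC records by audit event serial and attach the SYSCALL outcome."""
    events = {}
    for line in log.splitlines():
        head = HEADER.search(line)
        if not head:
            continue
        rtype, serial = head.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        ev = events.setdefault(serial, {"serial": serial, "targets": [], "blocked": None})
        if rtype == "AVC":
            ev["comm"] = f["comm"]
            ev["source_type"] = f["scontext"].split(":")[2]  # third field is the type
            ev["target_type"] = f["tcontext"].split(":")[2]
            ev["tclass"] = f["tclass"]
            ev["perms"] = PERMS.search(line).group(1).split()
            ev["targets"].append(f.get("path") or f.get("name"))
        elif rtype == "SYSCALL":
            # exit=-13 is EACCES: the call failed. success=yes means the AVC was
            # logged but the system call itself still completed.
            ev["blocked"] = f.get("success") == "no" and f.get("exit") == "-13"
    for ev in events.values():
        # unlabeled_t: the object carries no label the loaded policy recognises
        ev["unlabeled"] = ev.get("target_type") == "unlabeled_t"
    return list(events.values())

if __name__ == "__main__":
    for ev in triage(SAMPLE):
        print(ev)
```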



