F12: AVCs: sendmail, mounted filesystems, and spamassassin
Daniel B. Thurman
dant at cdkkt.com
Tue Feb 23 19:54:09 UTC 2010
I am not sure I understand how to interpret AVC errors and to determine if these AVC complaints need to be handled or not. Any advice would be appreciated!

I have these in order of most current dates:
====================================
Summary:
SELinux is preventing /usr/bin/perl "execute" access on /usr/bin/python2.6.
Detailed Description:
SELinux denied access requested by spamassassin. It is not expected that this access is required by spamassassin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context unconfined_u:system_r:spamc_t:s0
Target Context system_u:object_r:bin_t:s0
Target Objects /usr/bin/python2.6 [ file ]
Source spamassassin
Source Path /usr/bin/perl
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages perl-5.10.0-87.fc12
Target RPM Packages python-2.6.2-2.fc12
Policy RPM selinux-policy-3.6.32-89.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 5
First Seen Mon 22 Feb 2010 04:02:46 PM PST
Last Seen Tue 23 Feb 2010 08:02:17 AM PST
Local ID 080fd1f0-f784-4cd6-b2e3-7ec050a47323
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1266940937.111:59356): avc: denied { execute } for pid=24253 comm="spamassassin" name="python2.6" dev=sdb10 ino=97611 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=gold.cdkkt.com type=SYSCALL msg=audit(1266940937.111:59356): arch=40000003 syscall=11 success=no exit=-13 a0=92c1664 a1=929d99c a2=bf974eb4 a3=929d99c items=0 ppid=24246 pid=24253 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="spamassassin" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamc_t:s0 key=(null)
==================================
NOTE: The following is one of many AVC complaints in which it peers into mounted filesystems of different OSes (F9, F11, Ubuntu, and so on).

How do you prevent SELinux from peering into certain mounted filesystems it has no business to be doing?
==================================
Summary:
SELinux is preventing /usr/bin/updatedb "getattr" access to /md/RF11D1/etc/poker-network.
Detailed Description:
SELinux denied access requested by updatedb. /md/RF11D1/etc/poker-network may be mislabeled. /md/RF11D1/etc/poker-network default SELinux type is default_t, but its current type is unlabeled_t. Changing this file back to the default type may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent directory by default.
* The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or restorecon.
This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the restorecon command. restorecon '/md/RF11D1/etc/poker-network', if this file is a directory, you can recursively restore using restorecon -R '/md/RF11D1/etc/poker-network'.
Fix Command:
/sbin/restorecon '/md/RF11D1/etc/poker-network'
Additional Information:
Source Context system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /md/RF11D1/etc/poker-network [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages mlocate-0.22.2-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-89.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 1
First Seen Tue 23 Feb 2010 03:40:27 AM PST
Last Seen Tue 23 Feb 2010 03:40:27 AM PST
Local ID c9411c07-575a-466d-903f-054169906d38
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1266925227.491:58792): avc: denied { getattr } for pid=17154 comm="updatedb" path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=gold.cdkkt.com type=SYSCALL msg=audit(1266925227.491:58792): arch=40000003 syscall=196 success=no exit=-13 a0=807709d a1=bf917c00 a2=42cff4 a3=807709d items=0 ppid=17148 pid=17154 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1278 comm="updatedb" exe="/usr/bin/updatedb" subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
==================================
Summary:
SELinux is preventing /usr/sbin/sendmail.sendmail "read" access on /var/log/messages.
Detailed Description:
[sendmail has a permissive type (system_mail_t). This access was not denied.]
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_log_t:s0
Target Objects /var/log/messages [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages sendmail-8.14.3-8.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-89.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 3
First Seen Tue 23 Feb 2010 03:37:58 AM PST
Last Seen Tue 23 Feb 2010 03:37:58 AM PST
Local ID c6d1d2d8-7cdd-451a-9647-4a61fbc848c5
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/messages" dev=sdb10 ino=54039 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/secure" dev=sdb10 ino=54090 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/maillog" dev=sdb10 ino=54091 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=gold.cdkkt.com type=SYSCALL msg=audit(1266925078.757:58778): arch=40000003 syscall=11 success=yes exit=0 a0=97d58a0 a1=97d5928 a2=97d4eb0 a3=97d5928 items=0 ppid=16912 pid=16966 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=1278 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
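As an added example (not part of the post or of setroubleshoot), here is a small Python triage script for raw audit records like the ones quoted above. It pairs each AVC with its SYSCALL record by the audit serial, then sorts the denials into the three situations the three reports describe: an unlabeled_t target to relabel with restorecon, a permissive source domain where the access was not actually denied (the paired SYSCALL shows success=yes), and an enforced denial that needs a human decision. The sample records are the post's own, with the SYSCALL lines trimmed to the fields the script reads; the bucket names are my own.

```python
import re

# Constructed sample: the AVC/SYSCALL records quoted in the post, with the
# SYSCALL lines trimmed to the fields this script reads.
SAMPLE_AUDIT = """\
node=gold.cdkkt.com type=AVC msg=audit(1266940937.111:59356): avc: denied { execute } for pid=24253 comm="spamassassin" name="python2.6" dev=sdb10 ino=97611 scontext=unconfined_u:system_r:spamc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=gold.cdkkt.com type=SYSCALL msg=audit(1266940937.111:59356): arch=40000003 syscall=11 success=no exit=-13 comm="spamassassin" exe="/usr/bin/perl"
node=gold.cdkkt.com type=AVC msg=audit(1266925227.491:58792): avc: denied { getattr } for pid=17154 comm="updatedb" path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/messages" dev=sdb10 ino=54039 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=gold.cdkkt.com type=AVC msg=audit(1266925078.757:58778): avc: denied { read } for pid=16966 comm="sendmail" path="/var/log/maillog" dev=sdb10 ino=54091 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=gold.cdkkt.com type=SYSCALL msg=audit(1266925078.757:58778): arch=40000003 syscall=11 success=yes exit=0 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                    # key=value or key="value"
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}")
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")         # serial ties AVC to SYSCALL

def parse_record(line):
    """One audit line -> dict of its key=value fields; AVC lines also get verdict/perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    avc = AVC_RE.search(line)
    if avc:
        rec["verdict"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def triage(audit_text):
    """Group records by serial and decide, per AVC, whether to relabel, review, or just note it."""
    by_serial = {}
    for line in audit_text.strip().splitlines():
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], []).append(rec)
    out = []
    for serial, recs in by_serial.items():
        # success=no on the paired SYSCALL: the kernel refused the call; success=yes next to an
        # AVC: the source domain is permissive, so the access was logged but went through.
        blocked = any(r["type"] == "SYSCALL" and r["success"] == "no" for r in recs)
        for r in recs:
            if r["type"] != "AVC":
                continue
            ttype = r["tcontext"].split(":")[2]       # user:role:type[:level] -> type
            if ttype == "unlabeled_t":
                action = "relabel"      # the report's own fix: restorecon, no policy change
            elif not blocked:
                action = "audit-only"   # permissive domain: nothing was denied, still worth a look
            else:
                action = "review"       # enforced denial: decide whether the access is legitimate
            out.append({"serial": serial, "source": r["scontext"].split(":")[2], "target": ttype,
                        "perm": " ".join(r["perms"]), "object": r.get("path") or r.get("name"),
                        "action": action})
    return out
```

Run against the real audit log, the same grouping also shows which denials are repeats of one event (three AVCs under one serial for sendmail above) rather than three separate problems.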