F12: Selinux 'sendmail' denials on /var/log/message logfile

Dominick Grift domg472 at gmail.com
Fri Mar 5 18:28:07 UTC 2010


On 03/05/2010 07:16 PM, Daniel B. Thurman wrote:

> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:  
> denied  { read } for  pid=14919 comm="sendmail" path="/var/log/messages" 
> dev=sdb8 ino=20167 
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:  
> denied  { read } for  pid=14919 comm="sendmail" path="/var/log/secure" 
> dev=sdb8 ino=20415 
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:  
> denied  { read } for  pid=14919 comm="sendmail" path="/var/log/maillog" 
> dev=sdb8 ino=21877 
> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> node=host.domain.com type=SYSCALL msg=audit(1267787608.324:42763): 
> arch=40000003 syscall=11 success=yes exit=0 a0=85088a0 a1=8508928 
> a2=8507eb0 a3=8508928 items=0 ppid=14865 pid=14919 auid=0 uid=0 gid=0 
> euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=246 
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail" 
> subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Not sure why sendmail would need to read these files. It is obviously
not allowed.

Odd thing is that sendmail is allowed to append to "logfiles".

# sesearch --allow -s system_mail_t -t var_log_t
Found 4 semantic av rules:
   allow application_domain_type logfile : file { getattr append } ;
   allow system_mail_t var_log_t : dir { ioctl read write getattr lock
add_name remove_name search open } ;
   allow system_mail_t logfile : file { ioctl getattr lock append open } ;
   allow system_mail_t logfile : dir { getattr search open } ;

If this access is legitimate, then it is a bug in policy.
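Added example, not part of the list thread: a small Python triage script that parses AVC records like the ones quoted above together with the sesearch --allow output and reports which of the denied permissions the existing rules really do not grant. The sample records and rules are constructed from the text above (one record per line, as the audit log writes them); the query helper uses the standard setools -c and -p options and is an assumption of this example, not something from the thread.

```python
import re

# Constructed sample input: the AVC records and sesearch output quoted above, one record per line.
AVC_LINES = """\
type=AVC msg=audit(1267787608.324:42763): avc:  denied  { read } for  pid=14919 comm="sendmail" path="/var/log/messages" dev=sdb8 ino=20167 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1267787608.324:42763): avc:  denied  { read } for  pid=14919 comm="sendmail" path="/var/log/secure" dev=sdb8 ino=20415 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""
SESEARCH_OUTPUT = """\
Found 4 semantic av rules:
   allow application_domain_type logfile : file { getattr append } ;
   allow system_mail_t var_log_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
   allow system_mail_t logfile : file { ioctl getattr lock append open } ;
   allow system_mail_t logfile : dir { getattr search open } ;
"""

# Fields policy analysis needs from one AVC record: perms, path, source/target type, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?path="(?P<path>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):.*?tcontext=\w+:\w+:(?P<ttype>\w+):.*?tclass=(?P<tclass>\w+)')
# One 'allow src tgt : class { perms } ;' line of sesearch output.
RULE_RE = re.compile(r'allow (?P<src>\w+) (?P<tgt>\w+) : (?P<cls>\w+) \{ (?P<perms>[^}]+)\} ;')

def parse_avc(text):
    """One dict per denial: stype, ttype, tclass, path and the set of denied perms."""
    denials = [m.groupdict() for m in AVC_RE.finditer(text)]
    for d in denials:
        d["perms"] = set(d["perms"].split())
    return denials

def parse_sesearch(text):
    """(src, tgt, class, perms) tuples from sesearch --allow output."""
    return [(m["src"], m["tgt"], m["cls"], set(m["perms"].split()))
            for m in RULE_RE.finditer(text)]

def missing_perms(denial, rules):
    """Denied perms that no listed rule of the same object class grants. sesearch -s/-t already
    expanded attributes (logfile covers var_log_t), so only the class has to be matched here."""
    granted = set().union(*(p for _, _, cls, p in rules if cls == denial["tclass"]))
    return denial["perms"] - granted

def sesearch_query(denial):
    """Narrower sesearch query (assumed -c/-p setools options) confirming one denial against policy."""
    return "sesearch --allow -s %s -t %s -c %s -p %s" % (
        denial["stype"], denial["ttype"], denial["tclass"], ",".join(sorted(denial["perms"])))

def triage(avc_text, sesearch_text):
    """Map each denied path to the perms the current policy really lacks."""
    rules = parse_sesearch(sesearch_text)
    return {d["path"]: sorted(missing_perms(d, rules)) for d in parse_avc(avc_text)}
```

For the quoted records the result is that only `read` on class `file` is absent, which matches the observation above that append to logfiles is already allowed.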



