fedora-selinux August 2010 archive

Re: SELINUX_ERR about sendmail (postfix version) on F-13

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Wed Aug 04 2010 - 14:16:03 GMT
To: Laurent Rineau <laurent.rineau__fedora@normalesup.org>


On 08/04/2010 05:33 AM, Laurent Rineau wrote:
> For a few days (maybe two weeks), my cron daemon keeps sending me error emails, once a day:
>> /etc/cron.daily/0logwatch:
>>
>> Can't exec "/usr/sbin/sendmail": Permission denied at /usr/sbin/logwatch line 1032, <TESTFILE> line 2.
>> Can't execute /usr/sbin/sendmail -t: Permission denied
>
> I have suspected SELinux, but the setroubleshoot stuff did not say anything. And I eventually found that:
>
> lrineau@matisse ~ $ sudo ausearch -ts yesterday -m SELINUX_ERR
> ----
> time->Tue Aug 3 03:16:04 2010
> type=SYSCALL msg=audit(1280798164.966:454): arch=c000003e syscall=59 success=no exit=-13 a0=1dfe430 a1=1dfe3c0 a2=1e01240 a3=8 items=0 ppid=17968 pid=18278 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=31 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> type=SELINUX_ERR msg=audit(1280798164.966:454): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
> ----
> time->Wed Aug 4 03:19:04 2010
> type=SYSCALL msg=audit(1280884744.246:135): arch=c000003e syscall=59 success=no exit=-13 a0=187b190 a1=187b120 a2=187ac30 a3=7ffff2dc3ec0 items=0 ppid=14696 pid=15085 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> type=SELINUX_ERR msg=audit(1280884744.246:135): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
>
> I did not know about SELINUX_ERR before that error. Maybe setroubleshootd should be aware of it, so that one can report bugs about SELINUX_ERR easily with the applet.
>
> My configuration is this one:
>
> lrineau@matisse ~ $ rpm -qa postfix selinux\*
> selinux-policy-3.7.19-39.fc13.noarch
> selinux-policy-targeted-3.7.19-39.fc13.noarch
> postfix-2.7.0-1.fc13.x86_64
>
> logwatch and postfix are configured with the default configurations, tweaked only in the simplest way.
>
Open a bug on the setroubleshoot issue.

yum update selinux-policy-targeted --enablerepo=updates-testing

Should fix logwatch issue.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
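
The thread notes that setroubleshoot stayed silent on these SELINUX_ERR records. As an added example (not part of the original messages, and not code from setroubleshoot or the SELinux project), the following Python pairs each `security_compute_sid: invalid context` record with the SYSCALL record sharing its audit event ID, so the failed transition and the process that hit it show up together. The function name and the abbreviated sample records are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Abbreviated copies of the two events quoted in the thread (wrapped lines
# rejoined, some SYSCALL fields omitted for width).
SAMPLE = """\
type=SYSCALL msg=audit(1280798164.966:454): arch=c000003e syscall=59 success=no exit=-13 ppid=17968 pid=18278 uid=0 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1280798164.966:454): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1280884744.246:135): arch=c000003e syscall=59 success=no exit=-13 ppid=14696 pid=15085 uid=0 comm="logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1280884744.246:135): security_compute_sid: invalid context system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 for scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
INVALID = re.compile(r"security_compute_sid:\s+invalid context (\S+)")


def find_invalid_transitions(text):
    """Group records by audit event ID and report failed context computations."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())  # skips "----" and "time->" lines
        if m:
            rtype, stamp, serial, body = m.groups()
            events[(stamp, serial)][rtype] = body
    findings = []
    for (stamp, serial), recs in sorted(events.items()):
        err = recs.get("SELINUX_ERR", "")
        bad = INVALID.search(err)
        if not bad:
            continue
        sc = {k: v.strip('"') for k, v in KV.findall(recs.get("SYSCALL", ""))}
        e = dict(KV.findall(err))
        findings.append({
            "event": f"{stamp}:{serial}",
            "invalid_context": bad.group(1),  # context the kernel rejected
            "scontext": e.get("scontext"),
            "tcontext": e.get("tcontext"),
            "tclass": e.get("tclass"),
            "comm": sc.get("comm"),
            # exit=-13 is EACCES, the "Permission denied" logwatch reported
            "exit": int(sc["exit"]) if "exit" in sc else None,
        })
    return findings


if __name__ == "__main__":
    for item in find_invalid_transitions(SAMPLE):
        print(item)
```

The same function accepts raw `ausearch -m SELINUX_ERR` output, since separator and `time->` lines do not match the record header and are ignored.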