Hello:
I'm a spanish user of Fedora 8, a great distribution. I send this mail because I see a alert of SElinux troubleshooter with rkhunter. I have received two alerts:
ResúmenSELinux is preventing sendmail (system_mail_t) "append" to /var/rkhunter/tmp/rkhcronlog.mFxQaF5049 (var_t). Descripción DetalladaSELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Permitiendo AccesoSometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/rkhunter/tmp/rkhcronlog.mFxQaF5049, restorecon -v '/var/rkhunter/tmp/rkhcronlog.mFxQaF5049' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Información AdicionalContexto Fuente: system_u:system_r:system_mail_t:s0Contexto Destino: system_u:object_r:var_t:s0Objetos Destino: /var/rkhunter/tmp/rkhcronlog.mFxQaF5049 [ file ]Source: sendmailSource Path: /usr/sbin/sendmail.sendmailPort: <Desconocido>Host: localhost.localdomainSource RPM Packages: sendmail-8.14.2-1.fc8Target RPM Packages: RPM de Políticas: selinux-policy-3.0.8-93.fc8SELinux Activado: TrueTipo de Política: targetedMLS Activado: TrueModo Obediente: EnforcingNombre de Plugin: catchall_fileNombre de Equipo: localhost.localdomainPlataforma: Linux localhost.localdomain 2.6.24.3-34.fc8 #1 SMP Wed Mar 12 18:17:20 EDT 2008 i686 i686Cantidad de Alertas: 1First Seen: mié 26 mar 2008 18:47:43 CETLast Seen: mié 26 mar 2008 18:47:43 CETLocal ID: 65abd64d-1a3f-4d68-a9b0-5ea5cf268d85Números de Línea: Mensajes de Auditoría Crudos :host=localhost.localdomain type=AVC msg=audit(1206553663.4:30): avc: denied { append } for pid=21759 comm="sendmail" path="/var/rkhunter/tmp/rkhcronlog.mFxQaF5049" dev=sda6 ino=1766018 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1206553663.4:30): arch=40000003 syscall=11 success=yes exit=0 a0=805848b a1=956760c a2=bfc98a58 a3=956760c items=0 ppid=21758 pid=21759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)
The second alert it's same, because change the destiny file. How do I solve it?
Sorry, because my english is very bad.
Forgiveness, not paste good warning. Here, have a more readable
Thanks.
Resúmen:
SELinux is preventing sendmail (system_mail_t) "append" to /var/rkhunter/tmp/rkhcronlog.mFxQaF5049 (var_t).
Descripción Detallada:
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Permitiendo Acceso:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/rkhunter/tmp/rkhcronlog.mFxQaF5049,
restorecon -v '/var/rkhunter/tmp/rkhcronlog.mFxQaF5049'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Información Adicional:
Contexto Fuente system_u:system_r:system_mail_t:s0 Contexto Destino system_u:object_r:var_t:s0 Objetos Destino /var/rkhunter/tmp/rkhcronlog.mFxQaF5049 [ file ] Source sendmail Source Path /usr/sbin/sendmail.sendmail Port <Desconocido> Host localhost.localdomain Source RPM Packages sendmail-8.14.2-1.fc8 Target RPM Packages RPM de Políticas selinux-policy-3.0.8-93.fc8 SELinux Activado True Tipo de Política targeted MLS Activado True Modo Obediente Enforcing Nombre de Plugin catchall_file Nombre de Equipo localhost.localdomain Plataforma Linux localhost.localdomain 2.6.24.3-34.fc8 #1 SMP Wed Mar 12 18:17:20 EDT 2008 i686 i686 Cantidad de Alertas 1 First Seen mié 26 mar 2008 18:47:43 CET Last Seen mié 26 mar 2008 18:47:43 CET Local ID 65abd64d-1a3f-4d68-a9b0-5ea5cf268d85 Números de Línea
Mensajes de Auditoría Crudos
host=localhost.localdomain type=AVC msg=audit(1206553663.4:30): avc: denied { append } for pid=21759 comm="sendmail" path="/var/rkhunter/tmp/rkhcronlog.mFxQaF5049" dev=sda6 ino=1766018 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1206553663.4:30): arch=40000003 syscall=11 success=yes exit=0 a0=805848b a1=956760c a2=bfc98a58 a3=956760c items=0 ppid=21758 pid=21759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)
Hello, it needs a new SELinux policy for rkhunter: I'm currently working on it ... Relational thing is https://bugzilla.redhat.com/show_bug.cgi?id=438576
Josef
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Josef Kubin wrote:
Hello, it needs a new SELinux policy for rkhunter: I'm currently working on it ... Relational thing is https://bugzilla.redhat.com/show_bug.cgi?id=438576
Josef
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Joseph and I played around with a policy for rkhunter and quickly found it to be too cumbersome to confine. Pretty much needs unconfined_domain to do its thing. rkhunter package is moving it's log files to /var/log and other files to /var/run, We can then make policy for sendmail to dontaudit writes. This is a perfect example of allowing sendmail Read/Write but no Open.
Pedro, you can allow this access by executing
# grep mail /var/log/audit/audit.log | audit2allow -M myrkhunter # semodule -i myrkhunter.pp
selinux@lists.fedoraproject.org