Using FC6, I get the following SELinux warnings in /var/log/messages every time I reboot:
Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
My sendmail configuration is unmodified from the Fedora Core 6 default installation, and while sendmail is set to start at bootup, I am not currently using sendmail for anything on this system.
Nonetheless the error is a bit alarming, and I didn't find anything similar in a Google search. My system is fully updated to the current updates as of just prior to my reboot, which was about 15 minutes ago.
[root@shuttle ~]# rpm -qf /usr/sbin/sendmail.sendmail
sendmail-8.13.8-2
[root@shuttle ~]# ls -al /usr/sbin/sendmail.sendmail
-rwxr-sr-x 1 root smmsp 806460 Sep 5 09:27 /usr/sbin/sendmail.sendmail
[root@shuttle ~]# sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t).
Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/hda,
restorecon -v /dev/hda
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information:
Source Context: system_u:system_r:system_mail_t
Target Context: system_u:object_r:fixed_disk_device_t
Target Objects: /dev/hda [ blk_file ]
Affected RPM Packages: sendmail-8.13.8-2 [application]
Policy RPM: selinux-policy-2.4.6-1.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: shuttle
Platform: Linux shuttle 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686
Alert Count: 2
Line Numbers:
Raw Audit Messages:
avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name="hda" path="/dev/hda" pid=2509 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0
On Wed, 2006-12-13 at 07:33 -0500, Mike A. Harris wrote:
Using FC6, I get the following SELinux warnings in /var/log/messages every time I reboot:
Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Known problem of smartd leaking a file descriptor when it calls sendmail.
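The mechanism named in the reply above, as an added example that is not part of the original thread and is not smartd's code: a descriptor a daemon holds open is inherited by any helper it runs unless it is marked close-on-exec, which is how a mailer can appear to touch a disk device it never opened. Assumptions: /dev/null stands in for /dev/hda, /bin/sh stands in for the mailer, and helper_inherits_fd is a hypothetical name.

```c
/* Added illustration: a descriptor opened by a daemon survives fork+exec
 * into a helper unless it is marked close-on-exec. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Opens a stand-in "device" (/dev/null here, /dev/hda in the thread),
 * then runs a helper the way a daemon would run its mailer.
 * Returns 1 if the helper inherited the descriptor, 0 if not, -1 on error. */
int helper_inherits_fd(int use_cloexec)
{
    int flags = O_RDONLY | (use_cloexec ? O_CLOEXEC : 0);
    int fd = open("/dev/null", flags);
    if (fd < 0)
        return -1;

    /* The helper tries to duplicate the inherited descriptor number;
     * the redirection fails (non-zero exit) if that number is closed. */
    char script[64];
    snprintf(script, sizeof script, "exec 2>/dev/null; : <&%d", fd);

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);               /* exec itself failed */
    }

    int status;
    close(fd);                    /* parent's copy is no longer needed */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)
        || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("plain open():   helper inherits fd = %d\n", helper_inherits_fd(0));
    printf("with O_CLOEXEC: helper inherits fd = %d\n", helper_inherits_fd(1));
    return 0;
}
```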
Tomas Mraz wrote:
On Wed, 2006-12-13 at 07:33 -0500, Mike A. Harris wrote:
Using FC6, I get the following SELinux warnings in /var/log/messages every time I reboot:
Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Known problem of smartd leaking a file descriptor when it calls sendmail.
Wow, thanks. ;)
I'd have never suspected something like that in a billion years. ;)
selinux@lists.fedoraproject.org