We have an email configuration package that often needs to restart sendmail when it is upgraded. To make updates as easy as possible for the users, it has a trigger script on sendmail that contains "/etc/rc.d/init.d/sendmail condrestart", so that they don't have to remember to do that themselves.
This worked fine on CentOS 4. On CentOS 5 it has a problem:
# rpm -qa selinux*
selinux-policy-targeted-2.4.6-255.el5_4.3
selinux-policy-2.4.6-255.el5_4.3
selinux-policy-devel-2.4.6-255.el5_4.3
Apr 29 12:40:27 ict sm-msp-queue[4024]: unable to write pid to /var/run/sm-client.pid: Permission denied
time->Thu Apr 29 12:40:27 2010
type=SYSCALL msg=audit(1272541227.852:97659096): arch=40000003 syscall=196 success=no exit=-13 a0=bfec70d8 a1=bfec6f70 a2=4efff4 a3=3 items=0 ppid=4023 pid=4024 auid=783 uid=51 gid=51 euid=51 suid=51 fsuid=51 egid=51 sgid=51 fsgid=51 tty=(none) ses=23989 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1272541227.852:97659096): avc: denied { getattr } for pid=4024 comm="sendmail" path="/var/run/sm-client.pid" dev=dm-4 ino=1097779 scontext=user_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=file
A manual restart of sendmail works. This is because of the following transition rules:
type_transition unconfined_t sendmail_exec_t : process sendmail_t;
type_transition initrc_t sendmail_exec_t : process sendmail_t;
type_transition rpm_script_t sendmail_exec_t : process system_mail_t;
In other words, being run from an rpm script does not give sendmail enough access to restart. I don't know why there wasn't a similar error for /var/run/sendmail.pid, though.
Moray. "To err is human. To purr, feline"
On 04/29/2010 08:41 AM, Moray Henderson wrote:
> We have an email configuration package that often needs to restart sendmail when it is upgraded. To make updates as easy as possible for the users, it has a trigger script on sendmail that contains "/etc/rc.d/init.d/sendmail condrestart", so that they don't have to remember to do that themselves.
> This worked fine on CentOS 4. On CentOS 5 it has a problem:
> # rpm -qa selinux*
> selinux-policy-targeted-2.4.6-255.el5_4.3
> selinux-policy-2.4.6-255.el5_4.3
> selinux-policy-devel-2.4.6-255.el5_4.3
> Apr 29 12:40:27 ict sm-msp-queue[4024]: unable to write pid to /var/run/sm-client.pid: Permission denied
> time->Thu Apr 29 12:40:27 2010
> type=SYSCALL msg=audit(1272541227.852:97659096): arch=40000003 syscall=196 success=no exit=-13 a0=bfec70d8 a1=bfec6f70 a2=4efff4 a3=3 items=0 ppid=4023 pid=4024 auid=783 uid=51 gid=51 euid=51 suid=51 fsuid=51 egid=51 sgid=51 fsgid=51 tty=(none) ses=23989 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
> type=AVC msg=audit(1272541227.852:97659096): avc: denied { getattr } for pid=4024 comm="sendmail" path="/var/run/sm-client.pid" dev=dm-4 ino=1097779 scontext=user_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=file
> A manual restart of sendmail works. This is because of the following transition rules:
> type_transition unconfined_t sendmail_exec_t : process sendmail_t;
> type_transition initrc_t sendmail_exec_t : process sendmail_t;
> type_transition rpm_script_t sendmail_exec_t : process system_mail_t;
> In other words, being run from an rpm script does not give sendmail enough access to restart. I don't know why there wasn't a similar error for /var/run/sendmail.pid, though.
> Moray. "To err is human. To purr, feline"
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I think /etc/rc.d/init.d/sendmail is mislabeled.
Run restorecon on it.
Because using the init script with the correct label it should be
unconfined_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t
rpm_script_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t
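Dan's explanation, turned into a small Python model as an added example (this is not code from the thread or from the SELinux policy project): it parses the AVC record Moray posted and follows the exec-time domain transitions for an init script labeled etc_t (the mislabeled case) and initrc_exec_t (the correct one). The three sendmail_exec_t rules are the ones quoted in the thread; the two initrc_exec_t -> initrc_t entries, the function names, and the treatment of a missing transition as "the caller keeps its domain" are assumptions of the example, and allow rules are ignored entirely.

```python
"""Parse the AVC denial from the thread and trace init-script domain transitions.

Added example for this thread; not code from the thread or from the SELinux
project. It follows only the type_transition rules quoted by Moray plus the
two initrc_exec_t -> initrc_t steps implied by Dan's chains (an assumption),
and it ignores allow rules.
"""
import re

# AVC record copied from the thread.
AVC_LINE = (
    'type=AVC msg=audit(1272541227.852:97659096): avc: denied { getattr } '
    'for pid=4024 comm="sendmail" path="/var/run/sm-client.pid" dev=dm-4 '
    'ino=1097779 scontext=user_u:system_r:system_mail_t:s0 '
    'tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Pull the fields that decide a policy question out of one AVC denial.

    Returns None when the line is not an AVC denial record (e.g. a SYSCALL record).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    path = re.search(r'path="([^"]*)"', line)
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type:level; the type is what policy rules key on.
        "source_type": m.group("scontext").split(":")[2],
        "target_type": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
        "path": path.group(1) if path else None,
    }


# (calling domain, type of the executed file) -> domain after exec().
# The first three are the rules quoted in the thread; the last two are
# assumed from Dan's chains and are not quoted policy.
TYPE_TRANSITIONS = {
    ("unconfined_t", "sendmail_exec_t"): "sendmail_t",
    ("initrc_t", "sendmail_exec_t"): "sendmail_t",
    ("rpm_script_t", "sendmail_exec_t"): "system_mail_t",
    ("unconfined_t", "initrc_exec_t"): "initrc_t",  # assumed
    ("rpm_script_t", "initrc_exec_t"): "initrc_t",  # assumed
}


def exec_domain(domain, exec_type):
    """Domain after exec(): the type_transition target if one matches, otherwise
    the caller keeps its own domain (simplified: allow rules are ignored)."""
    return TYPE_TRANSITIONS.get((domain, exec_type), domain)


def trace(start_domain, exec_types):
    """Follow a chain of exec()s and return every domain visited, start first."""
    chain = [start_domain]
    for exec_type in exec_types:
        chain.append(exec_domain(chain[-1], exec_type))
    return chain


def restart_domain(script_label):
    """Domain sendmail ends up in when an rpm scriptlet runs the init script
    carrying script_label, and that script then execs the sendmail binary."""
    return trace("rpm_script_t", [script_label, "sendmail_exec_t"])[-1]


if __name__ == "__main__":
    d = parse_avc(AVC_LINE)
    print(f"{d['comm']} running as {d['source_type']} was denied "
          f"{' '.join(d['perms'])} on {d['tclass']} {d['path']} ({d['target_type']})")
    for label in ("etc_t", "initrc_exec_t"):
        chain = trace("rpm_script_t", [label, "sendmail_exec_t"])
        print(f"init script labeled {label}: {' -> '.join(chain)}")
```

With the script labeled etc_t there is no transition on the first exec, so the scriptlet's rpm_script_t domain survives into the sendmail exec and the third quoted rule lands sendmail in system_mail_t, which is the source type in the denial; with initrc_exec_t the chain goes through initrc_t and ends in sendmail_t, exactly as Dan's second line describes.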
Daniel J Walsh wrote:
> On 04/29/2010 08:41 AM, Moray Henderson wrote:
>> We have an email configuration package that often needs to restart sendmail when it is upgraded. To make updates as easy as possible for the users, it has a trigger script on sendmail that contains "/etc/rc.d/init.d/sendmail condrestart", so that they don't have to remember to do that themselves.
>> This worked fine on CentOS 4. On CentOS 5 it has a problem:
>> # rpm -qa selinux*
>> selinux-policy-targeted-2.4.6-255.el5_4.3
>> selinux-policy-2.4.6-255.el5_4.3
>> selinux-policy-devel-2.4.6-255.el5_4.3
>> Apr 29 12:40:27 ict sm-msp-queue[4024]: unable to write pid to /var/run/sm-client.pid: Permission denied
>> time->Thu Apr 29 12:40:27 2010
>> type=SYSCALL msg=audit(1272541227.852:97659096): arch=40000003 syscall=196 success=no exit=-13 a0=bfec70d8 a1=bfec6f70 a2=4efff4 a3=3 items=0 ppid=4023 pid=4024 auid=783 uid=51 gid=51 euid=51 suid=51 fsuid=51 egid=51 sgid=51 fsgid=51 tty=(none) ses=23989 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
>> type=AVC msg=audit(1272541227.852:97659096): avc: denied { getattr } for pid=4024 comm="sendmail" path="/var/run/sm-client.pid" dev=dm-4 ino=1097779 scontext=user_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=file
>> A manual restart of sendmail works. This is because of the following transition rules:
>> type_transition unconfined_t sendmail_exec_t : process sendmail_t;
>> type_transition initrc_t sendmail_exec_t : process sendmail_t;
>> type_transition rpm_script_t sendmail_exec_t : process system_mail_t;
>> In other words, being run from an rpm script does not give sendmail enough access to restart. I don't know why there wasn't a similar error for /var/run/sendmail.pid, though.
>> Moray. "To err is human. To purr, feline"
> I think /etc/rc.d/init.d/sendmail is mislabeled.
> Run restorecon on it.
> Because using the init script with the correct label it should be
> unconfined_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t
> rpm_script_t -> initrc_exec_t -> initrc_t -> sendmail_exec_t -> sendmail_t
Ah, that was it:
restorecon reset /etc/rc.d/init.d/sendmail context root:object_r:etc_t:s0->system_u:object_r:initrc_exec_t:s0
I'll work out how that happened, and get it to stop. Thank you.
Moray. "To err is human. To purr, feline"