This is the first Fedora where I've come across a file called dead-letter. I don't use sendmail, exim is installed, if relevant.
Summary:
SELinux is preventing the sendmail from using potentially mislabeled files (./dead.letter).
Detailed Description:
SELinux has denied sendmail access to potentially mislabeled file(s) (./dead.letter). This means that SELinux will not allow sendmail to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.
Allowing Access:
If you want sendmail to access this files, you need to relabel them using restorecon -v './dead.letter'. You might want to relabel the entire directory using restorecon -R -v './dead.letter'.
Additional Information:
Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                ./dead.letter [ dir ]
Source                        sendmail
Source Path                   /usr/sbin/ssmtp
Port                          <Unknown>
Host                          frank01.frankly3d.local
Source RPM Packages           ssmtp-2.61-11.7.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     frank01.frankly3d.local
Platform                      Linux frank01.frankly3d.local 2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sun 28 Dec 2008 12:18:46 GMT
Last Seen                     Sun 28 Dec 2008 12:18:46 GMT
Local ID                      6feff0bd-d81b-472e-8c9b-a4538c69479f
Line Numbers
Raw Audit Messages
node=frank01.frankly3d.local type=AVC msg=audit(1230466726.28:154): avc: denied { add_name } for pid=4443 comm="sendmail" name="dead.letter" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=frank01.frankly3d.local type=SYSCALL msg=audit(1230466726.28:154): arch=40000003 syscall=5 success=no exit=-13 a0=97312d0 a1=441 a2=1b6 a3=440 items=0 ppid=4311 pid=4443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0 key=(null)
==================================================== Dead-Letter contents ====================================================
/etc/cron.daily/0logwatch:
sendmail: Cannot open mail:25
/etc/cron.daily/rkhunter:
send-mail: Cannot open mail:25
send-mail: Cannot open mail:25
/bin/sh: opt/f-prot/fpscan: No such file or directory
Frank Murphy wrote:
This is the first Fedora where I've come across a file called dead-letter. I don't use sendmail, exim is installed, if relevant.
The problem here looks like logwatch did not transition to system_mail_t when running sendmail.
What sendmail is it running and what is it labeled?
ls -lZ PATHTO/sendmail?
On Sun, 04 Jan 2009 14:35:49 -0500 Daniel J Walsh dwalsh@redhat.com wrote:
The problem here looks like logwatch did not transition to system_mail_t when running sendmail.
Funnily enough I've had a similar issue with logrotate not transitioning to squid_t on Fedora 10:
type=AVC msg=audit(1231041733.717:646): avc: denied { read } for pid=6892 comm="squid" name="squid.conf" dev=dm-6 ino=147637 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:squid_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1231041733.717:646): arch=c000003e syscall=2 success=no exit=-13 a0=7f8b4a6bb260 a1=0 a2=1b6 a3=7f8b48be47b0 items=0 ppid=6891 pid=6892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=101 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
The result of this is the following email when logrotate runs:
/etc/cron.daily/logrotate:
2009/01/04 04:02:13| ALERT: initgroups: unable to set groups for User squid and Group 0
FATAL: Unable to open configuration file: /etc/squid/squid.conf: (13) Permission denied
Squid Cache (Version 3.0.STABLE10): Terminated abnormally.
CPU Usage: 0.032 seconds = 0.009 user + 0.023 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 25
Paul.
Paul Howarth wrote:
On Sun, 04 Jan 2009 14:35:49 -0500 Daniel J Walsh dwalsh@redhat.com wrote:
The problem here looks like logwatch did not transition to system_mail_t when running sendmail.
Funnily enough I've had a similar issue with logrotate not transitioning to squid_t on Fedora 10:
Latest policy should have the squid_domtrans back.
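A triage sketch for the pattern discussed above, added here as an example and not code from any poster or from the SELinux project: it pairs AVC and SYSCALL records by audit event id and flags a daemon binary that is still running in its caller's domain. The executable-to-domain map is an assumption built from the two type names mentioned in the thread; the sample records are the ones quoted above, with the SYSCALL lines trimmed.

```python
import re
from collections import defaultdict

# Assumption: the domain each binary should end up in after a domain
# transition. The two type names are the ones mentioned in the thread.
EXPECTED_DOMAIN = {"/usr/sbin/ssmtp": "system_mail_t", "/usr/sbin/squid": "squid_t"}

# Records quoted in the thread; SYSCALL lines trimmed to the fields used here.
SAMPLE = """\
node=frank01.frankly3d.local type=AVC msg=audit(1230466726.28:154): avc: denied { add_name } for pid=4443 comm="sendmail" name="dead.letter" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=frank01.frankly3d.local type=SYSCALL msg=audit(1230466726.28:154): syscall=5 success=no exit=-13 pid=4443 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0
type=AVC msg=audit(1231041733.717:646): avc: denied { read } for pid=6892 comm="squid" name="squid.conf" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:squid_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1231041733.717:646): syscall=2 success=no exit=-13 pid=6892 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")

def parse_events(text):
    """Group audit records by event id and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        match = EVENT_ID.search(line)
        if not match:
            continue
        event = events[match.group(1)]
        for key, value in FIELD.findall(line):
            event.setdefault(key, value.strip('"'))
        perms = PERMS.search(line)
        if perms:
            event["perms"] = perms.group(1).split()
    return events

def missed_transitions(text):
    """Return (exe, actual_type, expected_type, target_type) for each denial
    where a known binary runs in a domain other than its expected one."""
    findings = []
    for event in parse_events(text).values():
        expected = EXPECTED_DOMAIN.get(event.get("exe"))
        if expected is None or "scontext" not in event:
            continue
        actual = event["scontext"].split(":")[2]   # user:role:type:level
        if actual != expected:
            target = event["tcontext"].split(":")[2]
            findings.append((event["exe"], actual, expected, target))
    return findings

if __name__ == "__main__":
    for exe, actual, expected, target in missed_transitions(SAMPLE):
        print(f"{exe}: running as {actual}, expected {expected} (denied on {target})")
```

A hit here means the fix belongs in the policy's transition rule or in the label of the executable, which is what `ls -lZ` on the binary checks, rather than in a relabel of the target file.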
Daniel J Walsh wrote:
Frank Murphy wrote:
This is the first Fedora where I've come across a file called dead-letter. I don't use sendmail, exim is installed, if relevant.
What sendmail is it running and what is it labeled?
ls -lZ PATHTO/sendmail?
No sendmail.
This deadletter file was seemingly caused by something called ssmtp http://linux.die.net/man/8/ssmtp
which seems to have installed itself with F10, and decided to replace exim, without my consent.
Have come across something relevant: http://www.redhat.com/archives/fedora-selinux-list/2008-December/msg00078.ht...
Frank
Frank Murphy wrote:
This deadletter file was seemingly caused by something called ssmtp http://linux.die.net/man/8/ssmtp
ssmtp will leave dead.letter behind if it cannot reach the configured relay MTA. But ssmtp is not the only program that creates dead.letter.
which seems to have installed itself with F10, and decided to replace exim, without my consent.
ssmtp installs /usr/sbin/sendmail.ssmtp and ln -s it to /usr/sbin/sendmail via the standard alternatives system:
postinstall scriptlet (using /bin/sh):
/usr/sbin/alternatives --install /usr/sbin/sendmail mta /usr/sbin/sendmail.ssmtp 30 \
  --slave /usr/bin/mailq mta-mailq /usr/bin/mailq.ssmtp \
  --slave /usr/bin/newaliases mta-newaliases /usr/bin/newaliases.ssmtp \
  --slave /usr/share/man/man1/mailq.1.gz mta-mailqman /usr/share/man/man1/mailq.ssmtp.1.gz \
  --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /usr/share/man/man1/newaliases.ssmtp.1.gz \
  --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /usr/share/man/man8/ssmtp.8.gz
It never replaces exim unless told to, because exim is preferred by yum. Actually, you MUST install ssmtp ON PURPOSE; it never comes as the first choice, and the priorities are chosen so as to be less preferred when compared to sendmail or postfix. However, I have no idea how exim handles this. sendmail is the default mailer chosen by anaconda, which gets replaced by exim or postfix if one chooses not to install sendmail. You have to try really hard to install ssmtp, and it's on purpose like that.
Have come across something relevant: http://www.redhat.com/archives/fedora-selinux-list/2008-December/msg00078.ht...