I didn't want to have a full-fledged MTA on my machines; I tried both esmtp and ssmtp, and both seem unable to work without tripping on SELinux. It looks like they always inherit the context of the calling program, which doesn't have the rights to, say, connect outside on port 25.
Is there a way?
Summary:

SELinux is preventing sendmail (logwatch_t) "name_connect" smtp_port_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context        system_u:object_r:smtp_port_t:s0
Target Objects        None [ tcp_socket ]
Source                sendmail
Source Path           /usr/sbin/ssmtp
Port                  25
Host                  lin1195
Source RPM Packages   ssmtp-2.61-11.7.fc10
Target RPM Packages
Policy RPM            selinux-policy-3.5.13-26.fc10
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           catchall
Host Name             lin1195
Platform              Linux lin1195 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count           1
First Seen            Fri 12 Dec 2008 04:02:05 AM CET
Last Seen             Fri 12 Dec 2008 04:02:05 AM CET
Local ID              631702fa-42b7-444d-b62e-fe50df41bf9f
Line Numbers

Raw Audit Messages

node=lin1195 type=AVC msg=audit(1229050925.485:1082): avc: denied { name_connect } for pid=22689 comm="sendmail" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
node=lin1195 type=SYSCALL msg=audit(1229050925.485:1082): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=ad2d90 a2=10 a3=3b4856da70 items=0 ppid=22433 pid=22689 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=122 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
NM wrote:
> I didn't want to have a full-fledged MTA on my machines; I tried both esmtp and ssmtp, and both seem unable to work without tripping on SELinux. It looks like they always inherit the context of the calling program, which doesn't have the rights to, say, connect outside on port 25.
> Is there a way?

Long term, policy for this type of forwarder would need to be written.

Short term, you could try re-using the sendmail policy:

e.g. # chcon -t sendmail_exec_t /path/to/ssmtp

See if that helps.

Paul.
NM wrote:
> On Fri, 12 Dec 2008 10:18:52 +0000, Paul Howarth wrote:
>> Long term, policy for this type of forwarder would need to be written.
>> Short term, you could try re-using the sendmail policy:
>> e.g. # chcon -t sendmail_exec_t /path/to/ssmtp
>> See if that helps.
> Thanks, will try.
>
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I will add labeling for

/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)

to the policy packages.
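The thread offers two ways out of the denial in the report above: the local policy module that setroubleshoot's FAQ link describes (what audit2allow would generate from the AVC record), or Paul's and Dan's route of labeling the forwarder binary sendmail_exec_t so that callers run it the way the stock policy already lets them run sendmail. The script below is an added example, not code from the thread or from the ssmtp/esmtp packages. It parses the two audit records quoted in the report (embedded verbatim so it runs offline), prints the allow rule the module route would need, and prints the relabel route in its persistent form: chcon as suggested is fine to test with, but the label it sets is lost on the next relabel (restorecon, or a filesystem relabel), whereas semanage fcontext records the mapping so restorecon reapplies it. The function names (avc_field, ctx_type, avc_perms, allow_rule, relabel_fix) are this example's own; it needs only POSIX sh, awk, sed and cut.

```shell
#!/bin/sh
# Added example (not from the thread): derive both candidate fixes from the
# AVC and SYSCALL records quoted in the setroubleshoot report.

# The two audit records from the report, embedded verbatim so this runs offline.
AVC='node=lin1195 type=AVC msg=audit(1229050925.485:1082): avc: denied { name_connect } for pid=22689 comm="sendmail" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'
SYSCALL='node=lin1195 type=SYSCALL msg=audit(1229050925.485:1082): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=ad2d90 a2=10 a3=3b4856da70 items=0 ppid=22433 pid=22689 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=122 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)'

# avc_field RECORD KEY: value of KEY=value in an audit record, with the
# surrounding double quotes stripped (comm="sendmail" -> sendmail).
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permission list between "denied {" and "} for".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for.*/\1/p'
}

# allow_rule RECORD: the TE rule a local module (audit2allow style) would need.
# It grants the permission to the calling domain itself (logwatch_t here), so
# every other caller of the forwarder would need a rule of its own.
allow_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# relabel_fix SYSCALL_RECORD TYPE: the thread's fix in persistent form.
# Use exe= (the file that actually ran), not comm= (just the name it was
# executed as, "sendmail"). semanage stores the mapping so it survives a
# relabel; chcon alone does not.
relabel_fix() {
    exe=$(avc_field "$1" exe)
    printf 'semanage fcontext -a -t %s %s\n' "$2" "$exe"
    printf 'restorecon -v %s\n' "$exe"
}

# Stand-alone run: print both fixes for the records above (nothing is applied).
echo "# local-module route: permission granted to the calling domain only"
allow_rule "$AVC"
echo "# relabel route: the forwarder is executed like sendmail by every caller"
relabel_fix "$SYSCALL" sendmail_exec_t
```

The script only prints commands; run the semanage and restorecon lines as root to apply them, and re-check with ls -Z /usr/sbin/ssmtp. Note that this report was taken in permissive mode (success=yes on the SYSCALL record despite the AVC), so the mail went out; in enforcing mode the same connect(2) (syscall 42 on x86_64) would fail.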
On 12/15/2008 04:22 PM, Daniel J Walsh wrote:
> NM wrote:
>> On Fri, 12 Dec 2008 10:18:52 +0000, Paul Howarth wrote:
>>> Long term, policy for this type of forwarder would need to be written.
>>> Short term, you could try re-using the sendmail policy:
>>> e.g. # chcon -t sendmail_exec_t /path/to/ssmtp
>>> See if that helps.
>> Thanks, will try.
> I will add labeling for
>
> /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>
> to the policy packages.

Thanks, Dan! Now, asking as maintainer of these packages in EPEL: any chance of propagating these policy changes to RHEL 4/5?
Manuel Wolfshant wrote:
> On 12/15/2008 04:22 PM, Daniel J Walsh wrote:
>> NM wrote:
>>> On Fri, 12 Dec 2008 10:18:52 +0000, Paul Howarth wrote:
>>>> Long term, policy for this type of forwarder would need to be written.
>>>> Short term, you could try re-using the sendmail policy:
>>>> e.g. # chcon -t sendmail_exec_t /path/to/ssmtp
>>>> See if that helps.
>>> Thanks, will try.
>> I will add labeling for
>>
>> /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>> /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>>
>> to the policy packages.
>
> Thanks, Dan! Now, asking as maintainer of these packages in EPEL: any chance of propagating these policy changes to RHEL 4/5?
The 5.3 policy, currently in preview as selinux-policy-2.4.6-201.el5, will have the fixed labeling.