I ran "... | mail -s ... aleksey" while running under sysadm_r and I got:
audit(1079685757.727:0): avc: denied { read } for pid=9687 exe=/usr/sbin/sendmail.sendmail name=self dev= ino=2 scontext=aleksey:sysadm_r:sysadm_mail_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079685757.727:0): avc: denied { search } for pid=9687 exe=/usr/sbin/sendmail.sendmail name=9687 dev= ino=634847234 scontext=aleksey:sysadm_r:sysadm_mail_t tcontext=aleksey:sysadm_r:sysadm_mail_t tclass=dir
audit(1079685757.751:0): avc: denied { dac_override } for pid=9688 exe=/usr/sbin/sendmail.sendmail capability=1 scontext=system_u:system_r:sendmail_t tcontext=system_u:system_r:sendmail_t tclass=capability
The first one is probably an issue with how the kernel manages /proc - /proc/self IMHO should not be system_u:object_r:proc_t.
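Added example, not part of the original thread and not code from any SELinux tool: a Python parser for the AVC record format shown in the report above. It accepts records separated by newlines or run together, and extracts the fields used for triage. The sample text is copied from the message; the names parse_avc, source_type, target_type and self_target are this example's own.

```python
import re

# The three denials from the report above, joined into one string.
SAMPLE = (
    "audit(1079685757.727:0): avc: denied { read } for pid=9687 "
    "exe=/usr/sbin/sendmail.sendmail name=self dev= ino=2 "
    "scontext=aleksey:sysadm_r:sysadm_mail_t tcontext=system_u:object_r:proc_t "
    "tclass=lnk_file "
    "audit(1079685757.727:0): avc: denied { search } for pid=9687 "
    "exe=/usr/sbin/sendmail.sendmail name=9687 dev= ino=634847234 "
    "scontext=aleksey:sysadm_r:sysadm_mail_t "
    "tcontext=aleksey:sysadm_r:sysadm_mail_t tclass=dir "
    "audit(1079685757.751:0): avc: denied { dac_override } for pid=9688 "
    "exe=/usr/sbin/sendmail.sendmail capability=1 "
    "scontext=system_u:system_r:sendmail_t "
    "tcontext=system_u:system_r:sendmail_t tclass=capability"
)

# One record: header, verdict, permission set, then key=value fields up to the
# next "audit(" header or the end of the input.
RECORD = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>.*?)(?=\s+audit\(|\s*\Z)",
    re.S,
)
FIELD = re.compile(r"(\w+)=(\S*)")  # values may be empty, e.g. "dev="


def parse_avc(text):
    """Return one dict per AVC record found in text."""
    records = []
    for m in RECORD.finditer(text):
        rec = dict(FIELD.findall(m.group("fields")))
        rec["timestamp"] = float(m.group("ts"))
        rec["verdict"] = m.group("verdict")
        rec["perms"] = m.group("perms").split()
        # Contexts here are user:role:type; keep the type for triage.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
        rec["self_target"] = rec["scontext"] == rec["tcontext"]
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_avc(SAMPLE):
        print(r["verdict"], r["source_type"], "->", r["target_type"],
              r["tclass"], r["perms"], "self" if r["self_target"] else "")
```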
On Fri, 19 Mar 2004 20:03, Aleksey Nogin aleksey@nogin.org wrote:
> The first one is probably an issue with how the kernel manages /proc - /proc/self IMHO should not be system_u:object_r:proc_t.
That seems like a reasonable idea, I wonder what Steve will think.
I've put a new snapshot of my tree on http://www.coker.com.au/selinux/policy.tgz . It has a fix for the hostname issue and changes to sendmail_macros.te and procmail.te to deal with the issues you reported.
If you like living on the edge then you can run your machine entirely from my policy instead of Dan's package. Otherwise just selectively copy the files you want.
selinux@lists.fedoraproject.org