On Wed, 2010-10-27 at 18:48 -0500, Philip Prindeville wrote:
> Anyone else using F13 or F14 with Selinux set to enforcing mode?
>
> I tried this and had to set it to permissive...
>
> I was seeing the following:
>
>
> type=AVC msg=audit(1288040380.964:21719): avc: denied { connectto } for
> pid=1955 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock"
> scontext=unconfined_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> type=AVC msg=audit(1288040873.720:21726): avc: denied { execute_no_trans }
> for pid=2221 comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail"
> dev=sda3 ino=291976 scontext=system_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> The offending records seem to have been:
>
> type=AVC msg=audit(1288040380.964:21719): avc: denied { connectto } for
> pid=1955 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock"
> scontext=unconfined_u:system_r:sendmail_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1288040873.720:21726): avc: denied { execute_no_trans }
> for pid=2221 comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail"
> dev=sda3 ino=291976 scontext=system_u:system_r:spamd_t:s0
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>
> Oh, and it was pointed out that the .sock and .pid files should be going into
> /var/run and not /var/spool.
>
> Looking at config.in:
>
> dnl Allow specification of spool dir
> AC_ARG_WITH(spooldir,
> [ --with-spooldir=DIR specify location of spool directory
> (/var/spool/MIMEDefang)],
> SPOOLDIR=$with_spooldir, SPOOLDIR=/var/spool/MIMEDefang)
>
>
> This could easily be changed, but then it should probably be renamed too.
>
> -Philip
The problem with putting them into /var/run is file permission problems.
Mimedefang doesn't run as root. It runs as an unprivileged user to
prevent security problems. And from my (albeit limited) knowledge of
mimedefang, there is no reason for it to ever have root privileges.
It may be a good idea for an SELinux policy file to be written for
mimedefang and incorporated into the build system. It is certainly
unique enough for it.
--
Stephen L Johnson <[email protected]>
Unix Systems Administrator / DNS Hostmaster
Department of Information Systems
State of Arkansas
501-682-4339
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
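Following Stephen's suggestion of a dedicated policy, here is an added example (not from the thread or the MIMEDefang project): a small Python script that merges the two AVC records quoted above into the allow rules audit2allow would emit, and flags that the socket denial targets initrc_t, meaning the daemon is running in the generic init-script domain rather than one of its own. The input is the thread's own two records, joined onto single lines as they appear in audit.log.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the thread, each re-joined onto one line
# (audit.log writes one record per line; the mail client wrapped them).
AVC_RECORDS = """\
type=AVC msg=audit(1288040380.964:21719): avc: denied { connectto } for pid=1955 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1288040873.720:21726): avc: denied { execute_no_trans } for pid=2221 comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=291976 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

# Pull the permission set and the three fields a TE rule is keyed on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Generic domains: a target here means the daemon has no policy of its own.
GENERIC_DOMAINS = {"initrc_t", "unconfined_t"}


def type_of(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))


def allow_rules(text):
    """Merge denials sharing (source, target, class) into one allow rule each,
    the same shape audit2allow -M would put in the generated .te file."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def generic_targets(text):
    """Target types that show a daemon still runs in a catch-all domain."""
    return sorted({tgt for _, tgt, _, _ in parse_denials(text)
                   if tgt in GENERIC_DOMAINS})


if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_RECORDS)))
    print("daemon in generic domain:", generic_targets(AVC_RECORDS))
```

The connectto rule against initrc_t would let sendmail reach any stream socket owned by any init-script process, not just mimedefang's; giving mimedefang its own domain (as Stephen proposes) keeps the rule narrow.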