Hello, i get this warning from selinux :

"SELinux is preventing /bin/mailx from append access on the file /var/lib/rkhunter/rkhcronlog.OmRFCZOynG."

I tried to fix it by
"# /sbin/restorecon -v /var/lib/rkhunter/rkhcronlog.OmRFCZOynG" as suggested by SELinux but it comes back with another warning, but with a different /rkhcronlog.xxxxxxxxx...

Can anyone help me address this issue/warnings.. i think its just a way of rkhunter logging issue -.
attached here is the actual error message by selinux.

thanks for the help! :)

This issue is probably a bit more complicated then it seems, and the solution described below it probably not optimal:

desciption of the event:

A cronjob, probably one that is included in the rkhunter package, created a file /var/lib/rkhunter/rkhcronlog.OmRFCZOynG.
The same cronjob or crond itself runs the mail command which in turn wants to atleast append to the file.

suggested solution:

Allow the mail command (system_mail_t) to append /var/lib/rkhunter/rkhcronlog.OmRFCZOynG.

complications:

by allowing this we allow all processes running in the system_mail_t domain to append to cron_var_lib_t type files.
fortunately it seems that system_mail_t does not actually need to open the file (looks like cron passes the open file to mail command.

implement suggested solution:


mkdir ~/mymta; cd ~/mymta;
echo "policy_module(mymta, 1.0.0) optional_policy(\` gen_require(\` type system_mail_t, cron_var_lib_t; ') allow system_mail_t cron_var_lib_t:file append; ')
make -f /usr/share/selinux/devel/Makefile mymta.pp
sudo semodule -i mymta.pp (or su -c semodule -i mymta.pp)


long term solution suggested:

file a bug report to redhat.bugzilla.com in the selinux-policy component. Inclose the following information with your report:


type=AVC msg=audit(1300180566.329:32): avc: denied { append } for pid=8878 comm="mail" path="/var/lib/rkhunter/rkhcronlog.OmRFCZOynG" dev=dm-3 ino=525519 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file

Thanks for the reply.... I'll go for the "long term solution" and file a bug report for now. thanks again! :)

the problem is the log, it always changes,

Thanks for the reply.... I'll go for the "long term solution" and file a bug report for now. thanks again! :)

I got the same issue. Would you please tell me the bug ID or provide a link to it on Bugzilla?

Thanks.

The solution is even easier:

edit your /etc/rkhunter.conf file and change the:
MAIL-ON-WARNING="root"

to

MAIL-ON-WARNING=""

I fixed this default in rawhide, but it did not seem worth pushing back to stable releases without any other change. (It's been this way since forever, although the selinux notice might be newer).

The solution is even easier:

edit your /etc/rkhunter.conf file and change the:
MAIL-ON-WARNING="root"

to

MAIL-ON-WARNING=""


Made the change you suggested. Thanks.