Fedora Linux Support Community & Resources Center

  #1  
Old 1st July 2007, 04:34 AM
zantehood Offline
Registered User
 
Join Date: Jun 2007
Posts: 16
possibly compromised? SELinux sendmail message

I was sitting doing mundane, everyday tasks while listening to some music on my laptop,
and I saw this message from the syslog:

Sun Jul 1 05:23:20 2007 [localhost setroubleshoot] SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files (/tmp/fileWBjuQB (deleted)). For complete SELinux messages. run sealert -l 2bb7169a-650d-4f97-ba91-a3d2963a9fcc

Of course, I ran the sealert troubleshooter:

Code:
[root@sinserv ~]# sealert -l 2bb7169a-650d-4f97-ba91-a3d2963a9fcc
Summary
    SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially
    mislabeled files (/tmp/fileWBjuQB (deleted)).

Detailed Description
    SELinux has denied /usr/sbin/sendmail.sendmail access to potentially
    mislabeled file(s) (/tmp/fileWBjuQB (deleted)).  This means that SELinux
    will not allow /usr/sbin/sendmail.sendmail to use these files.  It is common
    for users to edit files in their home directory or tmp directories and then
    move (mv) them to system directories.  The problem is that the files end up
    with the wrong file context which confined applications are not allowed to
    access.

Allowing Access
    If you want /usr/sbin/sendmail.sendmail to access this files, you need to
    relabel them using restorecon -v /tmp/fileWBjuQB (deleted).  You might want
    to relabel the entire directory using restorecon -R -v /tmp.

Additional Information

Source Context                system_u:system_r:system_mail_t
Target Context                system_u:object_r:crond_tmp_t
Target Objects                /tmp/fileWBjuQB (deleted) [ file ]
Affected RPM Packages         sendmail-8.14.1-2 [application]
Policy RPM                    selinux-policy-2.6.4-21.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     sinserv
Platform                      Linux sinserv 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
                              15:37:31 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Sun Jul  1 05:23:16 2007
Last Seen                     Sun Jul  1 05:23:16 2007
Local ID                      2bb7169a-650d-4f97-ba91-a3d2963a9fcc
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=0
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0
name="fileWBjuQB" path=2F746D702F66696C6557426A755142202864656C6574656429
pid=3457 scontext=system_u:system_r:system_mail_t:s0 sgid=51
subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:crond_tmp_t:s0 tty=(none) uid=0

It should also be noted that sendmail isn't running.
Could this very well be a rootkit of some sort, or what?
I'm not running any kind of servers, as this is a portable machine.

edit:

The sendmail.sendmail application seems to be a duplicate of the original sendmail app,
seeing as they both have the same MD5 sums:

Code:
[root@sinserv sbin]# md5sum sendmail.sendmail
5a7b52ff81e872c21a174508d9c52cde  sendmail.sendmail
[root@sinserv sbin]# md5sum sendmail
5a7b52ff81e872c21a174508d9c52cde  sendmail
[root@sinserv sbin]#

Any light on the subject will be greatly appreciated.

Last edited by zantehood; 1st July 2007 at 04:38 AM.
  #2  
Old 1st July 2007, 05:37 AM
stevea Online
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,298
Tho' I'm no SELinux guru, I think it's highly unlikely that your system has been compromised.

Go examine the file /tmp/fileWBjuQB (if it hasn't been deleted) and see what it is.

FWIW, every process and file under SELinux must have a context, and there is a kernel module full of rules that determine exactly when a context can do what to objects of the same or other contexts. It's really quite hairy, but the upshot is this: if you run with SELinux off and create files or install packages, then these files need to be labelled. There is a "relabel files at next reboot" somewhere down the rathole of GUI managers for SELinux. *BUT* relabelling a disk full of files will take a long time, perhaps hours. I suspect that something was incorrectly labelled, leading to the snafu.
  #3  
Old 1st July 2007, 07:27 AM
zantehood Offline
Registered User
 
Join Date: Jun 2007
Posts: 16
Yes, I'm aware that you can relabel files or the entire filesystem, as I have done that on FC6.
Though I'm not interested in relabeling, I'm wondering what the application sendmail.sendmail would want with /tmp/fileWBjuQB, especially since sendmail is disabled for all runlevels.
  #4  
Old 1st July 2007, 10:11 AM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 3,916
Disabling it in a runlevel doesn't stop it from working.

The denial was for sendmail, but you need to find the program/script that invoked it and tried to send the mail (e.g. there have been problems with squirrelmail using sendmail). For example, if you've installed something like mediawiki for personal purposes, or some monitoring script that is set to send reports via email, that is usually the cause of this kind of denial.

You can then disable the mailing option in the script's configs, or change the temporary dir for outgoing mails and label that correctly, or you could try to find an up-to-date policy for it.
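The raw audit record in post #1 carries the object path hex-encoded (the audit subsystem does that when a value contains a space, here the " (deleted)" suffix), and as pete_1967 notes in #4, the useful clue is which program created the temp file rather than sendmail itself. The Python below is an added example, not code from the thread: it parses that record, decodes the path, and reads the target type's `_tmp_t` prefix as a hint about the creating service (a naming heuristic assumed here, not a policy lookup).

```python
import re

# Constructed sample: the raw AVC record from the first post, re-joined onto one line.
AVC_SAMPLE = (
    'avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=0 '
    'exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 '
    'name="fileWBjuQB" path=2F746D702F66696C6557426A755142202864656C6574656429 '
    'pid=3457 scontext=system_u:system_r:system_mail_t:s0 sgid=51 '
    'subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:crond_tmp_t:s0 tty=(none) uid=0'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
VERDICT_RE = re.compile(r'avc:\s+(\w+)\s+\{\s*([^}]*)\}')

def parse_avc(line):
    """Split one AVC record into a dict. Quoted values lose their quotes; an
    unquoted path/name is audit's hex encoding and is decoded back to text."""
    verdict = VERDICT_RE.search(line)
    rec = {"result": verdict.group(1), "perms": verdict.group(2).split()}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in ("path", "name") and re.fullmatch(r"[0-9A-Fa-f]+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    return rec

def selinux_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def explain(rec):
    """Who asked for what, and which service's temp-file label the object has.
    Heuristic (an assumption, not a policy lookup): a *_tmp_t target type was
    set by the temp-file transition of the service its prefix names, so
    crond_tmp_t points at a cron job as the creator of the file."""
    target = selinux_type(rec["tcontext"])
    return {
        "source_type": selinux_type(rec["scontext"]),
        "perms": rec["perms"],
        "path": rec["path"],
        "deleted": rec["path"].endswith("(deleted)"),
        "target_type": target,
        "creator_hint": target[:-len("_tmp_t")] if target.endswith("_tmp_t") else None,
    }

if __name__ == "__main__":
    for k, v in explain(parse_avc(AVC_SAMPLE)).items():
        print(f"{k:13} {v}")
```

With the creator hint pointing at cron, the next place to look is the cron jobs on the host (system and per-user crontabs) for one that sends mail, which matches the monitoring-script scenario described above.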