#1
22nd May 2008, 02:42 PM
cwebster
SELinux prevents logwatch email

SELinux seems to have problems with sendmail on our Fedora 8 machine. When we first rolled it out I had to compile a custom policy to get sendmail to work. It was choking while checking for ".forward" files in home dirs.

Now Logwatch is choking when it tries to send the daily report from Cron. Here is the message I get from cron:

Code:
/etc/cron.daily/0logwatch:

Can't exec "/usr/sbin/sendmail": Permission denied at /etc/cron.daily/0logwatch line 1022, <TESTFILE> line 3.
Can't execute /usr/sbin/sendmail -t: Permission denied

Here is the associated audit message:

Code:
May 21 04:50:26 axl kernel: audit(1211359826.011:5): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process

I get a pair of these each day.

I found a few other instances of problems running sendmail from cron while googling but those resulted in avc denials, whereas this results in "security_compute_sid: invalid context" message.

I don't see an SELinux boolean to cover cron executing sendmail. Anyone have an idea on how to resolve this?

Thanks in advance.
__________________
./Cal
#2
27th May 2008, 08:05 PM
Karl_W_Lewis
I don't know, I've not had that problem, but have you checked the context of the various sendmail .forward files?

ls -lZ whatever

Have a look at this thread, maybe it'll help.

http://www.redhat.com/archives/fedor.../msg00091.html

KWL
#3
2nd June 2008, 01:54 PM
cwebster
Thanks Karl, but that's not my problem. I solved that issue in this thread with a combination of changes to sendmail.cf and compiling a new SELinux policy.

http://forums.fedoraforum.org/showth...8&goto=newpost

My issue only affects sendmail running from the logwatch cron job. The audit message seems to indicate that "crond" is not allowed to run the sendmail executable. There's no SELinux boolean to cover this and, since it doesn't produce an avc denial, I can't use "audit2why" and "audit2allow" to produce a workable policy module. I'll have to try some manual policy module constructs I guess.

I can't believe I'm the only one running "logwatch" on F8.
__________________
./Cal
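An added example, not written by anyone in this thread: a small Python parser that separates `security_compute_sid: invalid context` records from AVC denials (the distinction cwebster draws above) and reports which fields of the rejected context differ from the source context. The first sample line is the message from post #1; the second is constructed for contrast, and all function names are this example's own.

```python
import re

# Line 1 is the audit message quoted in post #1. Line 2 is a constructed
# AVC denial (hypothetical types), included only for contrast.
SAMPLE_LOG = """\
May 21 04:50:26 axl kernel: audit(1211359826.011:5): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
May 21 04:50:27 axl kernel: audit(1211359827.000:6): avc:  denied  { read } for  pid=4242 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
"""

HEADER = re.compile(r"audit\([\d.]+:(?P<serial>\d+)\):\s+(?P<body>.*)")
INVALID = re.compile(r"security_compute_sid:\s+invalid context (?P<computed>\S+) for (?P<rest>.*)")
FIELDS = ("user", "role", "type", "level")


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain colons."""
    return dict(zip(FIELDS, ctx.split(":", 3)))


def parse_line(line):
    """Classify one kernel audit line and extract its SELinux contexts."""
    m = HEADER.search(line)
    if not m:
        return None
    body = m.group("body")
    inv = INVALID.match(body)
    kind = "invalid_context" if inv else "avc" if body.startswith("avc:") else "other"
    rec = {"serial": int(m.group("serial")), "kind": kind}
    if inv:
        rec["computed"] = split_context(inv.group("computed"))
        body = inv.group("rest")
    kv = dict(re.findall(r"(\w+)=(\S+)", body))
    rec["tclass"] = kv.get("tclass")
    for key in ("scontext", "tcontext"):
        if key in kv:
            rec[key] = split_context(kv[key])
    if inv:
        # Fields where the rejected context differs from the source context.
        src = rec.get("scontext", {})
        rec["changed"] = [f for f in FIELDS if rec["computed"].get(f) != src.get(f)]
    return rec


def summarize(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["serial"], rec["kind"], rec.get("changed", ""))
```

For the thread's message only the type changes (unconfined_crond_t to system_mail_t) while user, role and level carry over from the already valid source context, which points the policy investigation at whether role unconfined_r is permitted type system_mail_t.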
#4
2nd June 2008, 02:22 PM
Evil_Bert
Quote:
Originally Posted by cwebster
I can't believe I'm the only one running "logwatch" on F8.

You're not, but I couldn't be arsed to fix the issue.
__________________
.
Marching to the beat of his own conundrum.
#5
3rd June 2008, 07:44 PM
cwebster
Not sure what you mean Bert, but I'll certainly post the solution when I figure it out. I think that others would probably just change to permissive mode if they need logwatch, rather than deal with SELinux policies. I use permissive mode only for troubleshooting. I've done several manual policy changes under the older SELinux in RHEL4 so I guess I'll just have to extrapolate from that. I've gotta free up some time, though.
__________________
./Cal