[Mimedefang] Selinux issues w/ Fedora?

Philip Prindeville philipp_subx at redfish-solutions.com
Wed Oct 27 19:48:24 EDT 2010 

Anyone else using F13 or F14 with Selinux set to enforcing mode?

I tried this and had to set it to permissive...

I was seeing the following:


type=AVC msg=audit(1288040380.964:21719): avc:  denied  { connectto } for  pid=1955 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

     Was caused by:
         Missing type enforcement (TE) allow rule.

         You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1288040873.720:21726): avc:  denied  { execute_no_trans } for  pid=2221 comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=291976 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

     Was caused by:
         Missing type enforcement (TE) allow rule.

         You can use audit2allow to generate a loadable module to allow this access.




the offending records seem to have been:

type=AVC msg=audit(1288040380.964:21719): avc:  denied  { connectto } for  pid=1955 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1288040873.720:21726): avc:  denied  { execute_no_trans } for  pid=2221 comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=291976 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file




Oh, and it was pointed out that the .sock and .pid files should be going into /var/run and not /var/spool.

Looking at config.in:

dnl Allow specification of spool dir
AC_ARG_WITH(spooldir,
[  --with-spooldir=DIR     specify location of spool directory
                           (/var/spool/MIMEDefang)],
         SPOOLDIR=$with_spooldir, SPOOLDIR=/var/spool/MIMEDefang)


This could easily by changed, but then it should probably be renamed too.

-Philip

More information about the MIMEDefang mailing list