[Mimedefang] Selinux issues w/ Fedora?

Stephen L Johnson stephen.johnson at arkansas.gov
Thu Oct 28 12:07:46 EDT 2010


On Wed, 2010-10-27 at 18:48 -0500, Philip Prindeville wrote:
> Anyone else using F13 or F14 with Selinux set to enforcing mode?
> 
> I tried this and had to set it to permissive...
> 
> I was seeing the following:
> 
> 
> type=AVC msg=audit(1288040380.964:21719): avc:  denied  { connectto } for  pid=1955 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> 
>      Was caused by:
>          Missing type enforcement (TE) allow rule.
> 
>          You can use audit2allow to generate a loadable module to allow this access.
> 
> type=AVC msg=audit(1288040873.720:21726): avc:  denied  { execute_no_trans } for  pid=2221 comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=291976 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> 
>      Was caused by:
>          Missing type enforcement (TE) allow rule.
> 
>          You can use audit2allow to generate a loadable module to allow this access.
> 
> the offending records seem to have been:
> 
> type=AVC msg=audit(1288040380.964:21719): avc:  denied  { connectto } for  pid=1955 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1288040873.720:21726): avc:  denied  { execute_no_trans } for  pid=2221 comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=291976 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> 
> Oh, and it was pointed out that the .sock and .pid files should be going into /var/run and not /var/spool.
> 
> Looking at config.in:
> 
> dnl Allow specification of spool dir
> AC_ARG_WITH(spooldir,
> [  --with-spooldir=DIR     specify location of spool directory
>                            (/var/spool/MIMEDefang)],
>          SPOOLDIR=$with_spooldir, SPOOLDIR=/var/spool/MIMEDefang)
> 
> 
> This could easily be changed, but then it should probably be renamed too.
> 
> -Philip

The problem with putting them into /var/run is file permission problems.
Mimedefang doesn't run as root. It runs as an unprivileged user to
prevent security problems. And from my (albeit limited) knowledge of
mimedefang, there is no reason for it to ever have root privileges. 

It may be a good idea for a SELinux policy file to be written for
mimedefang and incorporated into the build system. It is certainly
unique enough for it. 
-- 
Stephen L Johnson  <stephen.johnson at arkansas.gov>
Unix Systems Administrator / DNS Hostmaster
Department of Information Systems
State of Arkansas
501-682-4339
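For readers following the audit2allow suggestion in the quoted denials, here is an added example (not code from the list or from MIMEDefang) that parses the two AVC records quoted above, extracts the source domain, target type, class and permissions, and merges them into TE allow rules. It also flags the `execute_no_trans` rule, since allowing it runs sendmail inside `spamd_t` instead of transitioning to `sendmail_t`, which is the broader of the two grants and worth a look before loading the module.

```python
import re

# The two AVC records quoted in the thread above (taken from the page, not constructed).
AVC_LINES = [
    'type=AVC msg=audit(1288040380.964:21719): avc:  denied  { connectto } for  pid=1955 '
    'comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock" '
    'scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 '
    'tclass=unix_stream_socket',
    'type=AVC msg=audit(1288040873.720:21726): avc:  denied  { execute_no_trans } for  pid=2221 '
    'comm="mimedefang.pl" path="/usr/sbin/sendmail.sendmail" dev=sda3 ino=291976 '
    'scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 '
    'tclass=file',
]

# Permissions in the denied set, then the source/target contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the parts of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type:level; the third field is the type/domain.
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def te_rules(lines):
    """Merge denials per (source, target, class) and emit TE allow rules."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        merged.setdefault((d["sdomain"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def needs_review(rules):
    """Rules that widen a domain rather than just open a socket: execute without transition."""
    return [r for r in rules if "execute_no_trans" in r]
```

Running `te_rules(AVC_LINES)` yields one rule per denial; `needs_review` returns only the spamd_t rule, which a dedicated MIMEDefang policy would replace with a domain transition.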