[DSE-Dev] Bug#697845: selinux-policy-default: exim4 cannot read its own config

Marius Gavrilescu marius at ieval.ro
Thu Jan 10 11:01:19 UTC 2013


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

My audit.log contains the following entries:
    type=AVC msg=audit(1357788322.941:17596): avc:  denied  { read } for  pid=5136 comm="sendmail" name="config.autogenerated" dev=sda1 ino=25298455 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
    type=AVC msg=audit(1357788322.941:17596): avc:  denied  { open } for  pid=5136 comm="sendmail" name="config.autogenerated" dev=sda1 ino=25298455 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
    type=SYSCALL msg=audit(1357788322.941:17596): arch=c000003e syscall=2 success=yes exit=3 a0=7f2ad698f690 a1=0 a2=1b6 a3=0 items=1 ppid=5128 pid=5136 auid=1000 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) ses=1335 comm="sendmail" exe="/usr/sbin/exim4" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
    type=CWD msg=audit(1357788322.941:17596):  cwd="/home/marius"
    type=PATH msg=audit(1357788322.941:17596): item=0 name="/var/lib/exim4/config.autogenerated" inode=25298455 dev=08:01 mode=0100644 ouid=0 ogid=103 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
    type=AVC msg=audit(1357788322.941:17597): avc:  denied  { getattr } for  pid=5136 comm="sendmail" path="/var/lib/exim4/config.autogenerated" dev=sda1 ino=25298455 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
    type=SYSCALL msg=audit(1357788322.941:17597): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff9571cef0 a2=7fff9571cef0 a3=0 items=0 ppid=5128 pid=5136 auid=1000 uid=0 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 tty=(none) ses=1335 comm="sendmail" exe="/usr/sbin/exim4" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Apparently exim4 is not allowed to read its own config file.

While my knowledge of SELinux is almost nil, I think that either
exim4 should be running as exim_something_t instead of system_mail_t
or system_mail_t should be allowed to read exim config files.

ll -Z /var/lib/exim4/ says:
    total 36K
    drwxr-xr-x.  2 root root        system_u:object_r:var_lib_t:SystemLow 4.0K Jan  8 17:03 .
    drwxr-xr-x. 42 root root        system_u:object_r:var_lib_t:SystemLow 4.0K Jan  7 14:26 ..
    -rw-r--r--.  1 root root        system_u:object_r:var_lib_t:SystemLow    4 Jan  3 23:32 berkeleydbvers.txt
    -rw-r--r--.  1 root Debian-exim system_u:object_r:var_lib_t:SystemLow  24K Jan  8 17:03 config.autogenerated

I think that the contents of this directory should be exim_something_t,
not var_lib_t.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3~rc2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
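As an added triage example (not part of the bug report), the following Python script parses AVC records like the ones quoted above, groups the denials by source type, target type and object class, and flags targets carrying a generic label such as var_lib_t, which is the labelling problem the reporter suspects. The GENERIC_TYPES set is a heuristic assumed here, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the report plus one non-AVC line to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357788322.941:17596): avc:  denied  { read } for  pid=5136 comm="sendmail" name="config.autogenerated" dev=sda1 ino=25298455 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1357788322.941:17596): avc:  denied  { open } for  pid=5136 comm="sendmail" name="config.autogenerated" dev=sda1 ino=25298455 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1357788322.941:17596): arch=c000003e syscall=2 success=yes exit=3 comm="sendmail" exe="/usr/sbin/exim4"
type=AVC msg=audit(1357788322.941:17597): avc:  denied  { getattr } for  pid=5136 comm="sendmail" path="/var/lib/exim4/config.autogenerated" dev=sda1 ino=25298455 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Catch-all target types: a denial against one of these usually means the file is mislabelled (assumed heuristic).
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    return rec

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class); merge permissions and object names/paths."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        for field in ("path", "name"):
            if field in rec:
                g["objects"].add(rec[field])
    return dict(groups)

def likely_mislabel(key):
    # Target type is a generic label: check file contexts before adding allow rules.
    return key[1] in GENERIC_TYPES
```

Running summarize_denials over the sample yields one group, (system_mail_t, var_lib_t, file) with permissions read, open and getattr, which likely_mislabel flags because var_lib_t is a generic label.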



More information about the SELinux-devel mailing list