From: Dan Berberich <dberb_at_bellatlantic.net>
subject: sendmail config question
Date: Tue, 20 Nov 2001 14:58:57 -0500


When simply sending mail from root to user or from user to user on localhost I get an avc denial message:

avc: denied { remove_name search } for pid=675 exc=/bin/mail path=/var/spool/mail/user_02 dev=03:05 ino=310085 scontext=user_02:user_r:user_t tcontext=system_u:object:r:mail_spool_t tclass=dir

BUT, mail to root does not get denied.
Looking at sendmail.te there is the line:

        allow sendmail_t mail_spool_t:dir rw_dir_perms

How would I add remove_name and search (and other additional permissions for the directory file class)? I cannot seem to find the macro definition for them.

thank you
-Dan Berberich

--

You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: sendmail config question
Date: Tue, 20 Nov 2001 15:32:10 -0500 (EST)

On Tue, 20 Nov 2001, Dan Berberich wrote:

> When simply sending mail from root to user or from user to user on
> localhost I get an avc denial message
> avc: denied { remove_name search } for pid=675 exc=/bin/mail
> path=/var/spool/mail/user_02 dev=03:05 ino=310085
> scontext=user_02:user_r:user_t
> tcontext=system_u:object:r:mail_spool_t
> class=dir

This indicates that the /bin/mail program is trying to directly drop the message into /var/spool/mail. Since /bin/mail doesn't run in a separate domain and the ordinary user domain lacks these permissions, this access is denied.

On my system, when I send mail to a local user (whether from root to a user or from a user to a user), the sendmail program is executed by mail, which does cause a transition to a new domain (either user_mail_t or sysadm_mail_t, depending on whether you were logged in as user_t or sysadm_t) that can write to /var/spool/mail. And even if I were to place /bin/mail into a domain that can write to /var/spool/mail, the Unix permissions wouldn't allow this behavior, since /bin/mail isn't setuid or setgid and /var/spool/mail isn't world-writable.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
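An added illustration of the triage Stephen describes (example code written for this archive page, not from either poster or from the SELinux project): it parses an AVC denial of the form quoted above into its fields, shows the literal allow rule the denial would ask for, and flags that the source domain is not one of the mail domains (user_mail_t / sysadm_mail_t) named in the reply, i.e. that /bin/mail did not transition. The sample denial is constructed from the one in the thread, using the kernel's field names exe= and tclass=, and the parser also accepts the exc= / class= spellings seen in the transcription.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the denial quoted in the question (not a real capture).
SAMPLE_AVC = (
    "avc: denied { remove_name search } for pid=675 exe=/bin/mail "
    "path=/var/spool/mail/user_02 dev=03:05 ino=310085 "
    "scontext=user_02:user_r:user_t tcontext=system_u:object_r:mail_spool_t tclass=dir"
)

# Domains that the reply says legitimately write to /var/spool/mail.
SPOOL_WRITER_DOMAINS: Set[str] = {"user_mail_t", "sysadm_mail_t", "sendmail_t"}

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")


def parse_avc(line: str) -> Dict[str, object]:
    """Split one AVC message into result, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC message: %r" % line)
    rec: Dict[str, object] = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = value
    # Tolerate the transcribed spellings: "exc" for exe, bare "class" for tclass.
    rec["tclass"] = rec.get("tclass") or rec.get("class")
    rec["exe"] = rec.get("exe") or rec.get("exc")
    return rec


def type_of(context: str) -> str:
    """Contexts here are user:role:type; the type is the last field."""
    return context.rsplit(":", 1)[-1]


def literal_rule(rec: Dict[str, object]) -> str:
    """The allow rule that would silence this exact denial (what audit-driven tools emit)."""
    perms: List[str] = sorted(rec["perms"])  # type: ignore[arg-type]
    return "allow %s %s:%s { %s };" % (
        type_of(str(rec["scontext"])), type_of(str(rec["tcontext"])), rec["tclass"], " ".join(perms))


def missing_transition(rec: Dict[str, object], writers: Set[str] = SPOOL_WRITER_DOMAINS) -> bool:
    """True when a non-mail domain touched mail_spool_t: the program ran in the
    caller's domain instead of transitioning, so widening that domain is the wrong fix."""
    return type_of(str(rec["tcontext"])) == "mail_spool_t" and type_of(str(rec["scontext"])) not in writers


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(literal_rule(rec), "| missing transition:", missing_transition(rec))
```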

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT