Hello,

Perhaps this is why mail is the #1 exploited service. So what's the solution?

Ed

=> -----Original Message-----
=> From: owner-selinux@tycho.nsa.gov

[mailto:owner-selinux@tycho.nsa.gov] On
=> Behalf Of Russell Coker
=> Sent: Wednesday, July 10, 2002 3:46 AM
=> To: SE Linux
=> Subject: audit bug in fd handling
=>
=> It seems that when a file handle open read/write is inherited by a
domain
=> that is permitted read access only, an error about write access will
be
=> logged - even if there is a dontaudit rule!
=>
=> Here's the dmesg log:
=> avc: denied { write } for pid=4731 exe=/usr/sbin/sendmail
=> path=/spool/fcron/fcrjob-Ldo3Uf (deleted) dev=03:08 ino=27923
=> scontext=system_u:system_r:system_mail_t
=> tcontext=system_u:object_r:system_crond_tmp_t tclass=file
=>
=> Here's a grep from policy.conf:
=> dontaudit system_mail_t system_crond_tmp_t:file write;
=>
=>
=> Incidentally I'm changing the way mail sending operates. Having
daemons
=> send
=> mail as sysadm_mail_t is ugly, and having them send mail as
user_mail_t
=> is
=> wrong. I've created a new system_mail_t for this.
=>
=> --
=> I do not get viruses because I do not use MS software.
=> If you use Outlook then please do not put my email address in your
=> address-book so that WHEN you get a virus it won't use my address in
the
=> >From field.
=>
=> --
=> You have received this message because you are subscribed to the
selinux
=> list.
=> If you no longer wish to subscribe, send mail to
majordomo@tycho.nsa.gov
=> with
=> the words "unsubscribe selinux" without quotes as the message.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.