https://bugzilla.redhat.com/show_bug.cgi?id=480129

Erik M Jacobs <ejacobs@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Target Release|                            |---

--- Comment #6 from Erik M Jacobs <ejacobs@xxxxxxxxxx> 2012-03-31 18:36:12 EDT ---

OK, I think I spoke too soon. Here's the latest situation:

[root@atlas /etc/puppet]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5
[root@atlas /etc/puppet]$ getenforce
Permissive
[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3230] terminated by SIGTERM
[ OK ]
amavisd stopped
Starting amavisd: [ OK ]

In this configuration, nothing gets logged to the audit log (yes, permissive).

If we switch to enforcing:

[root@atlas /etc/puppet]$ setenforce 1
[root@atlas /etc/puppet]$ getenforce
Enforcing
[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Error: /proc must be mounted
  To mount /proc at boot you need an /etc/fstab line like:
      /proc   /proc   proc    defaults
  In the meantime, run "mount /proc /proc -t proc"
Daemon [3286] terminated by SIGTERM
[ OK ]
amavisd stopped
Starting amavisd: [ OK ]

SELinux is definitely doing something naughty.

Apparently there are some things that default policies set to not audit:
http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/9234

Disabling the dontaudit and going to permissive:

[root@atlas /etc/puppet]$ semodule -DB
[root@atlas /etc/puppet]$ setenforce 0
[root@atlas /etc/puppet]$ getenforce
Permissive
[root@atlas /etc/puppet]$ service amavisd restart
Shutting down amavisd: Daemon [3315] terminated by SIGTERM
[ OK ]
amavisd stopped
Starting amavisd: [ OK ]
[root@atlas /etc/puppet]$ date
Sat Mar 31 22:33:06 GMT 2012
[root@atlas /etc/puppet]$ ausearch -m avc -ts 22:33 | audit2allow

#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

This looks good, I guess. But this module won't compile and install:

[root@atlas ~]$ ausearch -m avc -ts 22:33 | audit2allow -M amavisd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i amavisd.pp

[root@atlas ~]$ cat amavisd.te

module amavisd 1.0;

require {
	type amavis_t;
	type security_t;
	type proc_t;
	type user_home_dir_t;
	type selinux_config_t;
	type shadow_t;
	class file { read getattr };
	class dir search;
}

#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

[root@atlas ~]$ semodule -i amavisd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow amavis_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

So I'm at a loss as to how to actually generate a policy here that will work.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
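The module above fails because `audit2allow` copies every denial into an `allow` rule, including one (`amavis_t` reading `shadow_t`) that the base policy's assertions forbid for any ordinary domain, so `semodule` rejects the whole package. The following is an added example, not code from the bug reporter, Red Hat or the amavisd project: a small Python script that parses the `.te` rules `audit2allow` printed (embedded here as a constructed sample taken from the comment), strips the permissions listed in an assumed `ASSERTED` table (only `shadow_t:file read` is evidenced on the page; the table is where further assertions `semodule` reports would go), and regenerates a `.te` with a matching `require` block plus a comment recording what was left out for follow-up. Function names (`parse_rules`, `split_rules`, `render_te`) are this example's own.

```python
"""Split audit2allow output into rules the base policy will accept and
rules that hit its assertions (neverallow), so the module compiles."""
import re
from collections import defaultdict

# Constructed sample input: the allow rules audit2allow printed in the bug
# comment, embedded so the example runs without an SELinux host.
GENERATED_TE = """\
#============= amavis_t ==============
allow amavis_t proc_t:file read;
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;
"""

# Assumption: (target type, class) -> permissions the base policy asserts
# no ordinary domain may hold. Only shadow_t:file read is evidenced on the
# page (it is exactly what libsepol reported); extend as semodule reports.
ASSERTED = {("shadow_t", "file"): {"read"}}

RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;"
)


def parse_rules(text):
    """Return (source, target, class, set_of_perms) for each allow line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, require blocks
        perms = set(m.group("perms").strip("{} ").split())
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def split_rules(rules, asserted=ASSERTED):
    """Separate permissions the base policy accepts from asserted ones."""
    ok, violating = [], []
    for src, tgt, cls, perms in rules:
        bad = perms & asserted.get((tgt, cls), set())
        if perms - bad:
            ok.append((src, tgt, cls, perms - bad))
        if bad:
            violating.append((src, tgt, cls, bad))
    return ok, violating


def fmt_perms(perms):
    """Render a permission set the way checkmodule expects it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module, version, ok, violating):
    """Build a .te whose require block is derived from the accepted rules."""
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, perms in ok:
        types.update((src, tgt))
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src, tgt, cls, perms in ok:
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    for src, tgt, cls, perms in violating:
        # Left out so the module compiles; the denial itself still needs
        # a root cause (why the daemon touches this type at all).
        out.append(f"# omitted (base-policy assertion): allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    accepted, rejected = split_rules(parse_rules(GENERATED_TE))
    print(render_te("amavisd", "1.0", accepted, rejected))
```

Feed it the output of `ausearch -m avc -ts <time> | audit2allow` and hand the printed `.te` to `checkmodule`/`semodule_package` as usual; the `# omitted` line keeps the dropped denial visible in the module source instead of silently granting it, which is the part a reviewer of the policy wants to see.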