[Bug 480129] Error at calling service amavisd restart when SELinux is in enforce mode


 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=480129

--- Comment #9 from Erik M Jacobs <ejacobs@xxxxxxxxxx> 2012-04-05 14:18:31 EDT ---
Looks like it works.

[root@atlas ~]$ cat amavisd-miro.te
# Local type-enforcement policy module; presumably the fix for the proc_t read
# denial referred to as "the proc errors" below — TODO confirm against the
# earlier comments in this bug.
module amavisd-miro 1.0;

require {
  type amavis_t;
  type proc_t;
  class file read;
}

#============= amavis_t ==============
# Grants the amavisd domain read access to files labelled proc_t (/proc).
allow amavis_t proc_t:file read;

[root@atlas ~]$ service amavisd restart
Shutting down amavisd: Daemon [28091] terminated by SIGTERM
                                                           [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Still getting errors:
type=AVC msg=audit(1333649748.098:11411): avc:  denied  { read } for  pid=28571
comm="amavisd" name="shadow" dev=dm-0 ino=354339
scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=SYSCALL msg=audit(1333649748.098:11411): arch=c000003e syscall=2
success=yes exit=5 a0=2ba41721d2da a1=0 a2=1b6 a3=0 items=0 ppid=28567
pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl"
subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649748.098:11412): avc:  denied  { getattr } for 
pid=28571 comm="amavisd" path="/etc/shadow" dev=dm-0 ino=354339
scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=SYSCALL msg=audit(1333649748.098:11412): arch=c000003e syscall=5
success=yes exit=0 a0=5 a1=7fff158c5960 a2=7fff158c5960 a3=0 items=0 ppid=28567
pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl"
subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649748.099:11413): avc:  denied  { search } for 
pid=28571 comm="amavisd" name="root" dev=dm-0 ino=545089
scontext=user_u:system_r:amavis_t:s0 tcontext=root:object_r:user_home_dir_t:s0
tclass=dir
type=SYSCALL msg=audit(1333649748.099:11413): arch=c000003e syscall=4
success=no exit=-2 a0=c93c730 a1=c806140 a2=c806140 a3=7 items=0 ppid=28567
pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl"
subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11414): avc:  denied  { search } for 
pid=28578 comm="amavisd" name="selinux" dev=dm-0 ino=353080
scontext=user_u:system_r:amavis_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1333649749.867:11414): avc:  denied  { read } for  pid=28578
comm="amavisd" name="config" dev=dm-0 ino=353317
scontext=user_u:system_r:amavis_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11414): arch=c000003e syscall=2
success=yes exit=4 a0=3b91e12a64 a1=0 a2=1b6 a3=0 items=0 ppid=28574 pid=28578
auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0
key=(null)
type=AVC msg=audit(1333649749.867:11415): avc:  denied  { getattr } for 
pid=28578 comm="amavisd" path="/etc/selinux/config" dev=dm-0 ino=353317
scontext=user_u:system_r:amavis_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1333649749.867:11415): arch=c000003e syscall=5
success=yes exit=0 a0=4 a1=7fffd9c7dfd0 a2=7fffd9c7dfd0 a3=0 items=0 ppid=28574
pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl"
subj=user_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1333649749.867:11416): avc:  denied  { search } for 
pid=28578 comm="amavisd" name="/" dev=selinuxfs ino=392
scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0
tclass=dir
type=AVC msg=audit(1333649749.867:11416): avc:  denied  { read } for  pid=28578
comm="amavisd" name="mls" dev=selinuxfs ino=12
scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0
tclass=file
type=SYSCALL msg=audit(1333649749.867:11416): arch=c000003e syscall=2
success=yes exit=4 a0=7fffd9c7d0e0 a1=0 a2=0 a3=0 items=0 ppid=28574 pid=28578
auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0
key=(null)

(output of audit2allow for the denials above)
#============= amavis_t ==============
# NOTE(review): this is audit2allow's literal translation of the AVC records
# above, not a vetted policy. The shadow_t rule would let amavis_t read
# /etc/shadow (the AVC shows path="/etc/shadow", tcontext shadow_t), and the
# security_t / selinux_config_t rules cover selinuxfs and /etc/selinux/config.
# Since these denials are reported below as causing no functional problem,
# dontaudit rules (or no rule at all) are the safer response than loading
# these allow rules.
# The user_u scontext, tty=pts2 and auid=501 in the SYSCALL records suggest the
# daemon was restarted from an interactive login session rather than by init —
# TODO confirm; the user_home_dir_t search denial may be a side effect of that.
allow amavis_t security_t:dir search;
allow amavis_t security_t:file read;
allow amavis_t selinux_config_t:dir search;
allow amavis_t selinux_config_t:file { read getattr };
allow amavis_t shadow_t:file { read getattr };
allow amavis_t user_home_dir_t:dir search;

But they don't cause any issue the way the proc errors did, or anything like that.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel


