Getting module_request errors from SELinux. Errors being thrown by metacity sendmail.postfix cleanup trivial-rewarite local postdrop pickup All errors are essentially the same System was working well until I began to apply some basic security hardening configuration. Postfix started complaining when I made /tmp noexec, nodev, nosuid, and then did a mount --bind of /var/tmp under /tmp. Backed that out the remount of /var/tmp and those errors went away. But then these errors started showing up. Here is an example of a postfix pickup error. What is going on? I could allow the module to load, but I want to understand what is going on and the dangers of making the mod before I do it. SELinux is preventing /usr/libexec/postfix/pickup from module_request access on the system Unknown. ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If you want to allow all domains to have the kernel load modules Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean. Do setsebool -P domain_kernel_load_modules 1 ***** Plugin catchall (11.6 confidence) suggests *************************** If you believe that pickup should be allowed module_request access on the Unknown system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pickup /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_pickup_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ system ] Source pickup Source Path /usr/libexec/postfix/pickup Port <Unknown> Host desk.localdomain Source RPM Packages postfix-2.6.6-2.2.el6_1 Target RPM Packages Policy RPM selinux-policy-3.7.19-126.el6_2.10 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name desk.localdomain Platform Linux desk.localdomain 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 23:56:34 BST 2012 x86_64 x86_64 Alert Count 24 First Seen Fri 27 Apr 2012 02:46:55 PM MDT Last Seen Sun 29 Apr 2012 05:10:32 AM MDT Local ID 4b8e5292-93f1-4e69-8bb4-4ea70bc5232e Raw Audit Messages type=AVC msg=audit(1335697832.612:34911): avc: denied { module_request } for pid=24226 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system type=SYSCALL msg=audit(1335697832.612:34911): arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT a0=a a1=1 a2=0 a3=7fff3ca82190 items=0 ppid=1925 pid=24226 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pickup exe=/usr/libexec/postfix/pickup subj=system_u:system_r:postfix_pickup_t:s0 key=(null) Hash: pickup,postfix_pickup_t,kernel_t,system,module_request audit2allow #============= postfix_pickup_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules' allow postfix_pickup_t kernel_t:system module_request; audit2allow -R #============= postfix_pickup_t ============== #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules' allow postfix_pickup_t kernel_t:system module_request; _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos