> It's a problem with the policy not with a relabel.
>
> audit2allow <insert /var/log/auditd/auditd.log>
>
> will give you a policy statement to work with...
>
> HTH,
> Harry
>
> On Sun, 31 Jul 2005, Bobby Kashani wrote:
>
>> On Sun, 2005-07-31 at 15:22 +0200, Roger Grosswiler wrote:
>> > hi,
>> >
>> > i recently updated from fc3 to fc4. i use this machine as a mailserver
>> > with cyrus. 1st problem was the database - fixed issue. now, on
>> > authentication, i get errors, will say, with selinux enforcing i cannot
>> > authenticate at all.
>> >
>> > from the fc-list i got some help, with a few commands, that should help
>> > better understanding. What can i do, to have this box with selinux
>> > enforcing enabled? ah, yes, in permissive mode it works fine.
>>
>> Have you tried doing a "touch /.autorelabel" and rebooting?
>>
>> Bob
>>
>> > here a snippet of my logs:
>> > > [root@link ~]# ausearch -i -a 9657218
>> > > ----
>> > > type=PATH msg=audit(07/30/05 16:21:20.281:9657218) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
>> > > type=SOCKETCALL msg=audit(07/30/05 16:21:20.281:9657218) : nargs=3 a0=b a1=bfd308fa a2=6e
>> > > type=SOCKADDR msg=audit(07/30/05 16:21:20.281:9657218) : saddr=local /var/run/saslauthd/mux
>> > > type=SYSCALL msg=audit(07/30/05 16:21:20.281:9657218) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
>> > > type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>> > >
>> > >> ausearch -i -a 9659874
>> > >>
>> > > [root@link ~]# ausearch -i -a 9659874
>> > > ----
>> > > type=PATH msg=audit(07/30/05 16:21:24.635:9659874) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
>> > > type=SOCKETCALL msg=audit(07/30/05 16:21:24.635:9659874) : nargs=3 a0=b a1=bfd308fa a2=6e
>> > > type=SOCKADDR msg=audit(07/30/05 16:21:24.635:9659874) : saddr=local /var/run/saslauthd/mux
>> > > type=SYSCALL msg=audit(07/30/05 16:21:24.635:9659874) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
>> > > type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>> >
>> > i hope, you can help.
>> >
>> > Thanks a lot
>> > Roger
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list@xxxxxxxxxx
>> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> --
>> Bobby Kashani
>> http://www.ocf.berkeley.edu/~bobk/garnome

Hi,

i am completely inexperienced in selinux, but i tried changing the policy local.te and added the following:

allow saslauthd_t initrc_t:unix_stream_socket connectto;
allow saslauthd_t mysqld_db_t:dir search;
allow saslauthd_t mysqld_var_run_t:sock_file write;
allow saslauthd_t var_lib_t:dir search;

...since then, it is working.
My imap authenticates against sasl, which uses mysql for user-authentication (pam_mysql.so). can any expert say, if i opened a hole in my security other than authentication?

Thanks
roger
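
Added example (not from the thread or from the SELinux tools): a simplified Python version of the denial-to-allow mapping that audit2allow automates, used to compare the AVC records quoted above with the rules reported for local.te. The function names are hypothetical, and the only input is what is visible on this page; the poster's full audit log is not.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the thread, each rejoined onto one line.
SAMPLE_LOG = """\
type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
"""

# The rules the reply reports adding to local.te.
LOCAL_RULES = """\
allow saslauthd_t initrc_t:unix_stream_socket connectto;
allow saslauthd_t mysqld_db_t:dir search;
allow saslauthd_t mysqld_var_run_t:sock_file write;
allow saslauthd_t var_lib_t:dir search;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def denials(log):
    """Map (source type, target type, class) -> permissions denied in the log."""
    out = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(log):
        # A context is user:role:type[:level]; the type is the third field.
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)
        out[key].update(perms.split())
    return dict(out)

def rules(te_text):
    """Map (source type, target type, class) -> permissions granted by allow rules."""
    out = defaultdict(set)
    for src, tgt, tclass, braced, single in RULE_RE.findall(te_text):
        out[(src, tgt, tclass)].update((braced or single).split())
    return dict(out)

def missing_from(a, b):
    """Entries of a whose permissions are not all present in b."""
    return {k: p - b.get(k, set()) for k, p in a.items() if p - b.get(k, set())}

def to_allow(perm_map):
    """Render a permission map as allow statements, one per key."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perm_map.items())]

if __name__ == "__main__":
    seen, granted = denials(SAMPLE_LOG), rules(LOCAL_RULES)
    print("denied in log, not granted:", to_allow(missing_from(seen, granted)))
    print("granted, no denial in log: ", to_allow(missing_from(granted, seen)))
```

Rules listed under "granted, no denial in log" are the ones to justify from the complete audit log before keeping them in local.te.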