We use the Postfix email system and not sendmail. When selinux is in
permissive mode, postfix will start. When selinux is enforcing with
selinux-policy-targeted-1.27.1-2.1, it does not start.
These are the entries to audit.log when trying to start postfix with
selinux enforcing.
type=AVC msg=audit(1127679357.877:29): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.877:29): arch=40000003 syscall=195 success=no exit=-13 a0=9498cc0 a1=bfbdd26c a2=496ff4 a3=64 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.877:29): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.877:29): item=0 name="DB_CONFIG" flags=1 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679357.878:30): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.878:30): arch=40000003 syscall=5 success=no exit=-13 a0=9498cc0 a1=8000 a2=1b6 a3=9498ce8 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.878:30): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.878:30): item=0 name="DB_CONFIG" flags=101 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679357.878:31): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.878:31): arch=40000003 syscall=195 success=no exit=-13 a0=9498f08 a1=bfbdd2fc a2=496ff4 a3=64 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.878:31): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.878:31): item=0 name="__db.002" flags=1 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679358.558:32): avc: denied { name_bind } for pid=4975 comm="master" src=10025 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:amavisd_send_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127679358.558:32): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfe36550 a2=8065228 a3=bfe365c4 items=0 pid=4975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="master" exe="/usr/libexec/postfix/master"
type=SOCKADDR msg=audit(1127679358.558:32): saddr=020027297F0000010000000000000000
type=SOCKETCALL msg=audit(1127679358.558:32): nargs=3 a0=50 a1=923c3b8 a2=10
I still do not know enough about selinux to know if I can relabel
something of if this needs a new policy.
Thanks in advance for all help.
John
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
